Some updates

- auditd: migrate rules using deprecated syntax (`-w`, `-p` and `-k`).
  Also clean them up.
- nftables: remove the usage of nexthdr for matching ipv6 packets. Also
  allow DHCP client traffic, IGMP and multicast DNS.

TODO.md

@@ -20,7 +20,7 @@ Stuff that are planned to be added/changed.
 
 ## Cosmetic
 
-- [ ] Packer + Terraform / Pulumi (zfs + btrfs VMs) for testing the playbook (need <https://github.com/digitalocean/go-libvirt/issues/171> implemented first)
+- [ ] Packer + Terraform / Pulumi (zfs + btrfs VMs) for testing the playbook
 
 ## Just in case I forget
 

requirements/accepted_variables.yml

@@ -53,6 +53,7 @@ crond_provider:
 
 syslog_provider:
   - busybox
+  - logbookd
   - rsyslog
   - sysklogd
 

roles/auditd/templates/audit.rules.j2

@@ -23,24 +23,24 @@
 
 ## Audit the audit logs
 ### Successful and unsuccessful attempts to read information from the audit records
--w /var/log/audit/ -p wra -k auditlog
+-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=wra -F key=auditlog
 
 ## Auditd configuration
 ### Modifications to audit configuration that occur while the audit collection functions are operating
--w /etc/audit/ -p wa -k auditconfig
+-a always,exit -F arch=b64 -F dir=/etc/audit/ -F perm=wa -F key=auditconfig
--w /etc/libaudit.conf -p wa -k auditconfig
+-a always,exit -F arch=b64 -F path=/etc/libaudit.conf -F perm=wa -F key=auditconfig
 
 ## Monitor for use of audit management tools
--w /usr/sbin/auditctl -p x -k audittools
+-a always,exit -F arch=b64 -F path=/usr/sbin/auditctl -F perm=x -F key=audittools
--w /usr/sbin/auditd -p x -k audittools
+-a always,exit -F arch=b64 -F path=/usr/sbin/auditd -F perm=x -F key=audittools
--w /usr/sbin/augenrules -p x -k audittools
+-a always,exit -F arch=b64 -F path=/usr/sbin/augenrules -F perm=x -F key=audittools
 
 ## Access to all audit trails
--a always,exit -F path=/usr/sbin/ausearch -F perm=x -k auditlog_local_access
+-a always,exit -F path=/usr/sbin/ausearch -F perm=x -F key=auditlog_local_access
--a always,exit -F path=/usr/sbin/aureport -F perm=x -k auditlog_local_access
+-a always,exit -F path=/usr/sbin/aureport -F perm=x -F key=auditlog_local_access
--a always,exit -F path=/usr/bin/aulast -F perm=x -k auditlog_local_access
+-a always,exit -F path=/usr/bin/aulast -F perm=x -F key=auditlog_local_access
--a always,exit -F path=/usr/bin/aulastlog -F perm=x -k auditlog_local_access
+-a always,exit -F path=/usr/bin/aulastlog -F perm=x -F key=auditlog_local_access
--a always,exit -F path=/usr/bin/auvirt -F perm=x -k auditlog_local_access
+-a always,exit -F path=/usr/bin/auvirt -F perm=x -F key=auditlog_local_access
 
 # Filters ---------------------------------------------------------------------
 
@@ -59,80 +59,78 @@
 {% endif %}
 
 ## High Volume Event Filter (especially on Linux Workstations)
--a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
+-a never,exit -F arch=b64 -F dir=/dev/shm -F key=sharedmemaccess
--a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm
+-a never,exit -F arch=b64 -F dir=/var/lock/lvm -F key=locklvm
 
 # Rules -----------------------------------------------------------------------
 
 ## Kernel parameters
--w /etc/sysctl.conf -p wa -k sysctl
+-a always,exit -F arch=b64 -F path=/etc/sysctl.conf -F perm=wa -F key=sysctl
--w /etc/sysctl.d -p wa -k sysctl
+-a always,exit -F arch=b64 -F dir=/etc/sysctl.d/ -F perm=wa -F key=sysctl
 
 # Kernel module loading and unloading
--a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
+-a always,exit -F arch=b64 -F perm=x -F auid!=-1 -F path=/sbin/insmod -F key=modules
--a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
+-a always,exit -F arch=b64 -F perm=x -F auid!=-1 -F path=/sbin/modprobe -F key=modules
--a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
+-a always,exit -F arch=b64 -F perm=x -F auid!=-1 -F path=/sbin/rmmod -F key=modules
--a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
+-a always,exit -F arch=b64 -S finit_module,init_module,delete_module -F auid!=-1 -F key=modules
 
 ## Modprobe configuration
--w /etc/modprobe.conf -p wa -k modprobe
+-a always,exit -F arch=b64 -F path=/etc/modprobe.conf -F perm=wa -F key=modprobe
--w /etc/modprobe.d -p wa -k modprobe
+-a always,exit -F arch=b64 -F dir=/etc/modprobe.d/ -F perm=wa -F key=modprobe
 
 ## KExec usage (all actions)
--a always,exit -F arch=b64 -S kexec_load -k KEXEC
+-a always,exit -F arch=b64 -S kexec_load -F key=KEXEC
 
 ## Special files
--a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles
+-a always,exit -F arch=b64 -S mknod,mknodat -F key=specialfiles
 
 ## Mount operations (only attributable)
--a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount
+-a always,exit -F arch=b64 -S mount,umount2 -F auid!=-1 -F key=mount
 
 ## Change swap (only attributable)
--a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
+-a always,exit -F arch=b64 -S swapon,swapoff -F auid!=-1 -F key=swap
 
 ## Time
--a always,exit -F arch=b64 -F uid!=ntp -S adjtimex -S settimeofday -S clock_settime -k time
+-a always,exit -F arch=b64 -F uid!=ntp -S adjtimex,settimeofday,clock_settime -F key=time
 ### Local time zone
--w /etc/localtime -p wa -k localtime
+-a always,exit -F arch=b64 -F path=/etc/localtime -F perm=wa -F key=localtime
 
 ## Cron configuration & scheduled jobs
--w /etc/fcron.allow -p wa -k cron
+-a always,exit -F arch=b64 -F path=/etc/cron.allow -F perm=wa -F key=cron
--w /etc/fcron.deny -p wa -k cron
+-a always,exit -F arch=b64 -F path=/etc/cron.deny -F perm=wa -F key=cron
--w /etc/cron.allow -p wa -k cron
+-a always,exit -F arch=b64 -F dir=/etc/fcron/ -F perm=wa -F key=cron
--w /etc/cron.deny -p wa -k cron
+-a always,exit -F arch=b64 -F dir=/etc/crontabs/ -F perm=wa -F key=cron
--w /etc/crontabs -p wa -k cron
+-a always,exit -F arch=b64 -F dir=/etc/cron.d/ -F perm=wa -F key=cron
--w /etc/cron.d -p wa -k cron
+-a always,exit -F arch=b64 -F dir=/var/spool/cron/ -F perm=wa -F key=cron
--w /var/spool/cron/ -p wa -k cron
+-a always,exit -F arch=b64 -F dir=/var/spool/fcron/ -F perm=wa -F key=cron
--w /etc/periodic/15min/ -p wa -k cron
+-a always,exit -F arch=b64 -F dir=/etc/periodic/ -F perm=wa -F key=cron
--w /etc/periodic/hourly/ -p wa -k cron
--w /etc/periodic/daily/ -p wa -k cron
--w /etc/periodic/weekly/ -p wa -k cron
--w /etc/periodic/monthly/ -p wa -k cron
 
 ## User, group, password databases
--w /etc/group -p wa -k etcgroup
+-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F key=etcgroup
--w /etc/passwd -p wa -k etcpasswd
+-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F key=etcpasswd
--w /etc/shadow -k etcpasswd
+-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F key=etcpasswd
 
-# doas.conf file changes
+# Changes to the privilege escalation programs' configurations
--w /etc/doas.conf -p wa -k actions
+-a always,exit -F arch=b64 -F path=/etc/doas.conf -F perm=wa -F key=actions
--w /etc/doas.d/ -p wa -k actions
+-a always,exit -F arch=b64 -F path=/etc/please.ini -F perm=wa -F key=actions
+-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=actions
+-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=actions
 
 ## Passwd
--w /usr/bin/passwd -p x -k passwd_modification
+-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F key=passwd_modification
 
 ## Tools to change group identifiers
--w /usr/sbin/addgroup -p x -k group_modification
+-a always,exit -F arch=b64 -F path=/usr/sbin/addgroup -F perm=x -F key=group_modification
--w /usr/sbin/adduser -p x -k user_modification
+-a always,exit -F arch=b64 -F path=/usr/sbin/adduser -F perm=x -F key=user_modification
--w /usr/sbin/delgroup -p x -k user_modification
+-a always,exit -F arch=b64 -F path=/usr/sbin/delgroup -F perm=x -F key=user_modification
--w /usr/sbin/deluser -p x -k user_modification
+-a always,exit -F arch=b64 -F path=/usr/sbin/deluser -F perm=x -F key=user_modification
 
 ## Login configuration and information
--w /etc/securetty -p wa -k login
+-a always,exit -F arch=b64 -F path=/etc/securetty -F perm=wa -F key=login
 
 ## Network Environment
 ### Changes to hostname
--a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications
+-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=network_modifications
 
 ### Successful IPv4 Connections
 -a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -F key=network_connect_4
@@ -141,68 +139,70 @@
 -a always,exit -F arch=b64 -S connect -F a2=28 -F success=1 -F key=network_connect_6
 
 ### Changes to other files
--w /etc/hosts -p wa -k network_modifications
+-a always,exit -F arch=b64 -F path=/etc/hosts -F perm=wa -F key=network_modifications
--w /etc/netconfig -p wa -k network_modifications
+-a always,exit -F arch=b64 -F path=/etc/netconfig -F perm=wa -F key=network_modifications
--w /etc/network/ -p wa -k network
+-a always,exit -F arch=b64 -F dir=/etc/network/ -F perm=wa -F key=network
 
 ### Changes to issue
--w /etc/issue -p wa -k etcissue
+-a always,exit -F arch=b64 -F path=/etc/issue -F perm=wa -F key=etcissue
 
 ## System startup scripts and service configurations
--w /etc/inittab -p wa -k init
+-a always,exit -F arch=b64 -F path=/etc/inittab -F perm=wa -F key=init
--w /etc/init.d/ -p wa -k init
+-a always,exit -F arch=b64 -F dir=/etc/init.d/ -F perm=wa -F key=init
--w /etc/conf.d/ -p wa -k init
+-a always,exit -F arch=b64 -F dir=/etc/conf.d/ -F perm=wa -F key=init
 
 ## Pam configuration
--w /etc/pam.d/ -p wa -k pam
+-a always,exit -F arch=b64 -F dir=/etc/pam.d/ -F perm=wa -F key=pam
--w /etc/security/limits.conf -p wa  -k pam
+-a always,exit -F arch=b64 -F path=/etc/security/limits.conf -F perm=wa -F key=pam
--w /etc/security/limits.d -p wa  -k pam
+-a always,exit -F arch=b64 -F path=/etc/security/limits.d -F perm=wa -F key=pam
--w /etc/security/pam_env.conf -p wa -k pam
+-a always,exit -F arch=b64 -F path=/etc/security/pam_env.conf -F perm=wa -F key=pam
--w /etc/security/namespace.conf -p wa -k pam
+-a always,exit -F arch=b64 -F path=/etc/security/namespace.conf -F perm=wa -F key=pam
--w /etc/security/namespace.d -p wa -k pam
+-a always,exit -F arch=b64 -F path=/etc/security/namespace.d -F perm=wa -F key=pam
--w /etc/security/namespace.init -p wa -k pam
+-a always,exit -F arch=b64 -F path=/etc/security/namespace.init -F perm=wa -F key=pam
 
 ## Critical elements access failures
--a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess
+-a always,exit -F arch=b64 -S open -F dir=/etc/ -F success=0 -F key=unauthedfileaccess
--a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess
+-a always,exit -F arch=b64 -S open -F dir=/bin/ -F success=0 -F key=unauthedfileaccess
--a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileaccess
+-a always,exit -F arch=b64 -S open -F dir=/sbin/ -F success=0 -F key=unauthedfileaccess
--a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess
+-a always,exit -F arch=b64 -S open -F dir=/usr/bin/ -F success=0 -F key=unauthedfileaccess
--a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileaccess
+-a always,exit -F arch=b64 -S open -F dir=/usr/sbin/ -F success=0 -F key=unauthedfileaccess
--a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess
+-a always,exit -F arch=b64 -S open -F dir=/var/ -F success=0 -F key=unauthedfileaccess
--a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess
+-a always,exit -F arch=b64 -S open -F dir=/home/ -F success=0 -F key=unauthedfileaccess
 
 ## Process ID change (switching accounts) applications
--w /bin/su -p x -k priv_esc
+-a always,exit -F arch=b64 -F path=/bin/su -F perm=x -F key=priv_esc
--w /usr/bin/doas -p x -k priv_esc
+-a always,exit -F arch=b64 -F path=/usr/bin/doas -F perm=x -F key=priv_esc
--w /etc/doas.conf -p rw -k priv_esc
+-a always,exit -F arch=b64 -F path=/usr/bin/please -F perm=x -F key=priv_esc
--w /etc/doas.d/ -p rw -k priv_esc
+-a always,exit -F arch=b64 -F path=/usr/bin/pleaseedit -F perm=x -F key=priv_esc
+-a always,exit -F arch=b64 -F path=/usr/bin/sudo -F perm=x -F key=priv_esc
+-a always,exit -F arch=b64 -F path=/usr/bin/sudoedit -F perm=x -F key=priv_esc
 
 ## Power state
--w /sbin/poweroff -p x -k power
+-a always,exit -F arch=b64 -F path=/sbin/poweroff -F perm=x -F key=power
--w /sbin/reboot -p x -k power
+-a always,exit -F arch=b64 -F path=/sbin/reboot -F perm=x -F key=power
--w /sbin/halt -p x -k power
+-a always,exit -F arch=b64 -F path=/sbin/halt -F perm=x -F key=power
 
 ## Session initiation information
--w /var/log/swtmp -p wa -k session
+-a always,exit -F arch=b64 -F dir=/var/log/swtmp/ -F perm=wa -F key=session
 
 # Special Rules ---------------------------------------------------------------
 
 ## dbus-send invocation
 ### may indicate privilege escalation CVE-2021-3560
--w /usr/bin/dbus-send -p x -k dbus_send
+-a always,exit -F arch=b64 -F path=/usr/bin/dbus-send -F perm=x -F key=dbus_send
--w /usr/bin/gdbus -p x -k gdubs_call
+-a always,exit -F arch=b64 -F path=/usr/bin/gdbus -F perm=x -F key=gdubs_call
 
 ## pkexec invocation
 ### may indicate privilege escalation CVE-2021-4034
--w /usr/bin/pkexec -p x -k pkexec
+-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=pkexec
 
 ## Injection
 ### These rules watch for code injection by the ptrace facility.
 ### This could indicate someone trying to do something bad or just debugging
--a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code_injection
--a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data_injection
--a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register_injection
--a always,exit -F arch=b64 -S ptrace -k tracing
+-a always,exit -F arch=b64 -S ptrace -F key=tracing
 
 ## Anonymous File Creation
 ### These rules watch the use of memfd_create
@@ -212,24 +212,17 @@
 
 ## Privilege Abuse
 ### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
--a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -k power_abuse
+-a always,exit -F dir=/home/ -F auid=0 -F auid>=1000 -F auid!=-1 -F key=power_abuse
 
 # Socket Creations
 # will catch both IPv4 and IPv6
--a always,exit -F arch=b64 -S socket -F a0=2  -k exfiltration_over_other_network_medium
+-a always,exit -F arch=b64 -S socket -F a0=2 -F key=exfiltration_over_other_network_medium
--a always,exit -F arch=b64 -S socket -F a0=10 -k exfiltration_over_other_network_medium
+-a always,exit -F arch=b64 -S socket -F a0=10 -F key=exfiltration_over_other_network_medium
 
 # Software Management ---------------------------------------------------------
--w /usr/bin/flatpak -p x -k software_mgmt
+-a always,exit -F arch=b64 -F path=/usr/bin/flatpak -F perm=x -F key=software_mgmt
--w /sbin/apk -p x -k software_mgmt
+-a always,exit -F arch=b64 -F path=/sbin/apk -F perm=x -F key=software_mgmt
--w /etc/apk/ -p wa -k software_mgmt
+-a always,exit -F arch=b64 -F dir=/etc/apk/ -F perm=wa -F key=software_mgmt
-
-# Special Software ------------------------------------------------------------
-
-## Virtualization stuff
--w /usr/bin/qemu-system-x86_64 -p x -k qemu-system-x86_64
--w /usr/bin/qemu-img -p x -k qemu-img
--w /usr/bin/virt-manager -p x -k virt-manager
 
 # High Volume Events ----------------------------------------------------------
 
@@ -237,23 +230,23 @@
 
 ## File Access
 ### Unauthorized Access (unsuccessful)
--a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k file_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=file_access
--a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k file_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=file_access
 
 ### Unsuccessful Creation
--a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
+-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=file_creation
--a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation
+-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=file_creation
 
 ### Unsuccessful Modification
--a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
+-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -F key=file_modification
--a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
+-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -F key=file_modification
 
 ## 32bit API Exploitation
 ### If you are on a 64 bit platform, everything _should_ be running
 ### in 64 bit mode. This rule will detect any use of the 32 bit syscalls
 ### because this might be a sign of someone exploiting a hole in the 32
 ### bit API.
--a always,exit -F arch=b32 -S all -k 32bit_api
+-a always,exit -F arch=b32 -S all -F key=32bit_api
 
 # Make The Configuration Immutable --------------------------------------------
 

roles/libvirt/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: libvirt | Install libvirt and qemu
   community.general.apk:
-    name: libvirt-daemon, qemu-img, qemu-system-x86_64, qemu-modules
+    name: libvirt-daemon, qemu-img, qemu-system-x86_64, qemu-system-arm, qemu-system-aarch64, qemu-modules
     state: present
 
 # This is for PulseAudio

roles/nftables/templates/nftables.j2

@@ -76,7 +76,12 @@ table inet filter {
         iif != lo ip6 daddr ::1/128 drop \
         comment "Block spoofing as localhost (IPv6)"
 
-        # Allow stuff first before the dynamic blacklisting
+        udp dport mdns ip daddr 224.0.0.251 accept \
+        comment "Accept mDNS"
+        udp dport mdns ip6 daddr ff02::fb accept \
+        comment "Accept mDNS"
+
+        jump input_dhcp_client
         jump input_icmp
 
         # Blacklisting should be done before stateful accept rules
@@ -120,8 +125,17 @@ table inet filter {
         type filter hook output priority 0; policy accept;
     }
 
+    chain input_dhcp_client {
+        udp sport 67 udp dport 68 accept \
+        comment "Accept DHCP client input traffic"
+
+        ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
+        comment "Accept DHCPv6 replies from IPv6 link-local addresses"
+    }
+
     chain input_icmp {
-        # ICMPv4
+        ip protocol igmp accept \
+        comment "Accept IGMP"
 
         ip protocol icmp icmp type {
             echo-reply,  # type 0
@@ -132,9 +146,7 @@ table inet filter {
         } limit rate 10/second burst 4 packets accept \
         comment "Accept ICMP"
 
-        # ICMPv6
+        icmpv6 type {
-
-        ip6 nexthdr icmpv6 icmpv6 type {
             destination-unreachable,  # type 1
             packet-too-big,  # type 2
             time-exceeded,  # type 3
@@ -144,7 +156,7 @@ table inet filter {
         } limit rate 10/second burst 4 packets accept \
         comment "Accept basic IPv6 functionality"
 
-        ip6 nexthdr icmpv6 icmpv6 type {
+        icmpv6 type {
             nd-router-solicit,  # type 133
             nd-router-advert,  # type 134
             nd-neighbor-solicit,  # type 135
@@ -152,15 +164,15 @@ table inet filter {
         } ip6 hoplimit 255 accept \
         comment "Allow IPv6 SLAAC"
 
-        ip6 nexthdr icmpv6 icmpv6 type {
+        icmpv6 type {
             mld-listener-query,  # type 130
             mld-listener-report,  # type 131
             mld-listener-reduction,  # type 132
             mld2-listener-report,  # type 143
         } ip6 saddr fe80::/10 accept \
         comment "Allow IPv6 multicast listener discovery on link-local"
-
-        ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
-        comment "Accept DHCPv6 replies from IPv6 link-local addresses"
     }
 }
+
+# The state of stateful objects saved on the nftables service stop.
+include "/var/lib/nftables/*.nft"