
optionally block incoming IPv6 connections except for explicitly allowed IPs #32

@stapelberg

Description

It might be prudent to only allow incoming IPv6 connections to IP addresses which are explicitly listed, and default to not allowing incoming connections to other IPs.

In terms of configuration, the feature will be enabled as soon as a non-empty array of allowed IP addresses is defined (blocking all incoming connections can be achieved by allowing an unused IP address).

These are the nftables commands I used for prototyping:

```shell
# the ip6 filter table must exist before chains can be added to it (create it once if missing)
nft add table ip6 filter
# base chain attached to the forward hook, so routed traffic passes through it
nft add chain ip6 filter forward '{' type filter hook forward priority 0 \; '}'
# regular chain holding the allow/reject decisions
nft add chain ip6 filter block-incoming
nft add rule ip6 filter forward jump block-incoming
# new TCP connections (SYN) towards an explicitly allowed address on the LAN are accepted
nft add rule ip6 filter block-incoming oifname "lan0" tcp flags syn ip6 daddr ::1 accept
# every other new TCP connection towards the LAN is rejected;
# note that only TCP SYN is matched here, UDP and ICMPv6 are not covered by these two rules
nft add rule ip6 filter block-incoming oifname "lan0" tcp flags syn reject
```
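As an added illustration (this is example code, not router7's implementation and not the author's prototype), the following Go function turns the "non-empty list of allowed IPs enables the feature" idea from the issue into an nftables ruleset in `nft -f` syntax. It goes a step beyond the TCP-SYN-only prototype by using a conntrack-based rule that rejects any new inbound connection (TCP, UDP and unsolicited ICMPv6) while still letting replies and related ICMPv6 such as packet-too-big through, and it validates the interface name and addresses before interpolating them into the ruleset so that a malformed config value cannot smuggle extra nft syntax in. The function name, the set name `allowed_v6`, and the addresses in `main` are assumptions made for this example.

```go
package main

import (
	"fmt"
	"log"
	"net/netip"
	"regexp"
	"strings"
)

// Linux interface names are at most 15 characters; restricting the character
// set also keeps a config value from injecting nft syntax into the ruleset.
var validIface = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,15}$`)

// BuildIPv6InboundRuleset renders an nftables ruleset (nft -f syntax) that
// rejects new inbound IPv6 connections forwarded towards lanIface unless the
// destination address is listed in allowed. An empty allowed list returns ""
// and no error: the feature is disabled and the caller leaves the forward
// path untouched, matching the semantics described in the issue.
func BuildIPv6InboundRuleset(lanIface string, allowed []string) (string, error) {
	if len(allowed) == 0 {
		return "", nil
	}
	if !validIface.MatchString(lanIface) {
		return "", fmt.Errorf("invalid interface name %q", lanIface)
	}
	seen := make(map[netip.Addr]bool)
	var elems []string
	for _, s := range allowed {
		addr, err := netip.ParseAddr(s)
		if err != nil {
			return "", fmt.Errorf("allowed address %q: %w", s, err)
		}
		// Only plain global IPv6 addresses make sense in an ip6 set: reject
		// IPv4, IPv4-mapped IPv6 and zone-scoped (fe80::1%lan0) addresses.
		if !addr.Is6() || addr.Is4In6() || addr.Zone() != "" {
			return "", fmt.Errorf("allowed address %q is not a plain IPv6 address", s)
		}
		if seen[addr] {
			continue // duplicate entries would make nft refuse the set
		}
		seen[addr] = true
		elems = append(elems, addr.String())
	}

	var b strings.Builder
	b.WriteString("table ip6 filter {\n")
	b.WriteString("\tset allowed_v6 {\n\t\ttype ipv6_addr\n")
	fmt.Fprintf(&b, "\t\telements = { %s }\n\t}\n", strings.Join(elems, ", "))
	b.WriteString("\tchain block-incoming {\n")
	// Replies to connections the LAN opened, and related ICMPv6 (for example
	// packet-too-big for path MTU discovery), must keep flowing.
	b.WriteString("\t\tct state established,related accept\n")
	b.WriteString("\t\tct state invalid drop\n")
	fmt.Fprintf(&b, "\t\toifname %q ip6 daddr @allowed_v6 accept\n", lanIface)
	// Everything else heading to the LAN is a new, unsolicited connection.
	fmt.Fprintf(&b, "\t\toifname %q reject\n", lanIface)
	b.WriteString("\t}\n")
	b.WriteString("\tchain forward {\n")
	b.WriteString("\t\ttype filter hook forward priority 0; policy accept;\n")
	b.WriteString("\t\tjump block-incoming\n\t}\n}\n")
	return b.String(), nil
}

func main() {
	// Constructed sample allowlist using documentation addresses.
	rules, err := BuildIPv6InboundRuleset("lan0", []string{"2001:db8::10", "2001:db8::20"})
	if err != nil {
		log.Fatal(err)
	}
	// Check the generated ruleset with `nft -c -f ruleset.nft` before loading it.
	fmt.Print(rules)
}
```

Traffic from the LAN towards the uplink never matches the `oifname` rules, falls off the end of `block-incoming` and is accepted by the base chain's policy, so the allowlist only ever restricts the inbound direction.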


Labels: enhancement (New feature or request), good-for-stream (https://www.twitch.tv/stapelberg)
