SUNET · mikaelfrykholm · Jul 22, 2025 · Jul 22, 2025
diff --git a/files/nftables/999-log.nft b/files/nftables/999-log.nft
@@ -1,12 +1,4 @@
 #
-# Silently drop broad broadcast and multicast traffic. We'd get a lot of IPv6 router solicitations and other things of little
-# interest in the logs generated below otherwise.
-#
-add rule inet filter input   pkttype broadcast counter drop comment "Silently drop broadcast"
-add rule inet filter input   pkttype multicast counter drop comment "Silently drop multicast"
-add rule inet filter forward pkttype broadcast counter drop comment "Silently drop broadcast"
-add rule inet filter forward pkttype multicast counter drop comment "Silently drop multicast"
-#
 # Log packets being dropped, with rate limiting to avoid the logging itself becoming a problem (attack vector).
 #
 add rule inet filter input   counter limit rate 5/second log flags all prefix "input_drop: " counter drop comment "Default deny (and log) packets to this host"

diff --git a/files/nftables/nftables.conf b/files/nftables/nftables.conf
@@ -21,6 +21,9 @@ table inet filter {
 		ct state established counter accept
 		# silently drop invalid packets
 		ct state invalid counter drop
+
+		#Allow DHCPv6
+		ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept
 	}
 	chain forward {
 		type filter hook forward priority 0; policy drop;