From a33b0ac51374a59821452acb0c2354ad366409fb Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Mon, 19 Sep 2022 16:15:10 +0200
Subject: [PATCH] add some missing IPv6 options
---
 defaults/main.yml | 3 +++
 templates/etc/sysctl.d/local.conf.j2 | 8 ++++++++
 templates/etc/systemd/coredump.conf.j2 | 7 +++++++
 3 files changed, 18 insertions(+)
 create mode 100644 templates/etc/systemd/coredump.conf.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index d2507a0..f339cd2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -7,6 +7,9 @@ kernel_disable_modules:
   - tipc
   - rds
   - bluetooth
+  - cramfs
+  - squashfs
+  - udf
 kernel_blacklist_modules: []
diff --git a/templates/etc/sysctl.d/local.conf.j2 b/templates/etc/sysctl.d/local.conf.j2
index 99bb6b1..27fa21a 100644
--- a/templates/etc/sysctl.d/local.conf.j2
+++ b/templates/etc/sysctl.d/local.conf.j2
@@ -47,6 +47,7 @@ net.ipv4.tcp_syncookies = 1
 # Turn on and log spoofed, source routed, and redirect packets
 net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.accept_source_route = 0
 # No source routed packets here
 net.ipv4.conf.all.accept_source_route = 0
@@ -80,6 +81,10 @@ net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 {% else %}
+# Disable router advertisements
+net.ipv6.conf.default.accept_ra = 0
+net.ipv6.conf.all.accept_ra = 0
+
 # Disable ICMP routing redirects
 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.default.accept_redirects = 0
@@ -87,6 +92,9 @@ net.ipv6.conf.default.accept_redirects = 0
 # Disable forwarding of IPv6 source-routed packets
 net.ipv6.conf.all.accept_source_route = 0
 net.ipv6.conf.default.accept_source_route = 0
+
+# Disable forwarding of IPv6
+net.ipv6.conf.all.forwarding = 0
 {% endif %}
 {% if kernel_namespace_support_enabled | bool %}
diff --git a/templates/etc/systemd/coredump.conf.j2 b/templates/etc/systemd/coredump.conf.j2
new file mode 100644
index 0000000..77a1913
--- /dev/null
+++ b/templates/etc/systemd/coredump.conf.j2
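Review bot: Adding `squashfs` to the default `kernel_disable_modules` list will break hosts that depend on it, most commonly anything running snapd (every snap is a squashfs image) and live or cloud images with a squashfs root, so the entry needs a caveat where a user will see it; I'd add `# squashfs is required by snapd and squashfs-based root images; remove it on such hosts` above the line, or move the three filesystem entries under a separately documented variable rather than the role default. How `kernel_disable_modules` is enforced (install-to-/bin/true versus a blacklist) is not visible in this patch, so I cannot tell whether an already-loaded squashfs would keep working until reboot. These filesystem entries are also unrelated to the commit subject, which only mentions IPv6 options.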
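Review bot: The added `net.ipv4.conf.default.accept_source_route = 0` sits under the `# Turn on and log spoofed, source routed, and redirect packets` comment instead of beside its `all` sibling under `# No source routed packets here`, which is where a reader will look for it; move it to follow `net.ipv4.conf.all.accept_source_route = 0`. While in this block, `log_martians` is still set only for `all`, so for consistency with the rest of this file (and with the benchmarks that check both keys) add `net.ipv4.conf.default.log_martians = 1`; functionally the kernel enables martian logging when either `all` or the per-interface value is set, so this is a convention fix, not a gap. The blank context lines of this hunk are lost in the collapsed patch, so the exact placement may differ slightly from what I see.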
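Review bot: `accept_ra = 0` on `all` and `default` disables SLAAC and RA-learned default routes, so a host that obtains its IPv6 address or gateway from router advertisements (typical on cloud and dual-stack LANs) loses IPv6 connectivity at the next sysctl reload; since this `{% else %}` branch is exactly the case where IPv6 is kept enabled, that is the population most likely to be hurt. The comment `# Disable router advertisements` also reads as if the host stops sending RAs; `# Do not accept router advertisements (disables SLAAC; hosts addressed via RA need this left at 1)` says what the keys do. I'd gate the two keys behind a role variable defaulting to the hardened value so SLAAC hosts can opt out. Note that with `forwarding = 1` the kernel already ignores RAs unless `accept_ra = 2`, so this setting mainly affects non-routing hosts.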
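Review bot: `net.ipv6.conf.all.forwarding = 0` is the only IPv6 key in this block without a `default` counterpart while every other setting here sets both, so add `net.ipv6.conf.default.forwarding = 0` so that interfaces created after the sysctl load get the same value. Forcing forwarding off unconditionally also breaks hosts that route or run containers with IPv6 networking (Docker, Podman, Kubernetes nodes), so it should be variable-driven like the enclosing `{% if %}` that guards IPv6 itself; the IPv4 `ip_forward` handling is outside this hunk, so I cannot tell whether it already is. The comment `# Disable forwarding of IPv6` is easy to misread next to the preceding `# Disable forwarding of IPv6 source-routed packets`; `# Do not act as an IPv6 router (no packet forwarding between interfaces)` is clearer.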
@@ -0,0 +1,7 @@ +#jinja2: lstrip_blocks: True +{{ ansible_managed | comment }} +[Coredump] +{% if not kernel_coredump_enabled | bool %} +Storage=none +ProcessSizeMax=0 +{% endif %}
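Review bot: `Storage=none` and `ProcessSizeMax=0` only affect systemd-coredump, so cores are still written on hosts where `kernel.core_pattern` is not the systemd-coredump pipe, and setuid programs can still dump unless `fs.suid_dumpable` is 0; if `kernel_coredump_enabled` is meant to switch core dumps off, pair this template with `fs.suid_dumpable = 0` in the sysctl template and `DefaultLimitCORE=0` in system.conf, neither of which is visible in this patch. Rendering to `/etc/systemd/coredump.conf` replaces the distribution file, whereas a drop-in under `/etc/systemd/coredump.conf.d/` is the documented override path and leaves the vendor defaults intact. When the variable is true the file is an empty `[Coredump]` section, which works but deserves a line such as `# systemd defaults apply when core dumps are enabled` so nobody assumes settings were lost. The task that deploys this template and the default value of `kernel_coredump_enabled` are not part of this hunk.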