Open Prototyped opened 1 year ago
Nothing dodgy here. Maybe just don't use ENABLE_HARDNET=true
if you want ipv6 capability? The option does exactly what you proposed.
One could argue that the ipv6 hardening settings should be moved to the ENABLE_IPV6
option, but we're grave digging a project with the last commit in 2020 here.
https://raw.githubusercontent.com/drtyhlpr/rpi23-gen-image/master/files/sysctl.d/82-rpi-net-hardening.conf
This is super dodgy. It basically turns off consuming IPv6 router advertisements and limits the maximum number of IPv6 addresses to 1, which will generally just be the link-local address.
With more and more ISPs offering native IPv6 and the prospect of carrier-grade NAT being used very widely, it's valuable to have IPv6 prefixes delegated to Raspberry Pis.
I recommend nuking that set of sysctls from orbit. They should not be here by default.
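
Added example, not part of the thread and not the project's own code: a small audit that parses a sysctl.d fragment and reports the two kinds of setting described above (router advertisements turned off, address limit of 1). The sample fragment is constructed rather than copied from the linked file, and the function names are hypothetical; `accept_ra` and `max_addresses` are the kernel's `net.ipv6.conf.<iface>.*` parameters.

```python
import re

# Constructed sample in sysctl.d syntax; NOT the contents of the linked file.
SAMPLE = """\
# constructed example fragment
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 0
net/ipv6/conf/default/accept_ra=0
-net.ipv6.conf.default.max_addresses = 1
; net.ipv6.conf.all.accept_ra = 0   (commented out, ignored)
net.ipv6.conf.eth0.accept_ra = 2
"""

# Values that stop a host from getting a routable IPv6 address:
# accept_ra=0 ignores router advertisements, max_addresses=1 caps the
# number of autoconfigured addresses per interface at one.
BREAKS_IPV6 = {
    "accept_ra": lambda v: v == 0,
    "max_addresses": lambda v: v == 1,
}
IPV6_KEY = re.compile(r"^net\.ipv6\.conf\.(?P<iface>.+)\.(?P<name>[a-z_]+)$")

def parse_sysctl(text):
    """Yield (lineno, key, value) for each setting in sysctl.d syntax."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        # A leading "-" means "ignore errors"; "/" is an alternative separator
        # (simplified here: interface names containing dots are not handled).
        key = key.strip().lstrip("-").strip().replace("/", ".")
        yield n, key, value.strip()

def audit(text):
    """Return [(lineno, iface, setting, value)] for IPv6-breaking settings."""
    findings = []
    for n, key, value in parse_sysctl(text):
        m = IPV6_KEY.match(key)
        if not m or m["name"] not in BREAKS_IPV6 or not value.lstrip("-").isdigit():
            continue
        if BREAKS_IPV6[m["name"]](int(value)):
            findings.append((n, m["iface"], m["name"], int(value)))
    return findings

if __name__ == "__main__":
    for n, iface, name, value in audit(SAMPLE):
        print(f"line {n}: {name}={value} on '{iface}' blocks IPv6 autoconfiguration")
```
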