From 0b0fe28a883456f6f6e0a20657faeb0d13ce7575 Mon Sep 17 00:00:00 2001
From: Fabricio Duarte
Date: Thu, 5 Jun 2025 14:22:24 -0300
Subject: [PATCH 1/2] IPv6 firewall: accept related packets and packets from established connections
---
 systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
index bf7aaf5ddd6e..a5c0b71f96ae 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
@@ -232,6 +232,8 @@ def add_ip6_chain(self, address_family, table, chain, hook, action):
 if hook == "input" or hook == "output":
 CsHelper.execute("nft add rule %s %s %s icmpv6 type { echo-request, echo-reply, \
 nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept" % (address_family, table, chain))
+ if hook == "input" or hook == "forward":
+ CsHelper.execute("nft add rule %s %s %s ct state established,related accept" % (address_family, table, chain))
 def add_ip4_chain(self, address_family, table, chain, hook, action):
 chain_policy = ""
From 145f4febb1ca74d709ae66d0ff4f83bda0c7419b Mon Sep 17 00:00:00 2001
From: Fabricio Duarte
Date: Tue, 8 Jul 2025 14:00:55 -0300
Subject: [PATCH 2/2] Remove rule from input chain
---
 systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
index a5c0b71f96ae..80d64e8f2d92 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
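Review bot: The new `ct state established,related accept` rule is not paired with a `ct state invalid drop` in front of it, so packets that conntrack cannot associate with any flow are left to whatever rules follow (or the chain policy) instead of being discarded up front; the same applies to the forward-only form this branch takes in the second patch. The conventional stateful pair is `CsHelper.execute("nft add rule %s %s %s ct state invalid drop" % (address_family, table, chain))` immediately before the accept rule. Because `nft add rule` appends, the position of both rules depends on what the chain already contains at this point, which the hunk does not show, so the caller's ordering should be checked before relying on them as an early-accept. The command is assembled with `%` from `address_family`, `table` and `chain`; these presumably come from the router's own configuration rather than tenant input, but that is worth confirming since the string is handed to `CsHelper.execute`. The enclosing `add_ip6_chain` begins before the hunk.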
@@ -232,7 +232,7 @@ def add_ip6_chain(self, address_family, table, chain, hook, action):
 if hook == "input" or hook == "output":
 CsHelper.execute("nft add rule %s %s %s icmpv6 type { echo-request, echo-reply, \
 nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept" % (address_family, table, chain))
- if hook == "input" or hook == "forward":
+ elif hook == "forward":
 CsHelper.execute("nft add rule %s %s %s ct state established,related accept" % (address_family, table, chain))
 def add_ip4_chain(self, address_family, table, chain, hook, action):
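Review bot: The `elif` chains the forward-chain rule onto the `if hook == "input" or hook == "output"` branch, which reads as if the two statements are alternatives of one decision although they install unrelated rules; since `"forward"` can never equal `"input"` or `"output"` the behaviour is identical to a standalone `if`, but the reader has to work that out. The reason the input chain no longer receives the `ct state established,related accept` rule is stated only in the commit title, so a comment on the `elif` line would preserve it in the code, e.g. `# Forward chain only: accept return traffic of tracked flows; the input chain deliberately gets no such rule.` The enclosing `add_ip6_chain` begins before the hunk.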