maybe prevent ipv6 leak

2 files changed, 4 insertions, 3 deletions

diff --git a/etc/nftables.conf b/etc/nftables.conf
index 2dba5a76..7132abfd 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -58,7 +58,9 @@ table inet my_table {
 
 # https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
 # needed by wireguard?
-table ip nat {
+# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
+# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
+table inet nat {
 	chain prerouting {
 		type nat hook prerouting priority 0; policy accept;
 	}
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
index 00f01949..b9677c02 100644
--- a/etc/sysctl.d/99-sysctl.conf
+++ b/etc/sysctl.d/99-sysctl.conf
@@ -4,5 +4,4 @@
 # https://wiki.archlinux.org/title/Nftables#NAT_with_port_forwarding
 # https://github.com/teddysun/across/blob/acef6b00a6ad062c0e99286ea136d1a246def644/wireguard.sh#L514-L522
 net.ipv4.ip_forward = 1
-# ka no ipv6. Test shows if enable this, it will expose my workstation's ipv6. If it has ipv6, maybe also need `table ip6 nat` in nftables.conf to hide workstation's ipv6?
-#net.ipv6.conf.all.forwarding = 1
+net.ipv6.conf.all.forwarding = 1