tmpfiles.d: add config for IPv6 privacy extensions & airsnitch mitigation

etc/tmpfiles.d/networking-security-privacy.conf

@@ -0,0 +1,18 @@
+# Enable IPv6 privacy extensions and prefer them to the EUI-64 address
+# 2 for enabling and preferring, 1 to only enable, 0 to disable
+w /proc/sys/net/ipv6/conf/all/use_tempaddr - - - - 2
+w /proc/sys/net/ipv6/conf/default/use_tempaddr - - - - 2
+w /proc/sys/net/ipv6/conf/eth0/use_tempaddr - - - - 2
+w /proc/sys/net/ipv6/conf/wlan0/use_tempaddr - - - - 2
+w /proc/sys/net/ipv6/conf/enp4s0f1/use_tempaddr - - - - 2
+w /proc/sys/net/ipv6/conf/wlp3s0/use_tempaddr - - - - 2
+
+# AirSnitch mitigation 2026-04-13 https://github.com/vanhoefm/airsnitch/blob/main/README.md#id-defense-filter-bcast
+w /proc/sys/net/ipv4/conf/eth0/drop_unicast_in_l2_multicast - - - - 1
+w /proc/sys/net/ipv6/conf/eth0/drop_unicast_in_l2_multicast - - - - 1
+w /proc/sys/net/ipv4/conf/wlan0/drop_unicast_in_l2_multicast - - - - 1
+w /proc/sys/net/ipv6/conf/wlan0/drop_unicast_in_l2_multicast - - - - 1
+w /proc/sys/net/ipv4/conf/enp4s0f1/drop_unicast_in_l2_multicast - - - - 1
+w /proc/sys/net/ipv6/conf/enp4s0f1/drop_unicast_in_l2_multicast - - - - 1
+w /proc/sys/net/ipv4/conf/wlp3s0/drop_unicast_in_l2_multicast - - - - 1
+w /proc/sys/net/ipv6/conf/wlp3s0/drop_unicast_in_l2_multicast - - - - 1

install

@@ -218,9 +218,9 @@ if [ "$(id -u)" == "0" ]; then
 		cp -v local/share/applications/vivaldi.desktop /usr/local/share/applications/
 	fi
 
-	# Attempt at classic snaps (symlink /snap to /var/lib/snapd/snap)
+	# SECURITY WARNING! Attempt at automatic symlinking and weird kernel configuration etc.
 	mkdir -vp /etc/tmpfiles.d/
-	cp -v etc/tmpfiles.d/snapd-classic.conf /etc/tmpfiles.d/
+	cp -v etc/tmpfiles.d/{snapd-classic,networking-security-privacy}.conf /etc/tmpfiles.d/
 
 	# Additional configuration for sudo SECURITY WARNING DANGER ALARM BELLS!
 	if [ -d /etc/sudoers.d ]; then