From 8ea033ed80d5ff10e6acca039af60bb88d7cf55a Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Fri, 27 Feb 2026 12:50:11 +0200
Subject: [PATCH] sysctl.d: add 60-airsnitch.conf to drop unicast IP packets in L2 {broad,multi}cast frames
---
 etc/sysctl.d/60-airsnitch.conf | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 etc/sysctl.d/60-airsnitch.conf
diff --git a/etc/sysctl.d/60-airsnitch.conf b/etc/sysctl.d/60-airsnitch.conf
new file mode 100644
index 00000000..2df0a849
--- /dev/null
+++ b/etc/sysctl.d/60-airsnitch.conf
@@ -0,0 +1,10 @@
+# 2026-02-27 https://github.com/vanhoefm/airsnitch/blob/main/README.md#id-defense-filter-bcast
+# Client operating systems should by default drop unicast IP packets in layer
+# 2 broadcast/multicast frames.
+net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1
+net.ipv6.conf.all.drop_unicast_in_l2_multicast = 1
+# "legacy" interface names likely existing on my system
+net.ipv4.conf.eth0.drop_unicast_in_l2_multicast = 1
+net.ipv6.conf.eth0.drop_unicast_in_l2_multicast = 1
+net.ipv4.conf.wlan0.drop_unicast_in_l2_multicast = 1
+net.ipv6.conf.wlan0.drop_unicast_in_l2_multicast = 1
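Review bot: The per-interface lines for `eth0` and `wlan0` only take effect if interfaces with exactly those names exist when the file is applied, so a host using predictable interface names, or an adapter that appears later, is left with only the two `all` entries. That gap matters most for IPv6, where as far as I know the receive path checks only the per-interface value of this key and ignores `all`; this is worth confirming against the kernel's ip-sysctl documentation. Adding `net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1` and `net.ipv6.conf.default.drop_unicast_in_l2_multicast = 1` would make interfaces created after the file is loaded inherit the filter. The named-interface lines could also be prefixed with `-`, if the sysctl loader in use supports it, so a missing `eth0` or `wlan0` does not raise an error at boot. After applying, check the effective value per interface with `sysctl net.ipv6.conf.<ifname>.drop_unicast_in_l2_multicast` rather than trusting the `all` entry.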