https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701200
This is a serious issue, many providers these days assign a globally routable ipv6 address to all systems. Our users could be running on systems they think are protected yet have every port exposed on ipv6 transport.
IMO this should be backported via a security release into current stable. It's an extremely low-risk fix and would immediately provide additional security to users using the default ruleset.
--Adam