From: trentbuck@gmail.com (Trent W. Buck)
To: netfilter@vger.kernel.org
Subject: Re: Waiting until first release of NFTABLES
Date: Mon, 24 Feb 2020 11:58:38 +1100
Message-ID: <875zfwssw1.fsf@goll.lan>
In-Reply-To: c4e081c5-3bb9-827e-a382-388fe4d859de@satchell.net

Stephen Satchell <list@satchell.net> writes:

> I'm concerned that Centos 8 is using a pre-release version of
> nftables. I just did a system update, and found this as current:
>
> /etc/redhat-release:  CentOS Linux release 8.1.1911 (Core)
> $ nft -v:             nftables v0.9.0 (Fearless Fosdick)

You might want to look for other installed packages < 1.0.0:

    rpm -qa --qf '%{name} %{version}-%{release}\n' |
    sort --sort=version --key=2

It's... not uncommon. :-)
On my laptop, fully 20% of packages are below version 1.

> To ensure BGP-38 compliance upstream, I'll use the routing table
> extension that I have developed for NetworkManager, that I posted
> earlier, that null-routes all reserved netblocks.  (I'm not planning
> to incorporate the BOGON enhancement as suggested by others.)

I think you mean BCP-38:
https://tools.ietf.org/html/bcp38

> The following will appear in my /etc/sysctl.conf file, which turns on
> source filtering and logs martians.
>
>  net.ipv6.conf.all.disable_ipv6  = 1
>  net.ipv4.conf.all.rp_filter = 1
>  net.ipv4.conf.all.log_martians = 1
>
>  net.ipv6.conf.default.disable_ipv6 = 1
>  net.ipv4.conf.default.rp_filter = 1
>  net.ipv4.conf.default.log_martians = 1
>
> Yes, this means that I'm blocking all ipv6 for now.  I will reconsider
> as the 1.0 or later release version makes it to the CentOS 8
> distribution.

CentOS runs systemd, so rp_filter=1 (or =2 since v240) should be on by default:
https://github.com/systemd/systemd/blob/master/sysctl.d/50-default.conf
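
To see which reverse-path filtering mode is actually in effect on each interface, whatever set it, the following added example (not part of the original message) reports the value the kernel applies: for source validation it uses the maximum of conf/all/rp_filter and conf/<interface>/rp_filter. The SYSCTL_ROOT variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: per-interface effective rp_filter mode.
# SYSCTL_ROOT (an assumption of this example) lets the functions read a copy
# of the sysctl tree; it defaults to the live /proc/sys.

rp_mode_name() {
    # Map the numeric rp_filter value to its meaning.
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

effective_rp_filter() {
    # $1 = interface name; prints max(all, interface), the value the
    # kernel uses when validating source addresses on that interface.
    root="${SYSCTL_ROOT:-/proc/sys}/net/ipv4/conf"
    all=$(cat "$root/all/rp_filter" 2>/dev/null) || return 1
    ifv=$(cat "$root/$1/rp_filter" 2>/dev/null) || return 1
    if [ "$all" -gt "$ifv" ]; then echo "$all"; else echo "$ifv"; fi
}

report_rp_filter() {
    # One line per real interface: name, effective value, meaning.
    # "all" and "default" are templates, not interfaces, so skip them.
    root="${SYSCTL_ROOT:-/proc/sys}/net/ipv4/conf"
    for dir in "$root"/*/; do
        ifname=$(basename "$dir")
        case "$ifname" in all|default) continue ;; esac
        mode=$(effective_rp_filter "$ifname") || continue
        printf '%s %s %s\n' "$ifname" "$mode" "$(rp_mode_name "$mode")"
    done
}

report_rp_filter
```

An interface that reports "off" has no source validation even if net.ipv4.conf.default.rp_filter is set, because "default" only seeds interfaces created after it was written.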

