On 2017-09-28 20:29:38 -0300 (-0300), Jorge Luiz Correa wrote:
> It would be good if developers could know about that because
> privacy extension is becoming the default on every operating
> system. I've tested the last version of *ubuntu and some FreeBSD
> kernels, all operating with privacy extension by default.
>
> So, this way of creating the iptables rules needs to be reviewed.
[...]

To accommodate privacy extensions, we'd basically have to give up on any assumptions as to what the viable source addresses originating on a port could be (at least within the netmask). This filtering is the primary mechanism for preventing address spoofing within a shared network. By comparison, RFC 4941 privacy extensions are primarily a protection for desktop/mobile client systems and do little (if anything) useful for a statically-addressed server. Disabling it there makes a lot of sense to me, as a privacy/security-conscious sysadmin.
--
Jeremy Stanley
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
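
The trade-off discussed in the message above, as an added example that is not part of the original thread and not the project's own code: a per-port source filter drops RFC 4941 temporary addresses, while relaxing it to the whole netmask also accepts a neighbour's address. It assumes the address expected on a port is the modified EUI-64 SLAAC address for the port's MAC; the prefix, MACs, port names and temporary address are constructed.

```python
import ipaddress

PREFIX = "2001:db8:0:1::/64"          # constructed documentation prefix
PORTS = {                              # constructed port -> MAC table
    "port-a": "fa:16:3e:00:00:01",
    "port-b": "fa:16:3e:00:00:02",
}

def eui64_address(prefix, mac):
    """Modified EUI-64 SLAAC address (RFC 4291) for a MAC inside a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02                  # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def strict_allows(port, src):
    """Per-port rule: only the address expected on this port may be a source."""
    return ipaddress.IPv6Address(src) == eui64_address(PREFIX, PORTS[port])

def prefix_allows(port, src):
    """Relaxed rule: any source inside the subnet is accepted on any port."""
    return ipaddress.IPv6Address(src) in ipaddress.IPv6Network(PREFIX)

def compare():
    """Return {case: (strict verdict, relaxed verdict)} for packets sent from port-a."""
    cases = {
        "stable address": str(eui64_address(PREFIX, PORTS["port-a"])),
        "RFC 4941 temporary address": "2001:db8:0:1:3c5a:91ff:2b07:8e14",  # constructed
        "port-b's address (spoofed)": str(eui64_address(PREFIX, PORTS["port-b"])),
    }
    return {name: (strict_allows("port-a", src), prefix_allows("port-a", src))
            for name, src in cases.items()}

if __name__ == "__main__":
    for name, (strict, relaxed) in compare().items():
        print(f"{name:30} strict={'ACCEPT' if strict else 'DROP':6} "
              f"relaxed={'ACCEPT' if relaxed else 'DROP'}")
```

The relaxed rule cannot tell the temporary address from the spoofed one: both are simply "inside the netmask".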