Thanks for the explanation, Jeremy! Very clear. I think systems with cloud-init enabled, like most images, can be easily configured to disable this feature.
Thank you! :)

> On 28 Sep 2017, at 21:37, Jeremy Stanley <fu...@yuggoth.org> wrote:
>
> On 2017-09-28 20:29:38 -0300 (-0300), Jorge Luiz Correa wrote:
>> It would be good if developers could know about that because
>> privacy extension is becoming the default on every operating
>> system. I've tested last version of *ubuntu and some FreeBSD
>> kernels, all operating with privacy extension by default.
>>
>> So, this way of creating the iptables rules need to be reviewed.
> [...]
>
> To accommodate privacy extensions, we'd basically have to give up on
> any assumptions as to what the viable source addresses originating
> on a port could be (at least within the netmask). This filtering is
> the primary mechanism for preventing address spoofing within a
> shared network.
>
> By comparison, RFC 4941 privacy extensions are primarily a
> protection for desktop/mobile client systems and do little (if
> anything) useful for a statically-addressed server. Disabling it
> there makes a lot of sense to me, as a privacy/security-conscious
> sysadmin.
> --
> Jeremy Stanley
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
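
Added example, not part of the thread and not OpenStack code: a sketch of why per-port source-address filtering and RFC 4941 temporary addresses conflict. It assumes the port's only allowed address is the modified EUI-64 SLAAC address derived from its MAC; the prefix, MAC, temporary address and function names are constructed or hypothetical.

```python
import ipaddress


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Build the SLAAC address for a /64 prefix and a 48-bit MAC
    using the modified EUI-64 interface identifier (RFC 4291)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers require a /64 prefix")
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(iid, "big")
    )


def source_allowed(src: str, allowed: set) -> bool:
    """Anti-spoofing decision: accept a packet only if its source address
    is one of the addresses known for the port (hypothetical helper)."""
    return ipaddress.IPv6Address(src) in allowed


# Constructed sample values: documentation prefix and a made-up MAC.
PREFIX = "2001:db8:0:1::/64"
MAC = "fa:16:3e:12:34:56"
STABLE = eui64_address(PREFIX, MAC)
ALLOWED = {STABLE}

# Constructed RFC 4941-style address: same prefix, random interface identifier.
TEMPORARY = "2001:db8:0:1:5c3a:91ff:27d0:b4e2"

if __name__ == "__main__":
    for src in (str(STABLE), TEMPORARY):
        verdict = "ACCEPT" if source_allowed(src, ALLOWED) else "DROP"
        print(f"{src:40} {verdict}")
```

The temporary address is inside the subnet but cannot be predicted from the MAC, so a filter keyed on known per-port addresses drops it; accepting it would mean accepting any source within the netmask.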