On 09/02/2020 12:51, ѽ҉ᶬḳ℠ wrote:
Presumably the NFT rule
* filter prerouting fib saddr . iif oif missing drop
and the kernel parameter
net.ipv4.conf.<interface>.rp_filter = 2
achieve the same goal.
Which one comes into effect first, if there is a difference, assuming
that both are being processed through netfilter?
Is one or the other more economical with regard to CPU cycles and/or
responsiveness?
I have also been wondering about potential conflicts between kernel parameters
vs. firewall rules: which takes precedence?
Another example - here purposely creating a conflict:
* net.ipv6.conf.<interface>.accept_redirects = 0
vs.
* ip6 saddr fe80::/10 ip6 hoplimit 255 ip6 daddr ff02::1 icmpv6 type 137 accept;
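As an added illustration of the two reverse-path variants the question compares (this ruleset is not part of the original message or of any project; the table and chain names are assumptions): the strict fib form `fib saddr . iif oif missing` matches what `rp_filter = 1` does, while the loose form `fib saddr oif missing` is the counterpart of `rp_filter = 2`; the nft rule runs in the prerouting hook, i.e. before the routing lookup in which `rp_filter` is applied, and it also covers IPv6, for which no `rp_filter` sysctl exists. An nft `accept` verdict only means netfilter does not drop the packet; checks the stack itself performs afterwards, such as `accept_redirects = 0`, still apply.

```nft
#!/usr/sbin/nft -f
# Added example, not taken from the original post. Table and chain names are
# assumptions; the sysctl lines in comments are the equivalents being compared.
table inet rpfilter {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;

        # Never reverse-path-check loopback traffic.
        iif lo accept

        # Strict check (counterpart of net.ipv4.conf.<if>.rp_filter = 1):
        # drop if the route back to saddr does not leave via the arrival
        # interface. Applies to IPv4 and IPv6 alike.
        fib saddr . iif oif missing counter drop

        # Loose check (counterpart of net.ipv4.conf.<if>.rp_filter = 2):
        # drop only if saddr is not routable via any interface. Use this
        # line instead of the strict one on asymmetrically routed hosts.
        # fib saddr oif missing counter drop

        # Letting ICMPv6 redirects through netfilter does not override
        # net.ipv6.conf.<if>.accept_redirects = 0: with that sysctl the stack
        # still ignores the redirect after this rule accepts it.
        ip6 saddr fe80::/10 ip6 hoplimit 255 icmpv6 type nd-redirect counter accept
    }
}
```

Load with `nft -f` and compare the `counter` values against `nstat -az Ip...`-style statistics if you want to see which check fires first; the nft counters increment before the routing code ever sees the packet.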