I'm concerned that CentOS 8 is using a pre-release version of nftables.
I just did a system update, and found this as current:
/etc/redhat-release: CentOS Linux release 8.1.1911 (Core)
$ nft -v: nftables v0.9.0 (Fearless Fosdick)
I think that, given some of the issues that have been mentioned on this
list, I'm not comfortable with this new pre-release facility. So I'll
wait until it reaches v1.0 or higher, and in the meantime revert to
using IPTABLES and my home-brew shell script, disabling firewalld(8) in
the process.
To ensure BGP-38 compliance upstream, I'll use the routing table
extension that I have developed for NetworkManager, that I posted
earlier, that null-routes all reserved netblocks. (I'm not planning to
incorporate the BOGON enhancement as suggested by others.)
The following will appear in my /etc/sysctl.conf file, which turns on
source filtering and logs martians.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.log_martians = 1
Yes, this means that I'm blocking all IPv6 for now. I will reconsider
as the 1.0 or later release version makes it to the CentOS 8 distribution.
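Once log_martians is on, the kernel writes "martian source" lines to the kernel log whenever the rp_filter check fails. The following is an added example (not part of the post above) that parses such lines and summarizes them per interface and source, and flags sources that fall in non-global (reserved/private) space, which is what the null-routing of reserved netblocks is meant to catch. The log lines are constructed samples; the message format is assumed from the kernel's net/ipv4/route.c warning ("martian source <dst> from <src>, on dev <if>").

```python
import ipaddress
import re
from collections import Counter

# Kernel martian-source warning (assumed format; the "IPv4: " prefix is
# present on recent kernels, so we only anchor on the message body).
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>[0-9.]+) from (?P<src>[0-9.]+), on dev (?P<dev>\S+)"
)

# Constructed sample of a syslog-forwarded kernel log; not real traffic.
SAMPLE_LOG = """\
Jan 10 12:00:01 host kernel: IPv4: martian source 203.0.113.7 from 10.0.0.9, on dev eth0
Jan 10 12:00:01 host kernel: ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
Jan 10 12:00:02 host kernel: IPv4: martian source 203.0.113.7 from 10.0.0.9, on dev eth0
Jan 10 12:00:05 host kernel: IPv4: martian source 203.0.113.7 from 192.0.2.1, on dev eth1
Jan 10 12:00:07 host kernel: audit: type=1300 unrelated line
""".splitlines()


def parse_martians(lines):
    """Return one dict (src, dst, dev) per martian-source line; skip the rest."""
    events = []
    for line in lines:
        m = MARTIAN_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Count martian packets per (interface, claimed source address)."""
    return Counter((e["dev"], e["src"]) for e in events)


def reserved_sources(events):
    """Sources that are not globally routable (RFC 1918, TEST-NET, etc.)."""
    return sorted(
        {e["src"] for e in events if not ipaddress.ip_address(e["src"]).is_global}
    )


if __name__ == "__main__":
    evs = parse_martians(SAMPLE_LOG)
    for (dev, src), n in summarize(evs).most_common():
        print(f"{dev}: {n} martian packet(s) claiming source {src}")
    print("non-global sources seen:", ", ".join(reserved_sources(evs)))
```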