* [nftables 0.9.2] NETDEV packet drop vs. packet capture visibility
@ 2020-03-19 16:11 ѽ҉ᶬḳ℠
From: ѽ҉ᶬḳ℠ @ 2020-03-19 16:11 UTC (permalink / raw)
To: netfilter
With
table netdev filter {
    chain input {
        type filter hook ingress device "eth2" priority filter;
        policy accept;
        ether type arp drop
        ether type vlan drop
        ether type 0x9000 drop
    }
}
in place, those packet types are visible (showing) during a packet
capture (wireshark ssh remote) on that interface. Is this to be
expected, as the packet is being captured prior to being dropped by NFT, or
does it indicate that the packets are not being dropped?
* Re: [nftables 0.9.2] NETDEV packet drop vs. packet capture visibility
@ 2020-03-19 19:43 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2020-03-19 19:43 UTC (permalink / raw)
To: ѽ҉ᶬḳ℠; +Cc: netfilter
On Thu, Mar 19, 2020 at 04:11:01PM +0000, ѽ҉ᶬḳ℠ wrote:
> With
>
> table netdev filter {
>     chain input {
>         type filter hook ingress device "eth2" priority filter;
>         policy accept;
>         ether type arp drop
>         ether type vlan drop
>         ether type 0x9000 drop
>     }
> }
>
> in place, those packet types are visible (showing) during a packet capture
> (wireshark ssh remote) on that interface. Is this to be expected, as the
> packet is being captured prior to being dropped by NFT, or does it indicate that
> the packets are not being dropped?
The ingress packet filtering happens right after the "taps", i.e.
packet capture, e.g. wireshark.
The packet is captured before nft ingress drops it.
This is where the nf_ingress() hook is invoked:
https://elixir.bootlin.com/linux/v5.6-rc6/source/net/core/dev.c#L5056
Just a few lines before, you can see the routines for the packet
captures ("taps"):
https://elixir.bootlin.com/linux/v5.6-rc6/source/net/core/dev.c#L5043
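A practical consequence of the tap ordering, as an added example that is not code from the thread: because a capture on eth2 sees every frame before the ingress hook runs, the way to confirm the drop is to read the rules' counters. The Python below assumes `counter` has been added before each `drop` in the chain, and parses constructed sample output in the shape of `nft -j list chain netdev filter input`, taken once before and once after the traffic seen in the capture.

```python
import json

def _snapshot(arp_pkts, vlan_pkts, x9000_pkts):
    """Constructed `nft -j list chain netdev filter input` output for the
    thread's chain, with `counter` added before each `drop` (sample data)."""
    def rule(handle, ether_type, pkts):
        return {"rule": {"family": "netdev", "table": "filter", "chain": "input",
                         "handle": handle, "expr": [
                             {"match": {"op": "==", "right": ether_type,
                                        "left": {"payload": {"protocol": "ether",
                                                             "field": "type"}}}},
                             {"counter": {"packets": pkts, "bytes": pkts * 60}},
                             {"drop": None}]}}
    return json.dumps({"nftables": [
        {"metainfo": {"version": "0.9.2", "json_schema_version": 1}},
        {"chain": {"family": "netdev", "table": "filter", "name": "input",
                   "handle": 1, "type": "filter", "hook": "ingress", "dev": "eth2",
                   "prio": 0, "policy": "accept"}},
        rule(2, "arp", arp_pkts), rule(3, "vlan", vlan_pkts), rule(4, 0x9000, x9000_pkts)]})

# Two constructed snapshots taken around a burst of traffic seen in the capture.
SNAPSHOT_BEFORE = _snapshot(0, 0, 0)
SNAPSHOT_AFTER = _snapshot(17, 4, 0)

def _match_text(match):
    """Render a payload match the way nft prints it, e.g. 'ether type arp'."""
    left, right = match["left"]["payload"], match["right"]
    right = hex(right) if isinstance(right, int) else str(right)
    return f"{left['protocol']} {left['field']} {right}"

def drop_counters(nft_json_text):
    """Map each counted drop rule in netdev/filter/input to its packet count."""
    counts = {}
    for obj in json.loads(nft_json_text)["nftables"]:
        rule = obj.get("rule")
        if not rule or (rule["family"], rule["chain"]) != ("netdev", "input"):
            continue
        exprs = rule["expr"]
        if "drop" not in exprs[-1]:
            continue  # only rules whose verdict is drop are of interest
        label = next(_match_text(e["match"]) for e in exprs if "match" in e)
        counts[label] = next(e["counter"]["packets"] for e in exprs if "counter" in e)
    return counts

def drops_since(before_json, after_json):
    """Packets each drop rule consumed between two snapshots. A rule still at 0
    while the capture showed that ether type means the rule is not matching."""
    before, after = drop_counters(before_json), drop_counters(after_json)
    return {k: after[k] - before.get(k, 0) for k in after}
```

Seeing a frame in the capture and seeing its rule counter advance are therefore consistent: the tap recorded it, then the hook dropped it.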
* Re: [nftables 0.9.2] NETDEV packet drop vs. packet capture visibility
@ 2020-03-19 21:55 ` ѽ҉ᶬḳ℠
From: ѽ҉ᶬḳ℠ @ 2020-03-19 21:55 UTC (permalink / raw)
To: netfilter
On 19/03/2020 19:43, Pablo Neira Ayuso wrote:
> On Thu, Mar 19, 2020 at 04:11:01PM +0000, ѽ҉ᶬḳ℠ wrote:
>> With
>>
>> table netdev filter {
>>     chain input {
>>         type filter hook ingress device "eth2" priority filter;
>>         policy accept;
>>         ether type arp drop
>>         ether type vlan drop
>>         ether type 0x9000 drop
>>     }
>> }
>>
>> in place, those packet types are visible (showing) during a packet capture
>> (wireshark ssh remote) on that interface. Is this to be expected, as the
>> packet is being captured prior to being dropped by NFT, or does it indicate that
>> the packets are not being dropped?
> The ingress packet filtering happens right after the "taps", i.e.
> packet capture, e.g. wireshark.
>
> The packet is captured before nft ingress drops it.
>
> This is where the nf_ingress() hook is invoked:
>
> https://elixir.bootlin.com/linux/v5.6-rc6/source/net/core/dev.c#L5056
>
> Just a few lines before, you can see the routines for the packet
> captures ("taps"):
>
> https://elixir.bootlin.com/linux/v5.6-rc6/source/net/core/dev.c#L5043
Thank you for the explanation/pointer.