From: "Niko Kortström" <niko.kortstrom@gmail.com>
To: Kerin Millar <kfm@plushkava.net>
Cc: netfilter@vger.kernel.org
Subject: Re: Fwd: IP daddr filtering not working for non-routable address
Date: Wed, 1 Sep 2021 19:31:05 +0300
Message-ID: <CADjU3L=iHW9-WB-J3rd-H2CYkU8abfNCAF0vrPHYszXdrQZatw@mail.gmail.com>
In-Reply-To: <20210901161307.fe9c7ca2ada8635ec0f7e301@plushkava.net>

Hi!

Thanks a lot! With this nft tracing we can see that the packets are
visible in prerouting but not in the forwarding chain, so they are
dropped in routing before reaching it. So we can either move filtering
to prerouting to count non-routable packets as well or just let them
silently fall off.


Niko Kortström

On Wed, Sep 1, 2021 at 6:13 PM Kerin Millar <kfm@plushkava.net> wrote:
>
> On Wed, 1 Sep 2021 16:59:44 +0300
> Niko Kortström <niko.kortstrom@gmail.com> wrote:
>
> > Hi
> >
> > Sorry, we're making some changes and changing the names; on the target,
> > ip-filtering has been changed to ecpri-ip-filtering. We're wondering how
> > the filtered packets do not increase the counters past the accept rule if
> > they are not accepted by it.
> >
> > # ip netns exec radions sysctl -a | grep '\.rp_filter'
> > net.ipv4.conf.all.rp_filter = 2
> > net.ipv4.conf.default.rp_filter = 0
> > net.ipv4.conf.rfoe4.rp_filter = 0
> > net.ipv4.conf.rfoe4/295.rp_filter = 0
> >
> > No martians seem to be logged by the kernel.
>
> For them to be logged requires that net.ipv4.conf.*.log_martians be set to a value of 1, where * is either "all" or the link name in question.
>
> Also, you could try adding something like this:-
>
> chain prerouting {
>         type filter hook prerouting priority raw; policy accept;
>         ip daddr 10.0.0.0/8 meta nftrace set 1
> }
>
> In the case that the packet is being processed by Netfilter, you may then determine how it traverses your ruleset by executing "nft monitor trace".
>
> --
> Kerin Millar
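The diagnosis Niko reaches above ("visible in prerouting but not in the forwarding chain, so dropped in routing") can be automated over the output of "nft monitor trace". The script below is an added example, not code from either poster: it groups trace lines by trace id, which nftables keeps constant for one packet across hooks, and reports whether each packet was seen again in an input or forward chain after prerouting, was dropped by a prerouting rule itself, or was accepted in prerouting and never seen again (the routing-decision drop). It assumes a table named "filter" whose chains are named after their hooks, and every sample trace line is constructed for the example (only the interface name rfoe4 comes from the thread).

```python
"""Group `nft monitor trace` output by trace id and classify each packet.

Assumptions (not from the thread): the table is called "filter" and its
chains carry the names of the hooks they sit on; the sample lines below
are constructed, not captured output."""
import re

TRACE_RE = re.compile(
    r"^trace id (?P<id>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) (?P<chain>\S+) "
    r"(?P<kind>packet|rule|verdict|policy):? ?(?P<rest>.*)$"
)
DADDR_RE = re.compile(r"\bip daddr (\S+)")
RULE_VERDICT_RE = re.compile(r"\(verdict (\w+)\)\s*$")

# Hooks a packet only reaches after the kernel has made its routing decision.
POST_ROUTING_HOOKS = {"input", "forward"}


def parse_trace(lines):
    """trace id -> {"daddr": str|None, "events": [(chain, kind, rest), ...]}.

    nft monitor also prints ruleset changes ("add rule ..."); those lines do
    not match TRACE_RE and are skipped."""
    traces = {}
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if not m:
            continue
        t = traces.setdefault(m["id"], {"daddr": None, "events": []})
        if m["kind"] == "packet":
            d = DADDR_RE.search(m["rest"])
            if d:
                t["daddr"] = d.group(1)
        t["events"].append((m["chain"], m["kind"], m["rest"]))
    return traces


def final_verdict(events):
    """Verdict of the last chain the packet was seen in (accept, drop, ...)."""
    verdict = None
    for _chain, kind, rest in events:
        if kind == "rule":
            m = RULE_VERDICT_RE.search(rest)
            if m:
                verdict = m.group(1)
        elif kind in ("verdict", "policy") and rest:
            verdict = rest.split()[0]
    return verdict


def classify(trace):
    chains = {chain for chain, _, _ in trace["events"]}
    if chains & POST_ROUTING_HOOKS:
        return "routed"                    # Netfilter saw it again after routing
    if "prerouting" in chains:
        if final_verdict(trace["events"]) in ("drop", "reject"):
            return "dropped-by-ruleset"    # a prerouting rule, not routing, killed it
        return "dropped-by-routing"        # accepted in prerouting, never seen again
    return "other"


def report(lines):
    """trace id -> (ip daddr, classification) for every traced packet."""
    return {tid: (t["daddr"], classify(t)) for tid, t in parse_trace(lines).items()}


# Constructed sample: three packets arriving on rfoe4, each marked by a
# prerouting rule like the "ip daddr 10.0.0.0/8 meta nftrace set 1" one above.
SAMPLE_TRACE = """\
trace id 0a1b2c3d ip filter prerouting packet: iif "rfoe4" ether saddr 02:00:00:00:00:01 ether daddr 02:00:00:00:00:02 ip saddr 192.0.2.10 ip daddr 10.20.30.40 ip ttl 64 ip id 1 ip length 84 udp sport 40000 udp dport 40000
trace id 0a1b2c3d ip filter prerouting rule ip daddr 10.0.0.0/8 meta nftrace set 1 (verdict continue)
trace id 0a1b2c3d ip filter prerouting verdict continue
trace id 0a1b2c3d ip filter prerouting policy accept
trace id 0a1b2c3d ip filter forward packet: iif "rfoe4" oif "eth1" ip saddr 192.0.2.10 ip daddr 10.20.30.40 ip ttl 63 ip id 1 ip length 84 udp sport 40000 udp dport 40000
trace id 0a1b2c3d ip filter forward rule ip daddr 10.20.30.40 counter packets 1 bytes 84 accept (verdict accept)
trace id 4e5f6071 ip filter prerouting packet: iif "rfoe4" ip saddr 192.0.2.10 ip daddr 10.99.99.99 ip ttl 64 ip id 2 ip length 84 udp sport 40000 udp dport 40000
trace id 4e5f6071 ip filter prerouting rule ip daddr 10.0.0.0/8 meta nftrace set 1 (verdict continue)
trace id 4e5f6071 ip filter prerouting verdict continue
trace id 4e5f6071 ip filter prerouting policy accept
add rule ip filter forward ip daddr 10.0.0.0/8 counter
trace id 7f808182 ip filter prerouting packet: iif "rfoe4" ip saddr 192.0.2.10 ip daddr 10.0.0.1 ip ttl 64 ip id 3 ip length 84 udp sport 40000 udp dport 40000
trace id 7f808182 ip filter prerouting rule ip daddr 10.0.0.0/8 meta nftrace set 1 (verdict continue)
trace id 7f808182 ip filter prerouting rule ip daddr 10.0.0.1 drop (verdict drop)
"""

if __name__ == "__main__":
    for tid, (daddr, outcome) in report(SAMPLE_TRACE.splitlines()).items():
        print(f"{tid}  daddr={daddr}  {outcome}")
```

Feed it live with "nft monitor trace | python3 trace_report.py" after replacing SAMPLE_TRACE with sys.stdin. Two caveats: "dropped-by-routing" only means Netfilter never saw the packet at an input or forward hook, so if no chain is registered on the input hook, locally delivered packets are reported the same way; and it cannot tell rp_filter from a missing route, which is where Kerin's log_martians=1 suggestion comes in.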
