Re: ipv6 rpfilter and.. fw mark? problems with wireguard

Hi Dominique

> table inet test {
>    chain raw_PREROUTING {
>        type filter hook prerouting priority raw; policy accept;
>        meta nfproto ipv6 fib saddr . iif oif missing log prefix "rpfilter_DROP: " drop
>    }
> }
> 
> or
> 
> ip6tables -t raw -A PREROUTING -m rpfilter --invert -j LOG --log-prefix "rpfilter_DROP: "
> ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP

This does not consider the fwmark for the reverse-routing lookup.
Using the --validmark option for the rpfilter match should get you the correct result.

And for nft the already suggested: meta nfproto ipv6 fib saddr . iif . mark oif missing log prefix "rpfilter_DROP: " drop

> For completeness, the two nft commands there contain the following
> tables:
> table ip6 wg-quick-wg0 {
>    chain preraw {
>        type filter hook prerouting priority raw; policy accept;
>        iifname != "wg0" ip6 daddr fe80::2 fib saddr type != local drop
>    }
> 
>    chain premangle {
>        type filter hook prerouting priority mangle; policy accept;
>        meta l4proto udp meta mark set ct mark
>    }
> 
>    chain postmangle {
>        type filter hook postrouting priority mangle; policy accept;
>        meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
>    }
> }

I suspect the main problem is the rpfilter check happening in the raw table, but the fwmark only being written in the mangle table.
Thus the rpfilter lookup happens without the correct fwmark and fails to return the correct result.

I would move the rpfilter check into the mangle table and place it after the fwmark is written.

eg. something like:

table ip6 wg-quick-wg0 {
   chain preraw {
       type filter hook prerouting priority raw; policy accept;
       iifname != "wg0" ip6 daddr fe80::2 fib saddr type != local drop
   }

   chain premangle {
       type filter hook prerouting priority mangle; policy accept;
       meta l4proto udp meta mark set ct mark
       fib saddr . iif . mark oif missing log prefix "rpfilter_DROP: " drop
   }

   chain postmangle {
       type filter hook postrouting priority mangle; policy accept;
       meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
   }
}


Cheers
Andreas
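To make the diagnosis above concrete, here is a small added simulation (not from the list thread or from wg-quick) of a fwmark-aware reverse-path lookup. It assumes the policy-routing layout wg-quick normally installs for a table/mark of 51820 (0xca6c, the mark in the postmangle chain): a `not fwmark 51820 lookup 51820` rule and a `table main suppress_prefixlength 0` rule; the interfaces and addresses are constructed sample values.

```python
# Toy model of `fib saddr . iif . mark oif` with and without the fwmark.
# Routing layout is an assumption modelled on wg-quick; addresses are constructed.
import ipaddress

WG_MARK = 0xca6c  # 51820, the mark set/restored in the mangle chains

# Constructed routing tables: prefix -> outgoing interface
TABLES = {
    "main": {"2001:db8:1::/64": "eth0", "::/0": "eth0"},   # LAN + default uplink
    "51820": {"::/0": "wg0"},                              # everything via tunnel
}

# Policy rules in priority order: (fwmark excluded by "not fwmark", table, suppress_prefixlength)
RULES = [
    (None, "main", 0),         # ip -6 rule add table main suppress_prefixlength 0
    (WG_MARK, "51820", None),  # ip -6 rule add not fwmark 51820 table 51820
    (None, "main", None),      # implicit final lookup in main
]


def table_lookup(table, dst):
    """Longest-prefix match in one table; returns (prefixlen, oif) or None."""
    best = None
    for prefix, oif in TABLES[table].items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, oif)
    return best


def route(dst, mark):
    """Walk the policy rules the way the kernel would for a given fwmark."""
    dst = ipaddress.ip_address(dst)
    for not_mark, table, suppress in RULES:
        if not_mark is not None and mark == not_mark:
            continue  # "not fwmark X": marked packets skip this rule
        hit = table_lookup(table, dst)
        if hit is None:
            continue
        if suppress is not None and hit[0] <= suppress:
            continue  # suppress_prefixlength: ignore overly generic routes
        return hit[1]
    return None


def rpfilter_ok(saddr, iif, mark=0):
    """Reverse-path check: pass only if the route back to saddr leaves via iif."""
    return route(saddr, mark) == iif
```

Run against the WireGuard endpoint's address arriving on the uplink: with mark 0 (the state seen in the raw hook) the lookup lands in table 51820 and points at wg0, so the check fails; with the conntrack-restored mark 0xca6c it falls through to main and passes.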
