Having this very simple setup, icmp is not getting through at the target machine. Flushing the nft ruleset, the icmp traffic is getting through.

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        icmp type { 0, 3, 11, 12, 14, 16, 18 } accept
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}

A trace does not seem to reveal/show the |accept| verdict, but neither any |drop|.

trace id 3409361b inet filter input packet: iif "ens3" ether saddr 00:23:dc:01:18:96 ether daddr 00:16:3e:22:4e:9d ip saddr 149.x.x.x ip daddr 179.x.x.x ip dscp cs0 ip ecn not-ect ip ttl 55 ip id 57831 ip length 84 icmp type echo-request icmp code 0 icmp id 47 icmp sequence 1
trace id 3409361b inet filter input rule nftrace set 1 (verdict continue)
trace id 3409361b inet filter input verdict continue
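Added example, not part of the original post: a short Python check that compares the ICMP type in the trace line against the numeric set in the accept rule. The helper names are hypothetical, the trace line is abridged from the post, and the model is a simplification that only evaluates `icmp type { ... } accept` rules and the chain policy.

```python
import re

# ICMPv4 type names as nft prints them, keyed by IANA type number.
ICMP_NAMES = {
    0: "echo-reply", 3: "destination-unreachable", 8: "echo-request",
    11: "time-exceeded", 12: "parameter-problem", 14: "timestamp-reply",
    16: "info-reply", 18: "address-mask-reply",
}
NAME_TO_NUM = {name: num for num, name in ICMP_NAMES.items()}

# Input chain and first trace line, abridged from the post above.
RULESET = """
chain input {
    type filter hook input priority 0; policy drop;
    icmp type { 0, 3, 11, 12, 14, 16, 18 } accept
}
"""
TRACE = ('trace id 3409361b inet filter input packet: iif "ens3" '
         "ip length 84 icmp type echo-request icmp code 0 icmp id 47")

def to_num(token):
    """Accept either a numeric type or the symbolic name nft prints."""
    token = token.strip()
    return int(token) if token.isdigit() else NAME_TO_NUM[token]

def accepted_types(ruleset):
    """ICMP type numbers listed in 'icmp type { ... } accept' rules."""
    found = set()
    for body in re.findall(r"icmp type \{([^}]*)\}\s*accept", ruleset):
        found.update(to_num(tok) for tok in body.split(","))
    return found

def traced_type(trace):
    """ICMP type number of the packet shown in an nft trace line."""
    match = re.search(r"icmp type (\S+)", trace)
    if match is None:
        raise ValueError("no icmp type in trace line")
    return to_num(match.group(1))

def verdict(ruleset, trace):
    """Return (type number, verdict): 'accept' on a set hit, else chain policy."""
    policy = re.search(r"hook input[^;]*;\s*policy (\w+);", ruleset).group(1)
    icmp_type = traced_type(trace)
    return icmp_type, "accept" if icmp_type in accepted_types(ruleset) else policy

if __name__ == "__main__":
    num, result = verdict(RULESET, TRACE)
    print(f"icmp type {num} ({ICMP_NAMES[num]}): {result}")
```

Run against the posted rule, the traced echo-request (type 8) is not in the accepted set, so the packet falls through to the chain's `policy drop`.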