> That makes no sense. Packets sent via lo never leave the host.
> And netdev supports ingress (incoming) only.
> netdev ingress is tied to an interface.
>
> This only filters packets coming in on eth0.
> There is no impact on lo, or any other interface -- such packets do not
> even enter the 'in_public' chain.
>
> Again, this statement makes no sense to me.
>
> I suspect you were dropping incoming arp packets, making l2 address
> resolution fail and breaking ip connectivity.

Yup, my bad about lo, it was indeed meant to be nic/eth.

With this script I got no outbound traffic from the nic:

table ip nat {
	chain postrouting {
		oifname "ens3" masquerade # handle 2
	}
}
table netdev filter {
	chain nic {
		type filter hook ingress device ens3 priority 0; policy drop;
		tcp dport 56009 accept # handle 2
		nftrace set 1 # handle 3
	}
}

The trace reads:

trace id ce332c96 netdev filter nic packet: iif "ens3" ether saddr 00:23:dc:01:18:96 ether daddr 00:16:3e:22:4e:9d ip saddr 8.8.8.8 ip daddr 179.x.x.x ip dscp cs0 ip ecn not-ect ip ttl 59 ip id 60333 ip length 84 icmp type echo-reply icmp code 0 icmp id 6911 icmp sequence 5
trace id ce332c96 netdev filter nic rule nftrace set 1 (verdict continue)
trace id ce332c96 netdev filter nic verdict continue
trace id ce332c96 netdev filter nic

> You can drop any packet you like and apply any type of filtering
> on packet content you want, including rate limiting for instance.

That all makes sense if it would not stop outbound traffic as stated above.
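An added ruleset (not the poster's, and not from the thread) showing why the posted chain looks like it kills outbound traffic and how to split the work between hooks; it assumes the interface ens3 and service port 56009 from the message, and the addresses in comments are the ones from the trace.

```nft
# Added example, not the poster's ruleset. Assumes ens3 and tcp/56009 as in the thread.
#
# The posted chain has 'policy drop' at the netdev ingress hook. That hook sees raw
# frames, so two things fall through to the policy: ARP requests/replies (L2 address
# resolution breaks, nothing on the link works) and the replies to the host's own
# connections, such as the traced ICMP echo-reply from 8.8.8.8. The result is what
# reads as "no outbound traffic" even though only inbound frames are being dropped.

# 1. Keep the netdev ingress chain for cheap early decisions only: let ARP through,
#    trace the service traffic, and drop frames that can only be spoofed.
table netdev filter {
	chain nic {
		type filter hook ingress device ens3 priority 0; policy accept;
		ether type arp accept
		ip saddr 127.0.0.0/8 drop              # loopback source on a NIC is spoofed
		tcp dport 56009 nftrace set 1           # trace only the service traffic
	}
}

# 2. Put the default-drop, stateful policy on the inet input hook, where conntrack
#    can match reply traffic; this is what the netdev chain alone cannot express.
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iif "lo" accept
		ct state established,related accept     # replies to our own connections
		ct state invalid drop
		tcp dport 56009 accept
	}
}
```

Loading this with `nft -f` replaces the posted netdev chain's policy with an explicit drop in the inet input hook, so the ICMP echo-reply in the trace is accepted by the established,related rule instead of being discarded at ingress.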