Re: nft 0.8.2 - conntrack on ll with netdev

ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
> 
> > That makes no sense. Packets sent via lo never leave the host.
> > And netdev supports ingress (incoming) only.
> > netdev ingress is tied to an interface.
> >
> > This only filters packets coming in on eth0.
> > There is no impact on lo, or any other interface -- such packets do not
> > even enter the 'in_public' chain.
> >
> > Again, this statement makes no sense to me.
> >
> > I suspect you were dropping incoming arp packets, making l2 address
> > resolution fail and breaking ip connectivity.
> Yup, my bad about lo, it was indeed meant to be nic/eth. With this
> script I got no outbound traffic from the nic
> 
> table ip nat {
>         chain postrouting {
>                 oifname "ens3" masquerade # handle 2
>         }
> }
> table netdev filter {
>         chain nic {
>                 type filter hook ingress device ens3 priority 0; policy drop;
>                 tcp dport 56009 accept # handle 2
>                 nftrace set 1 # handle 3
>         }
> }
> 
> 
> the trace reads
> 
> trace id ce332c96 netdev filter nic packet: iif "ens3" ether saddr
> 00:23:dc:01:18:96 ether daddr 00:16:3e:22:4e:9d ip saddr 8.8.8.8 ip
> daddr 179.x.x.x ip dscp cs0 ip ecn not-ect ip ttl 59 ip id 60333 ip
> length 84 icmp type echo-reply icmp code 0 icmp id 6911 icmp sequence 5
> trace id ce332c96 netdev filter nic rule nftrace set 1 (verdict continue)
> trace id ce332c96 netdev filter nic verdict continue
> trace id ce332c96 netdev filter nic
> 
> > You can drop any packet you like and apply any type of filtering
> > on packet content you want, including rate limiting for instance.
> 
> That all makes sense if it would not stop outbound traffic as stated above.

It doesn't.  The trace shows dropped, incoming (iif ens3) icmp reply.
Outbound packet passes fine.  You're dropping the replies.

You will need to accept arp for ipv4 and icmpv6 packets that handle
neigh discovery at the very least.

If you want ping to work, accept icmp echo-reply packets.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
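To make the reply's advice concrete, here is an added example ruleset (not from the thread or its authors) that keeps the quoted script's policy-drop stance on the netdev ingress hook but explicitly accepts the traffic the reply says must pass: ARP for IPv4, ICMPv6 neighbour discovery, and ICMP echo replies. The interface name ens3 and port 56009 come from the quoted script; the choice of ICMPv6 types and the position of the trace rule are assumptions made for illustration.

```nft
# Added example, not the poster's script. Because the netdev hook sees
# ingress packets only, replies to traffic the host itself sends arrive
# here and are dropped by the policy unless matched explicitly.
table netdev filter {
    chain nic {
        type filter hook ingress device ens3 priority 0; policy drop;

        # Trace first, so every incoming packet (accepted or dropped)
        # shows up in 'nft monitor trace'; placed after 'accept' rules
        # it would only ever see the packets that fall through to drop.
        nftrace set 1

        # L2 address resolution for IPv4; dropping ARP breaks IP connectivity
        # even though the IP rules look fine.
        ether type arp accept

        # Neighbour discovery for IPv6 (the IPv6 equivalent of ARP).
        # Assumed type set; extend as your network requires.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Replies to outbound pings come back through this ingress hook.
        icmp type echo-reply accept

        # The service port from the quoted script.
        tcp dport 56009 accept
    }
}
```

Load it with `nft -f <file>` and watch `nft monitor trace` while pinging an external host: with the echo-reply rule removed, the trace shows the incoming reply reaching the chain and falling through to the drop policy, which is exactly what the quoted trace recorded.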


