Hi!

We are testing the following nftables rules (counters added for debugging purposes):

    chain forward {
        type filter hook forward priority filter - 1; policy drop;
        jump ecpri-ip-filtering
    }
    chain filtering-logging {
        counter packets 0 bytes 0 drop
    }
    chain ip-filtering {
        iifname "rfo*" counter packets 835 bytes 615040
        iifname "rfo*" ip daddr 172.21.1.18 accept
        iifname "rfo*" counter packets 0 bytes 0
        iifname "gre11E" accept
        iifname "rfo*" counter packets 0 bytes 0
        iifname "lo" accept
        iifname "rfo*" counter packets 0 bytes 0
        goto filtering-logging
    }

We are sending test packets from a neighbouring host to an IP address that cannot be routed on this host.

    # tcpdump -i rfoe4.295
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on rfoe4.295, link-type EN10MB (Ethernet), capture size 262144 bytes
    09:34:42.657004 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 733
    09:34:43.975378 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 325
    09:34:44.046110 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 113
    09:34:44.187158 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 106
    09:34:44.428949 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 347
    09:34:44.854991 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 130
    09:34:45.284802 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 101
    09:34:45.446108 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 733
    09:34:46.537990 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 269
    09:34:46.572270 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 269
    09:34:46.602943 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 269
    09:34:46.673617 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 325
    09:34:46.754555 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 113

Why are these packets being accepted as daddr matches?

Niko Kortström
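The counters in the post are the right debugging tool, and the useful reading of them is the difference between consecutive counters in one chain: a counter counts packets that reach its rule, so the drop from 835 to 0 across the `ip daddr 172.21.1.18 accept` line says that every packet the first counter saw left the chain at that rule. Whether the captured 10.0.0.1 packets are among those 835 is a separate question, since the forward hook only sees packets that have passed the routing decision. The script below is an added example (not from the post or the nftables project) that parses `nft list`-style chain text, embeds the posted ruleset as its sample input, and reports how many packets terminated between each pair of counters; chain and rule names come from the post, the parsing functions are my own.

```python
import re
from typing import Dict, List, Tuple

# The ruleset exactly as posted above. The jump target "ecpri-ip-filtering"
# is not shown in the post, so only the three listed chains are included.
RULESET = """\
chain forward {
    type filter hook forward priority filter - 1; policy drop;
    jump ecpri-ip-filtering
}
chain filtering-logging {
    counter packets 0 bytes 0 drop
}
chain ip-filtering {
    iifname "rfo*" counter packets 835 bytes 615040
    iifname "rfo*" ip daddr 172.21.1.18 accept
    iifname "rfo*" counter packets 0 bytes 0
    iifname "gre11E" accept
    iifname "rfo*" counter packets 0 bytes 0
    iifname "lo" accept
    iifname "rfo*" counter packets 0 bytes 0
    goto filtering-logging
}
"""

CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")
COUNTER_RE = re.compile(r"^(.*?)\bcounter packets (\d+) bytes (\d+)(.*)$")


def parse_chains(text: str) -> Dict[str, List[str]]:
    """Map chain name -> list of rule lines from `nft list ruleset`-style text.
    The chain header line (type/hook/priority/policy) is not a rule and is skipped."""
    chains: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line == "}":
            current = None
        elif current is not None and line and not line.startswith("type "):
            chains[current].append(line)
    return chains


def counter_deltas(rules: List[str]) -> List[Tuple[List[str], int, bool]]:
    """Walk one chain; for each counter that follows an earlier counter, report
    (rules between them, packets that stopped traversing the chain there,
    whether both counters carry the same match prefix).

    A counter counts packets that reach its rule, so the difference between two
    consecutive counters is the number of packets that hit a terminating verdict
    (accept/drop/goto) in the rules between them. That arithmetic only holds when
    both counters match the same traffic, which is what the flag records."""
    out: List[Tuple[List[str], int, bool]] = []
    prev_pkts = None
    prev_prefix = None
    between: List[str] = []
    for rule in rules:
        m = COUNTER_RE.match(rule)
        if not m:
            between.append(rule)
            continue
        prefix, pkts = m.group(1).strip(), int(m.group(2))
        if prev_pkts is not None:
            out.append((between, prev_pkts - pkts, prefix == prev_prefix))
        prev_pkts, prev_prefix, between = pkts, prefix, []
    return out


def entering_packets(rules: List[str]) -> int:
    """Packets seen by the first counter in the chain (0 if the chain has none)."""
    for rule in rules:
        m = COUNTER_RE.match(rule)
        if m:
            return int(m.group(2))
    return 0


if __name__ == "__main__":
    for name, rules in parse_chains(RULESET).items():
        print(f"chain {name}: {entering_packets(rules)} packets reached the first counter")
        for between, delta, comparable in counter_deltas(rules):
            note = "" if comparable else " (counters match different traffic)"
            print(f"  {delta} packets left the chain at: {' / '.join(between)}{note}")
```

Run against the posted ruleset it reports 835 packets leaving `ip-filtering` at the `ip daddr 172.21.1.18 accept` rule and 0 at every later verdict, and 0 packets ever reaching the `drop` in `filtering-logging`. To tell whether the captured packets are the ones being counted, the same counters can be read before and after sending a known number of test packets; if the first counter does not move, the packets are not reaching the forward hook at all.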