On Wed, 1 Sep 2021 10:40:06 +0300 Niko Kortström <niko.kortstrom@xxxxxxxxx> wrote:

> Hi!

Hello.

> 
> We are testing the following nftables rules (counters added for debugging purposes):
> 
> chain forward {
>     type filter hook forward priority filter - 1; policy drop;
>     jump ecpri-ip-filtering
> }
> chain filtering-logging {
>     counter packets 0 bytes 0 drop
> }
> chain ip-filtering {
>     iifname "rfo*" counter packets 835 bytes 615040
>     iifname "rfo*" ip daddr 172.21.1.18 accept
>     iifname "rfo*" counter packets 0 bytes 0
>     iifname "gre11E" accept
>     iifname "rfo*" counter packets 0 bytes 0
>     iifname "lo" accept
>     iifname "rfo*" counter packets 0 bytes 0
>     goto filtering-logging
> }
> 
> We are sending test packets from a neighbouring host to an IP address
> that cannot be routed on this host.
> 
> # tcpdump -i rfoe4.295
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on rfoe4.295, link-type EN10MB (Ethernet), capture size 262144 bytes
> 09:34:42.657004 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 733
> 09:34:43.975378 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 325
> 09:34:44.046110 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 113
> 09:34:44.187158 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 106
> 09:34:44.428949 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 347
> 09:34:44.854991 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 130
> 09:34:45.284802 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 101
> 09:34:45.446108 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 733
> 09:34:46.537990 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 269
> 09:34:46.572270 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 269
> 09:34:46.602943 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 269
> 09:34:46.673617 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 325
> 09:34:46.754555 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 113
> 
> Why are these packets being accepted as daddr matches?
You haven't shown any evidence that these packets are being accepted, whether it be by way of a daddr match or not. Further, the "ecpri-ip-filtering" and "filtering-logging" chains are missing from your ruleset excerpt, making it impossible for a third party to determine how the mentioned packets are being handled.

-- 
Kerin Millar
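The excerpt leaves two things unanswerable: the forward chain jumps to "ecpri-ip-filtering" while the chain shown is "ip-filtering", and the bare counters sit between rules rather than on the accept and drop verdicts themselves, so they cannot say which rule consumed a packet. The capture does not settle it either: tcpdump on the ingress interface taps frames before the forward hook runs, so a packet that is later dropped still appears in that output. Below is an added example ruleset, not code from either poster, with one consistent chain name, a counter on every verdict, and a log statement on the final drop so the kernel log records what reached it. The table name and family are illustrative assumptions; the interface names and address are the ones from the thread.

```nft
# Added example, not from the thread. Table name and the "inet" family are
# assumed; the chain logic mirrors the poster's excerpt with the jump target
# fixed to match the chain that actually exists.
table inet fwd_filter {
    chain forward {
        type filter hook forward priority filter - 1; policy drop;
        # Same name as the chain defined below; the excerpt jumped to a
        # chain that was not shown.
        jump ip-filtering
    }

    chain filtering-logging {
        # Anything reaching this chain matched no accept rule above.
        # Logging before the drop makes the verdict visible in the kernel log.
        log prefix "fwd-dropped: " counter drop
    }

    chain ip-filtering {
        # Counters placed on the verdict rules themselves, so a non-zero
        # count here means "accepted by this rule", not merely "seen".
        iifname "rfo*" ip daddr 172.21.1.18 counter accept
        iifname "gre11E" counter accept
        iifname "lo" counter accept
        # goto (not jump): the caller's remaining rules are never evaluated,
        # and the drop in filtering-logging is the final verdict.
        goto filtering-logging
    }
}
```

Load it with `nft -f`, replay the test traffic, and read back `nft list ruleset`: a packet to 10.0.0.1 from an "rfo*" interface should increment only the counter in filtering-logging and emit a `fwd-dropped:` line in the kernel log (`journalctl -k` or `dmesg`), while the accept counter on the 172.21.1.18 rule stays at zero. For a per-packet walk through the chains, adding `meta nftrace set 1` as the first rule of the forward chain and running `nft monitor trace` shows every rule a packet hits and the verdict it ends with.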