Re: Fwd: IP daddr filtering not working for non-routable address

On Wed, 1 Sep 2021 10:40:06 +0300
Niko Kortström <niko.kortstrom@xxxxxxxxx> wrote:

> Hi!

Hello.

> 
> We are testing following nftables rules (counters added for debugging purposes):
> 
> chain forward {
>     type filter hook forward priority filter - 1; policy drop;
>     jump ecpri-ip-filtering
> }
> chain filtering-logging {
>     counter packets 0 bytes 0 drop
> }
> chain ip-filtering {
>     iifname "rfo*" counter packets 835 bytes 615040
>     iifname "rfo*" ip daddr 172.21.1.18 accept
>     iifname "rfo*" counter packets 0 bytes 0
>     iifname "gre11E" accept
>     iifname "rfo*" counter packets 0 bytes 0
>     iifname "lo" accept
>     iifname "rfo*" counter packets 0 bytes 0
>     goto filtering-logging
> }
> 
> We are sending test packets from a neighbouring host to an IP address
> that cannot be routed on this host.
> # tcpdump -i rfoe4.295
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on rfoe4.295, link-type EN10MB (Ethernet), capture size 262144 bytes
> 09:34:42.657004 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 733
> 09:34:43.975378 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 325
> 09:34:44.046110 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 113
> 09:34:44.187158 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 106
> 09:34:44.428949 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 347
> 09:34:44.854991 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 130
> 09:34:45.284802 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 101
> 09:34:45.446108 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 733
> 09:34:46.537990 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 269
> 09:34:46.572270 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 269
> 09:34:46.602943 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 269
> 09:34:46.673617 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 325
> 09:34:46.754555 IP 172.22.48.18.54178 > 10.0.0.1.51000: UDP, length 113
> 
> Why are these packets being accepted as daddr matches?

You haven't shown any evidence that these packets are being accepted, whether it be by way of a daddr match or not. Further, the "ecpri-ip-filtering" and "filtering-logging" chains are missing from your ruleset excerpt, making it impossible for a third party to determine how the mentioned packets are being handled.

-- 
Kerin Millar
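As an added example (not part of the thread, and not anything either poster ran), the script below does mechanically what the reply above asks for by hand: it parses an `nft list ruleset`-style excerpt, checks that every `jump`/`goto` target is a chain that is actually defined, and walks the counters along the evaluation path to show where packets stop being counted. Run against the quoted excerpt it reports that `forward` jumps to `ecpri-ip-filtering`, which the excerpt never defines (nft itself refuses to load a rule whose jump target does not exist, so the live ruleset must differ from what was pasted), and that between the first `rfo*` counter (835 packets) and the next one (0 packets) the only terminating rule is `ip daddr 172.21.1.18 accept`. The `RULESET` text is a constructed copy of the excerpt; the parser only handles the `chain … { … }` layout shown there and ignores `table` wrappers. The inference in `absorbed` assumes the counter rules bracketing a verdict share the same match expression, as they do in the excerpt.

```python
"""Sanity-check an nftables ruleset excerpt (added example, constructed input).

- dangling_targets(): jump/goto verdicts whose target chain is not defined
- walk():             ordered rules a packet evaluates from a starting chain
- absorbed():         where packet counts fall between consecutive counters
"""
import re

# Constructed copy of the ruleset excerpt from the thread.
RULESET = """\
chain forward {
    type filter hook forward priority filter - 1; policy drop;
    jump ecpri-ip-filtering
}
chain filtering-logging {
    counter packets 0 bytes 0 drop
}
chain ip-filtering {
    iifname "rfo*" counter packets 835 bytes 615040
    iifname "rfo*" ip daddr 172.21.1.18 accept
    iifname "rfo*" counter packets 0 bytes 0
    iifname "gre11E" accept
    iifname "rfo*" counter packets 0 bytes 0
    iifname "lo" accept
    iifname "rfo*" counter packets 0 bytes 0
    goto filtering-logging
}
"""

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{\s*$")
COUNTER_RE = re.compile(r"counter packets (\d+) bytes (\d+)")
VERDICT_RE = re.compile(r"\b(jump|goto)\s+(\S+)")


def parse_chains(text):
    """Return {chain_name: [rule, ...]} from `nft list ruleset`-style text.

    The `type ... hook ...; policy ...;` header line of a base chain is not a
    rule and is skipped; `table` wrapper lines fall outside any chain."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(raw)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line == "}":
            current = None
        elif current is not None and line and not line.startswith("type "):
            chains[current].append(line)
    return chains


def dangling_targets(chains):
    """(chain, target) pairs where a jump/goto names an undefined chain."""
    missing = []
    for name, rules in chains.items():
        for rule in rules:
            for _verb, target in VERDICT_RE.findall(rule):
                if target not in chains:
                    missing.append((name, target))
    return missing


def walk(chains, start, depth=0):
    """Ordered (chain, rule) pairs evaluated from `start`.

    `jump` expands the target and continues afterwards; `goto` expands the
    target and stops. An undefined target is recorded as a pseudo-rule so the
    gap is visible in the path. The depth guard only protects against
    mutually recursive chains in malformed input."""
    if depth > 16:
        return [(start, "<jump depth exceeded>")]
    path = []
    for rule in chains.get(start, []):
        path.append((start, rule))
        v = VERDICT_RE.search(rule)
        if v:
            verb, target = v.groups()
            if target not in chains:
                path.append((start, f"<undefined chain {target}>"))
            else:
                path.extend(walk(chains, target, depth + 1))
            if verb == "goto":
                break
    return path


def absorbed(path):
    """For each drop in packet count between consecutive counter rules, return
    (packets_lost, [rules between the two counters]); those rules are the only
    ones that can have terminated the missing packets."""
    results, last, pending = [], None, []
    for chain, rule in path:
        c = COUNTER_RE.search(rule)
        if c is None:
            pending.append((chain, rule))
            continue
        n = int(c.group(1))
        if last is not None and n < last:
            results.append((last - n, pending))
        last, pending = n, []
    return results


if __name__ == "__main__":
    chains = parse_chains(RULESET)
    for chain, target in dangling_targets(chains):
        print(f"chain {chain!r} references undefined chain {target!r}")
    for lost, rules in absorbed(walk(chains, "ip-filtering")):
        print(f"{lost} packets terminated by one of: {rules}")
```

The usual reading of the output is that a counter which goes from N to 0 across a single verdict rule pins the verdict down exactly; once the excerpt is made consistent (the `forward` chain must jump to a chain that exists), the same walk starting at `forward` shows the full path the kernel evaluates.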
