Hi

Sorry on we're making some changes and changing the names, on target
ip-filtering has been changed to ecpri-ip-filtering. We're wondering how do the
packets filtered not increase counters past the accept rule if they are not
accepted by it.

# ip netns exec radions sysctl -a | grep '\.rp_filter'.
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.rfoe4.rp_filter = 0
net.ipv4.conf.rfoe4/295.rp_filter = 0

No martians seem to be logged by the kernel.

Niko Kortström

On Wed, Sep 1, 2021 at 2:24 PM Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
>
> On Wed, 1 Sep 2021 13:54:51 +0300
> Niko Kortström <niko.kortstrom@xxxxxxxxx> wrote:
>
> > Hi
> >
> > Sorry on we're making some changes and changing the names, on target
> > ip-filtering has been changed to ecpri-ip-filtering. How do the packets
> > filtered not increase counters past the accept rule if they are not
> > accepted by it?
>
> One possibility is that the packet is being considered as a martian as a consequence of reverse path filtering (RFC 3704). In that case, the packet would not be processed by Netfilter at all. You can check the status of the filter(s) by running sysctl -a | grep '\.rp_filter'.
>
> --
> Kerin Millar
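
The rp_filter check discussed in this thread, as an added example that is not part of the original messages: for source validation the kernel uses the higher of conf.all.rp_filter and the per-interface value, so the script below computes the effective mode per interface from `sysctl -a` style lines. The function names and the sample_output helper are assumptions made for this example; the sample lines are the four values posted above.

```shell
#!/bin/sh
# Added example: effective rp_filter per interface from `sysctl -a` style
# lines on stdin. The kernel applies max(conf.all, conf.<iface>) when it
# validates the source address of a packet received on <iface>.
# 0 = off, 1 = strict (RFC 3704 strict mode), 2 = loose.

effective_rp_filter() {
    awk -F' *= *' '
        # Match only rp_filter keys (the leading dot excludes arp_filter).
        /^net\.ipv4\.conf\..*\.rp_filter *=/ {
            name = $1
            sub(/^net\.ipv4\.conf\./, "", name)
            sub(/\.rp_filter$/, "", name)
            val[name] = $2 + 0
            if (!(name in seen)) { order[++n] = name; seen[name] = 1 }
        }
        END {
            all = ("all" in val) ? val["all"] : 0
            mode[0] = "off"; mode[1] = "strict"; mode[2] = "loose"
            for (i = 1; i <= n; i++) {
                name = order[i]
                # "all" and "default" are not real interfaces.
                if (name == "all" || name == "default") continue
                eff = (val[name] > all) ? val[name] : all
                printf "%s configured=%d effective=%d (%s)\n", \
                    name, val[name], eff, mode[eff]
            }
        }'
}

# Sample input: the values posted in the thread (VLAN interface names
# appear with "/" in place of "." in sysctl keys).
sample_output() {
    cat <<'EOF'
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.rfoe4.rp_filter = 0
net.ipv4.conf.rfoe4/295.rp_filter = 0
EOF
}

# On a live system: ip netns exec <netns> sysctl -a | effective_rp_filter
sample_output | effective_rp_filter
```

Martian packets are written to the kernel log only when log_martians is enabled in conf.all or on the receiving interface, so that setting is worth checking alongside rp_filter.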