On Wed, 1 Sep 2021 16:59:44 +0300 Niko Kortström <niko.kortstrom@xxxxxxxxx> wrote:

> Hi
>
> Sorry, we're making some changes and changing the names; on the target,
> ip-filtering has been changed to ecpri-ip-filtering. We're wondering how
> the packets being filtered do not increase counters past the accept rule
> if they are not accepted by it.
>
> # ip netns exec radions sysctl -a | grep '\.rp_filter'
> net.ipv4.conf.all.rp_filter = 2
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.rfoe4.rp_filter = 0
> net.ipv4.conf.rfoe4/295.rp_filter = 0
>
> No martians seem to be logged by the kernel.

For them to be logged requires that net.ipv4.conf.*.log_martians be set to a value of 1, where * is either "all" or the link name in question.

Also, you could try adding something like this:-

chain prerouting {
	type filter hook prerouting priority raw; policy accept;
	ip daddr 10.0.0.0/8 meta nftrace set 1
}

In the case that the packet is being processed by Netfilter, you may then determine how it traverses your ruleset by executing "nft monitor trace".

-- 
Kerin Millar
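As an added example (not part of the thread), a small diagnostic that parses the sysctl output quoted above and reports, per interface, the effective reverse-path filter mode and whether martians would be logged. It assumes the kernel's documented semantics: rp_filter takes the maximum of the "all" and per-interface values, log_martians is on if either is set. The sample input is constructed from the values in the thread plus assumed log_martians lines.

```python
import re

# Constructed sample of `sysctl -a` output: rp_filter values as quoted in the
# thread, log_martians lines assumed (all 0) to reproduce the "no martians
# logged" situation.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.rfoe4.rp_filter = 0
net.ipv4.conf.rfoe4/295.rp_filter = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.rfoe4.log_martians = 0
net.ipv4.conf.rfoe4/295.log_martians = 0
"""

# Interface names may contain '/', which sysctl uses in place of '.' (e.g. VLAN sub-interfaces).
LINE_RE = re.compile(
    r"^net\.ipv4\.conf\.(?P<iface>.+?)\.(?P<key>rp_filter|log_martians)\s*=\s*(?P<val>\d+)$")

RP_MODES = {0: "off", 1: "strict", 2: "loose"}

def parse_sysctl(text):
    """Return {iface: {key: int}} for the rp_filter / log_martians keys only."""
    conf = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conf.setdefault(m["iface"], {})[m["key"]] = int(m["val"])
    return conf

def effective_settings(conf):
    """Effective mode and logging per real interface (skips 'all' and 'default').
    rp_filter: max(all, iface).  log_martians: all OR iface."""
    all_rp = conf.get("all", {}).get("rp_filter", 0)
    all_log = conf.get("all", {}).get("log_martians", 0)
    out = {}
    for iface, keys in conf.items():
        if iface in ("all", "default"):
            continue
        rp = max(all_rp, keys.get("rp_filter", 0))
        log = bool(all_log or keys.get("log_martians", 0))
        out[iface] = {"rp_filter": RP_MODES[rp], "log_martians": log}
    return out

def diagnose(text):
    """Interfaces where rp_filter is active but drops would be silent (no logging)."""
    return sorted(i for i, s in effective_settings(parse_sysctl(text)).items()
                  if s["rp_filter"] != "off" and not s["log_martians"])

if __name__ == "__main__":
    for iface, s in effective_settings(parse_sysctl(SAMPLE_SYSCTL)).items():
        print(f"{iface}: rp_filter={s['rp_filter']} log_martians={s['log_martians']}")
    print("silent rp_filter drops possible on:", diagnose(SAMPLE_SYSCTL))
```

With the thread's values, both rfoe4 interfaces end up in loose mode via the "all" setting, so a source address reachable by no route at all would be dropped without any log line until log_martians is enabled.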