Hi!

Thanks a lot! With this nft tracing we can see that the packets are visible in prerouting but not in the forward chain, so they are dropped in routing before reaching it. So we can either move filtering to prerouting to count non-routable packets as well, or just let them silently fall off.

Niko Kortström

On Wed, Sep 1, 2021 at 6:13 PM Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
>
> On Wed, 1 Sep 2021 16:59:44 +0300
> Niko Kortström <niko.kortstrom@xxxxxxxxx> wrote:
>
> > Hi
> >
> > Sorry, we're making some changes and changing the names; on target
> > ip-filtering has been changed to ecpri-ip-filtering. We're wondering how
> > the filtered packets do not increase counters past the accept rule if they are
> > not accepted by it.
> >
> > # ip netns exec radions sysctl -a | grep '\.rp_filter'
> > net.ipv4.conf.all.rp_filter = 2
> > net.ipv4.conf.default.rp_filter = 0
> > net.ipv4.conf.rfoe4.rp_filter = 0
> > net.ipv4.conf.rfoe4/295.rp_filter = 0
> >
> > No martians seem to be logged by the kernel.
>
> For them to be logged requires that net.ipv4.conf.*.log_martians be set to a value of 1, where * is either "all" or the link name in question.
>
> Also, you could try adding something like this:-
>
> chain prerouting {
>         type filter hook prerouting priority raw; policy accept;
>         ip daddr 10.0.0.0/8 meta nftrace set 1
> }
>
> In the case that the packet is being processed by Netfilter, you may then determine how it traverses your ruleset by executing "nft monitor trace".
>
> --
> Kerin Millar
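An added example (not from either poster) of the approach discussed above: one nftables ruleset that counts the same traffic both before the routing decision (prerouting) and after it (forward), alongside the trace rule. The interface name "rfoe4" and the 10.0.0.0/8 prefix are taken from the thread as placeholders; the table and counter names are assumptions.

```nft
# Load with: nft -f ecpri-ip-filtering.nft
# Packets seen by pre_seen but not by fwd_seen never reached the forward
# hook: the routing step between the two hooks either dropped them (no
# route, rp_filter) or delivered them locally (input hook) instead.
# Routing drops are only logged by the kernel if log_martians=1 is set:
#   sysctl -w net.ipv4.conf.all.log_martians=1
table inet ecpri_ip_filtering {
        # Named counters so both values can be read with one command:
        #   nft list counters table inet ecpri_ip_filtering
        counter pre_seen { }
        counter fwd_seen { }

        chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                # Every matching packet that arrives on the link, routable or not
                iifname "rfoe4" ip daddr 10.0.0.0/8 counter name "pre_seen"
                # Emit trace events for these packets; view with: nft monitor trace
                iifname "rfoe4" ip daddr 10.0.0.0/8 meta nftrace set 1
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
                # Only packets that survived the routing decision get here
                iifname "rfoe4" ip daddr 10.0.0.0/8 counter name "fwd_seen" accept
        }
}
```

Comparing the two counters separates packets that nftables never filtered (dropped by routing) from packets that the forward rule actually accepted.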