Nftables matches IGMP packets as non-IP traffic

Hi there,

I hit an interesting behaviour of the nftables filter.

The rule:
ether type != { ip,ip6,arp } log drop;

is matching IGMP messages. Why?

Oct 7 20:58:34 srv01 kernel: [21461564.156507] IN=ens256 OUT= MAC= SRC=192.168.1.10 DST=224.1.5.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2

The chain is type filter hook prerouting priority -450; interface ens256 is the outgoing interface for that machine (the IGMP message is generated locally, it's a membership report).

Is it a bug or am I missing something?



Thanks,
Blazej


