Hi,
I've been trying the netdev table for ingress filtering, which seems
to be working fine. However, I'm encountering an issue with logging.
Here's the relevant configuration snippet:
table netdev filter {
	chain eth2_input {
		type filter hook ingress device "eth2" priority filter; policy accept;
		vlan id 99 vlan type ip counter packets 68304372 bytes 28196182850 accept
		vlan id 99 vlan type arp counter packets 756970 bytes 35442808 accept
		vlan id 99 counter packets 441 bytes 49415 log accept
	}
}
As seen, the counters are updating, but logging does not seem to occur
for certain Layer 2 frames - in this case UDLD:
18:00:55.426295 f4:4e:05:ab:cd:ef > 01:00:0c:cc:cc:cc, 802.3, length 115: LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Cisco (0x00000c), pid UDLD (0x0111), length 107: UDLDv1, Code Probe message (1), Flags [RT] (0x01), length 107
From a brief review of the source code, it appears that nftables might
only log frames of certain known types, such as ipv4, ipv6 and arp.
Could you confirm if this is the case, or if there's documentation or a
configuration tweak I might have missed that could resolve this logging
issue?
Best regards,
Teodor Milkov
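Added example, not part of the message above and not netfilter project code: the gap described in the post (a counter that keeps climbing while nothing reaches the kernel log) is exactly the kind of blind spot that is easy to miss in a monitoring setup, so a small reconciliation check is worth having. The script below takes two snapshots of the chain listing, computes how many packets hit the "log" rule in between, counts the kernel log entries carrying that rule's prefix, and breaks the logged entries down by EtherType taken from the MAC= field. It assumes the log rule was given a prefix ("eth2-vlan99: ", an assumption; the rule in the post has none) and uses constructed chain listings and kernel log lines rather than real output.

```python
import re

# Matches the counter of a rule whose verdict chain continues with "log".
RULE_RE = re.compile(r"counter packets (\d+) bytes (\d+) log\b")
# The MAC= field of an nf_log line is dst(6) + src(6) + EtherType(2), 14 octets.
MAC_RE = re.compile(r"\bMAC=((?:[0-9a-f]{2}:){13}[0-9a-f]{2})")

# Constructed 'nft list chain netdev filter eth2_input' snapshots (not real output).
SNAPSHOT_BEFORE = """table netdev filter {
	chain eth2_input {
		type filter hook ingress device "eth2" priority filter; policy accept;
		vlan id 99 vlan type ip counter packets 68304372 bytes 28196182850 accept
		vlan id 99 vlan type arp counter packets 756970 bytes 35442808 accept
		vlan id 99 counter packets 441 bytes 49415 log prefix "eth2-vlan99: " accept
	}
}
"""
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("packets 441 bytes 49415", "packets 451 bytes 50545")

# Constructed kernel log lines: only two IPv6 frames produced entries,
# the eight remaining rule hits (e.g. LLC/SNAP frames) left no trace.
KERNEL_LOG = [
    "[ 1234.567890] eth2-vlan99: IN=eth2 OUT= MAC=33:33:00:00:00:01:f4:4e:05:ab:cd:ef:86:dd SRC=fe80::1 DST=ff02::1 LEN=64",
    "[ 1234.901234] eth2-vlan99: IN=eth2 OUT= MAC=33:33:00:00:00:01:f4:4e:05:ab:cd:ef:86:dd SRC=fe80::1 DST=ff02::1 LEN=64",
    "[ 1235.000001] unrelated kernel message that must be ignored",
]


def log_rule_packets(chain_listing: str) -> int:
    """Return the packet counter of the first rule that counts and then logs."""
    for line in chain_listing.splitlines():
        m = RULE_RE.search(line)
        if m:
            return int(m.group(1))
    raise ValueError("no 'counter ... log' rule found in listing")


def logged_ethertypes(log_lines, prefix: str) -> dict:
    """Count log entries carrying `prefix`, keyed by the EtherType in the MAC= field."""
    counts: dict = {}
    for line in log_lines:
        if prefix not in line:
            continue
        etype = "unknown"
        m = MAC_RE.search(line)
        if m:
            octets = m.group(1).split(":")
            etype = "0x" + octets[12] + octets[13]
        counts[etype] = counts.get(etype, 0) + 1
    return counts


def reconcile(before: str, after: str, log_lines, prefix: str) -> dict:
    """Compare rule hits between two snapshots with the log entries actually emitted."""
    hits = log_rule_packets(after) - log_rule_packets(before)
    by_type = logged_ethertypes(log_lines, prefix)
    logged = sum(by_type.values())
    return {
        "rule_hits": hits,
        "logged": logged,
        "unlogged": hits - logged,   # > 0 means frames matched but were never logged
        "by_ethertype": by_type,
    }


if __name__ == "__main__":
    report = reconcile(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, KERNEL_LOG, "eth2-vlan99: ")
    print(report)
    if report["unlogged"] > 0:
        print(f"WARNING: {report['unlogged']} frames hit the log rule without a log entry")
```

On a live host the two listings come from "nft list chain netdev filter eth2_input" taken some time apart and the log lines from the kernel ring buffer or the syslog file the nf_log output lands in; a persistently positive "unlogged" figure means the log rule is not a reliable record of what the chain saw, which matters if those entries feed an alerting pipeline.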