Re: nft not logging some layer 2 frames?

On 11.06.24 at 21:25, Pablo Neira Ayuso wrote:
> On Tue, May 28, 2024 at 03:01:31PM -0000, William N. wrote:
>> Following the example given here:
>>
>> https://www.freecodecamp.org/news/how-to-use-scapy-python-networking/
>>
>> I did sendp(frame) while watching 'journalctl -f'. It showed me:
>>
>> kernel: DEBUG: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:90:00
>>
>> Unless I am completely mistaken, this L2 frame was sent and logged.
> For the record:
>
>          ... log prefix "test: " flags ether
>
> shows:
>
>          test: IN=eth0 OUT= MACSRC=90:dd:b4:12:ea:f0 MACDST=ff:ff:ff:ff:ff:ff MACPROTO=8899

I tried the simple nft ruleset shared by William in a previous message:

table netdev xxx {
        chain ingress {
                type filter hook ingress device "eth-inet0" priority filter

                ether type arp counter accept
                ether type ip counter accept
                vlan type arp counter accept
                vlan type ip counter accept

                counter limit rate 1/second log prefix "TEST: " flags ether
        }
}

The "arp" and "ip" rules I've added are there to suppress logging of non-relevant traffic.

Here's what traffic I'm seeing with tcpdump:

09:20:13.204053 0c:c4:7a:xx:yy:zz > ff:ff:ff:ff:ff:ff, ethertype AoE (0x88a2), length 60: AoE length 46, Ver 1, Flags: [none]

09:20:14.746200 b8:83:03:xx:yy:zz > 01:00:0c:cc:cc:cd, 802.3, length 50: LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Cisco (0x00000c), pid PVST (0x010b), length 42: STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8008.b8:83:03:39:89:00.800c, length 42

09:20:15.161805 b8:83:03:xx:yy:zz > 01:80:c2:00:00:0e, ethertype LLDP (0x88cc), length 279: LLDP, length 265: rackswitch-1-r6-v8

None of this is logged by nft.

Logging in general works, because if I remove some of the preceding rules, e.g. "vlan type arp counter accept", then I'm seeing this:

Jun 26 09:25:15 coldspare1-us kernel: [2594462.618777] TEST: IN=eth-inet0 OUT= MACSRC=90:e2:ba:xx:yy:zz MACDST=ff:ff:ff:ff:ff:ff VPROTO=8100 VID=4 MACPROTO=0806 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=90:e2:ba:xx:yy:zz IPSRC=aa.bb.197.2 MACDST=ff:ff:ff:ff:ff:ff IPDST=aa.bb.197.201

Could you confirm if a specific kernel or nft version is required for this? Also, should certain Ethernet driver features or offloading settings be disabled to accommodate these logging rules?

My kernel is "5.10.0-29-amd64 #1 SMP Debian 5.10.216-1 (2024-05-03)", nft v0.9.8 and ixgbe Ethernet driver.
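Added here as a worked example, not code from this thread or from the nftables project: a small Python classifier that reproduces the distinction tcpdump draws in the capture above between Ethernet II frames (a real EtherType such as AoE 0x88a2 or LLDP 0x88cc), 802.3 frames (a length field followed by an LLC/SNAP header, as in the PVST/RSTP BPDU, which therefore carries no EtherType at all) and VLAN-tagged frames. It also reports which of the EtherType keywords the ruleset's accept rules name ("arp", "ip") a frame carries, if any. The four frames are constructed (placeholder MACs, IP addresses and payload bytes chosen to resemble the AoE, RSTP, LLDP and VLAN-tagged ARP frames shown above); the code does not model nftables' own matching logic, it only shows what each frame carries on the wire.

```python
"""Classify raw Ethernet frames the way tcpdump summarises them.

Added example (not from the mailing-list thread). Sample frames are constructed
with placeholder addresses and payloads to resemble the ones shown on the page.
"""
import struct
from typing import Optional

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_P_8021Q = 0x8100
ETH_P_8021AD = 0x88A8
MAX_8023_LENGTH = 1500  # IEEE 802.3: a type/length field <= 1500 is a length
SNAP_SAP = 0xAA

# EtherType keywords used by the accept rules in the ruleset on this page.
ACCEPT_KEYWORDS = {ETH_P_ARP: "arp", ETH_P_IP: "ip"}


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def classify_frame(frame: bytes) -> dict:
    """Return dst, src, optional VLAN tag, frame kind and EtherType or LLC/SNAP info."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": mac(frame[0:6]), "src": mac(frame[6:12]), "vlan": None}
    (tpid_or_type,) = struct.unpack_from("!H", frame, 12)
    off = 14
    if tpid_or_type in (ETH_P_8021Q, ETH_P_8021AD):
        # One 802.1Q/802.1ad tag: TPID (already read), TCI, then the inner type.
        tci, type_or_len = struct.unpack_from("!HH", frame, 14)
        info["vlan"] = {"tpid": tpid_or_type, "vid": tci & 0x0FFF}
        off = 18
    else:
        type_or_len = tpid_or_type
    if type_or_len > MAX_8023_LENGTH:
        info.update(kind="ethernet-ii", ethertype=type_or_len, llc=None)
    else:
        # 802.3: the field is a payload length and an LLC header follows.
        dsap, ssap, ctrl = frame[off], frame[off + 1], frame[off + 2]
        llc = {"dsap": dsap, "ssap": ssap, "ctrl": ctrl, "snap": None}
        if dsap == SNAP_SAP and ssap == SNAP_SAP:
            oui = int.from_bytes(frame[off + 3:off + 6], "big")
            (pid,) = struct.unpack_from("!H", frame, off + 6)
            llc["snap"] = {"oui": oui, "pid": pid}
        info.update(kind="802.3", ethertype=None, length=type_or_len, llc=llc)
    info["payload"] = frame[off:]
    return info


def accept_keyword(info: dict) -> Optional[str]:
    """Keyword form of the accept rule whose EtherType this frame carries, e.g.
    'vlan type arp' or 'ether type ip'; None when the frame has no EtherType
    (802.3/LLC) or carries one the accept rules do not name."""
    et = info["ethertype"]
    if et is None or et not in ACCEPT_KEYWORDS:
        return None
    prefix = "vlan type" if info["vlan"] else "ether type"
    return f"{prefix} {ACCEPT_KEYWORDS[et]}"


def eth(dst: bytes, src: bytes, type_or_len: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", type_or_len) + payload


# --- constructed sample frames (placeholder MACs, IPs and payload bytes) ---
BCAST = bytes.fromhex("ffffffffffff")
AOE = eth(BCAST, bytes.fromhex("0cc47a000001"), 0x88A2, b"\x10" + b"\x00" * 45)

_llc_snap = b"\xaa\xaa\x03" + b"\x00\x00\x0c" + b"\x01\x0b"  # SNAP, Cisco OUI, PID PVST
_bpdu = b"\x00\x00\x02\x02" + b"\x00" * 32                   # placeholder RSTP BPDU body
STP = eth(bytes.fromhex("01000ccccccd"), bytes.fromhex("b88303000001"),
          len(_llc_snap + _bpdu), _llc_snap + _bpdu)

_lldp = struct.pack("!H", (1 << 9) | 7) + b"\x04" + bytes.fromhex("b88303000001") + b"\x00\x00"
LLDP = eth(bytes.fromhex("0180c200000e"), bytes.fromhex("b88303000001"), 0x88CC, _lldp)

_src = bytes.fromhex("90e2ba000001")
_arp = (struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1) + _src + bytes([192, 0, 2, 2])
        + b"\x00" * 6 + bytes([192, 0, 2, 201]))
VLAN_ARP = BCAST + _src + struct.pack("!HHH", ETH_P_8021Q, 4, ETH_P_ARP) + _arp

SAMPLES = {"AoE": AOE, "PVST/RSTP": STP, "LLDP": LLDP, "VLAN ARP": VLAN_ARP}


def summarize(frame: bytes) -> str:
    """One-line summary: kind, EtherType or LLC/SNAP PID, VLAN, matching accept keyword."""
    i = classify_frame(frame)
    if i["kind"] == "ethernet-ii":
        what = f"ethertype 0x{i['ethertype']:04x}"
    else:
        snap = i["llc"]["snap"]
        what = f"802.3 length {i['length']}" + (f", SNAP pid 0x{snap['pid']:04x}" if snap else "")
    vlan = f", VID {i['vlan']['vid']}" if i["vlan"] else ""
    return f"{i['src']} > {i['dst']}: {what}{vlan}; accept rule: {accept_keyword(i)}"


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:10} {summarize(frame)}")
```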
