On 11.06.24 at 21:25, Pablo Neira Ayuso wrote:
On Tue, May 28, 2024 at 03:01:31PM -0000, William N. wrote:
Following the example given here:
https://www.freecodecamp.org/news/how-to-use-scapy-python-networking/
I did sendp(frame) while watching 'journalctl -f'. It showed me:
kernel: DEBUG: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:90:00
Unless I am completely mistaken, this L2 frame was sent and logged.
For the record:
... log prefix "test: " flags ether
shows:
test: IN=eth0 OUT= MACSRC=90:dd:b4:12:ea:f0 MACDST=ff:ff:ff:ff:ff:ff MACPROTO=8899
I tried the simple nft ruleset shared by William in a previous message:
table netdev xxx {
        chain ingress {
                type filter hook ingress device "eth-inet0" priority filter
                ether type arp counter accept
                ether type ip counter accept
                vlan type arp counter accept
                vlan type ip counter accept
                counter limit rate 1/second log prefix "TEST: " flags ether
        }
}
The "arp" and "ip" rules I've added are there to suppress logging of
non-relevant traffic.
Here's what traffic I'm seeing with tcpdump:
09:20:13.204053 0c:c4:7a:xx:yy:zz > ff:ff:ff:ff:ff:ff, ethertype AoE (0x88a2), length 60: AoE length 46, Ver 1, Flags: [none]
09:20:14.746200 b8:83:03:xx:yy:zz > 01:00:0c:cc:cc:cd, 802.3, length 50: LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Cisco (0x00000c), pid PVST (0x010b), length 42: STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8008.b8:83:03:39:89:00.800c, length 42
09:20:15.161805 b8:83:03:xx:yy:zz > 01:80:c2:00:00:0e, ethertype LLDP (0x88cc), length 279: LLDP, length 265: rackswitch-1-r6-v8
None of this is logged by nft.
Logging in general works, because if I remove some of the preceding
rules, e.g. "vlan type arp counter accept", then I'm seeing this:
Jun 26 09:25:15 coldspare1-us kernel: [2594462.618777] TEST: IN=eth-inet0 OUT= MACSRC=90:e2:ba:xx:yy:zz MACDST=ff:ff:ff:ff:ff:ff VPROTO=8100 VID=4 MACPROTO=0806 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=90:e2:ba:xx:yy:zz IPSRC=aa.bb.197.2 MACDST=ff:ff:ff:ff:ff:ff IPDST=aa.bb.197.201
Could you confirm if a specific kernel or nft version is required for
this? Also, should certain Ethernet driver features or offloading
settings be disabled to accommodate these logging rules?
My kernel is "5.10.0-29-amd64 #1 SMP Debian 5.10.216-1 (2024-05-03)",
nft v0.9.8 and ixgbe Ethernet driver.
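The following is an added example, not code from this thread or from the nftables project. It models, in plain Python, what the netdev ingress ruleset quoted above says should happen to each kind of frame seen in the tcpdump excerpt: `ether type` is compared against the 2-byte field at offset 12 of the frame (which for an 802.3/LLC frame is a length, not an EtherType), `vlan type` against the EtherType inside an 802.1Q tag, and anything not accepted by those four rules reaches the `counter limit rate 1/second log` rule. The frames are constructed inline with placeholder MAC addresses and TEST-NET IPs standing in for the redacted ones; the rate limiter is a simplified token bucket and its burst of 5 is an assumed default. It shows what the rules express, not what the poster's kernel actually did, which is the open question in the thread.

```python
"""Model of the netdev ingress ruleset from the thread, applied to constructed frames."""
import struct

ETH_P_IP, ETH_P_ARP, ETH_P_8021Q = 0x0800, 0x0806, 0x8100
ETH_P_AOE, ETH_P_LLDP = 0x88A2, 0x88CC
ETH_HLEN = 14


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def parse_ether(frame):
    """Return (vlan_id, outer_type, inner_type).

    outer_type is the field at offset 12, what `ether type` compares; for an
    802.3 frame it is a length and never equals 0x0800/0x0806.  inner_type is
    what `vlan type` compares and exists only for 802.1Q-tagged frames.
    """
    if len(frame) < ETH_HLEN:
        raise ValueError("runt frame")
    outer = struct.unpack("!H", frame[12:14])[0]
    if outer != ETH_P_8021Q:
        return None, outer, None
    if len(frame) < ETH_HLEN + 4:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, outer, inner


class TokenBucket:
    """Simplified stand-in for `limit rate 1/second`; burst of 5 is an assumed default."""

    def __init__(self, rate=1.0, burst=5):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


# The four accept rules from the chain, in order, as predicates over parse_ether() output.
RULES = [
    ("ether type arp", lambda vid, outer, inner: outer == ETH_P_ARP),
    ("ether type ip", lambda vid, outer, inner: outer == ETH_P_IP),
    ("vlan type arp", lambda vid, outer, inner: outer == ETH_P_8021Q and inner == ETH_P_ARP),
    ("vlan type ip", lambda vid, outer, inner: outer == ETH_P_8021Q and inner == ETH_P_IP),
]


def run_chain(frame, bucket, now):
    """Name of the accept rule that terminates, 'log' if the log rule fires, or
    'policy accept' when the frame is over the rate limit and falls through unlogged."""
    vid, outer, inner = parse_ether(frame)
    for name, match in RULES:
        if match(vid, outer, inner):
            return name
    return "log" if bucket.allow(now) else "policy accept"


def classify(frames, t0=0.0):
    bucket = TokenBucket()
    return {name: run_chain(f, bucket, t0) for name, f in frames.items()}


def logs_for_burst(n, spacing):
    """How many of n AoE frames, sent `spacing` seconds apart, reach the log rule."""
    bucket = TokenBucket()
    return sum(run_chain(FRAMES["aoe"], bucket, i * spacing) == "log" for i in range(n))


def eth(dst, src, proto_or_len, payload):
    return mac(dst) + mac(src) + struct.pack("!H", proto_or_len) + payload


def pad(frame, n=60):
    return frame + b"\x00" * max(0, n - len(frame))


# Constructed frames mirroring the tcpdump/log excerpts; addresses are placeholders.
_SRC = "b8:83:03:00:00:01"
_ARP_REQ = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1) + mac("90:e2:ba:00:00:01") \
    + bytes([192, 0, 2, 2]) + mac("00:00:00:00:00:00") + bytes([192, 0, 2, 201])
_IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                    bytes([192, 0, 2, 2]), bytes([192, 0, 2, 201]))
FRAMES = {
    "aoe": pad(eth("ff:ff:ff:ff:ff:ff", "0c:c4:7a:00:00:01", ETH_P_AOE, b"\x10\x00" + b"\xff" * 8)),
    # 802.3 LLC/SNAP Cisco PVST: offset 12 holds the length 36, not an EtherType
    "pvst": eth("01:00:0c:cc:cc:cd", _SRC, 36, b"\xaa\xaa\x03\x00\x00\x0c\x01\x0b" + b"\x00" * 28),
    "lldp": eth("01:80:c2:00:00:0e", _SRC, ETH_P_LLDP, b"\x02\x07\x04" + mac(_SRC) + b"\x00\x00"),
    "vlan4_arp": eth("ff:ff:ff:ff:ff:ff", "90:e2:ba:00:00:01", ETH_P_8021Q,
                     struct.pack("!HH", 4, ETH_P_ARP) + _ARP_REQ),
    "ipv4": pad(eth("ff:ff:ff:ff:ff:ff", "90:e2:ba:00:00:01", ETH_P_IP, _IPV4)),
}

if __name__ == "__main__":
    for name, hit in classify(FRAMES).items():
        print(f"{name:10s} -> {hit}")
    print("10 AoE frames back-to-back, logged:", logs_for_burst(10, 0.0))
```

Under this model the AoE, LLC/SNAP PVST and LLDP frames all fall past the four accept rules and should reach the log rule, while the VLAN 4 ARP request is accepted by `vlan type arp` and never logged, which matches the log line that appears only once that rule is removed. The bucket also shows the one thing the rule itself can hide: after the burst is spent, `limit rate 1/second` lets frames through the chain without a log line at all, so a quiet log is not by itself proof that a frame never reached the rule.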