Netfilter not dropping packets as it should

Dear experts,

this is a cross-posting, see https://unix.stackexchange.com/questions/789174/netfilter-not-dropping-packets-as-it-should. Since I didn't get an answer there for a couple of weeks, I am repeating the question here in the hope that the problem can easily be reproduced. For me this is a very important key point in understanding netfilter / nftables.

Please consider the ruleset that's at the end of this post. It doesn't make any sense, but it lets everybody reproduce the problem easily.

With this ruleset, all IPv4 packets that come in via enp0s3 are accepted in the ingress hook, but finally traverse a chain with a drop policy. Each of these chains does not contain any explicit rule besides the drop policy, and thus should behave as it would (only) contain an explicit drop verdict for all packets.

Hence, applications on that machine should not see any IPv4 packets that originate from other machines.

But they definitely do. For example, I have an SSH daemon running on that machine. The daemon listens on an IPv4 address only (in fact, I have disabled IPv6 on that machine completely by adding ipv6.disable=1 to the kernel command line). Even after I have loaded the ruleset below, I can connect to the SSH daemon via IPv4 from the outside without any issue.

Can somebody please explain why the rules below don't make the kernel drop all incoming IPv4 packets? Did I misunderstand the purpose of the drop policy?

Thank you very much in advance, and best regards,

Binarus

table netdev t_NETDEV_enp0s3 {
  chain enp0s3-ingress-filter {
    type filter hook ingress device "enp0s3" priority filter; policy drop;
    ether type 0x0806 arp ptype 0x0800 accept
    ether type 0x0800 accept
    log prefix "foo: " drop
  }
}

table ip t_IP {

  chain prerouting-nat {
    type nat hook prerouting priority dstnat; policy drop;
    log prefix "ip4-prerouting-nat:" drop;
  }
  chain prerouting-filter {
    type filter hook prerouting priority filter; policy drop;
    log prefix "ip4-prerouting-filter:" drop;
  }

  chain input-nat {
    type nat hook input priority dstnat; policy drop;
    log prefix "ip4-input-nat:" drop;
  }
  chain input-filter {
    type filter hook input priority filter; policy drop;
    log prefix "ip4-input-filter:" drop;
  }

  chain forward-filter {
    type filter hook forward priority filter; policy drop;
    log prefix "ip4-forward-filter:" drop;
  }

  chain output-nat {
    type nat hook output priority srcnat; policy drop;
    log prefix "ip4-output-nat:" drop;
  }
  chain output-filter {
    type filter hook output priority filter; policy drop;
    log prefix "ip4-output-filter:" drop;
  }
  chain output-route {
    type route hook output priority mangle; policy drop;
    log prefix "ip4-output-route:" drop;
  }

  chain postrouting-nat {
    type nat hook postrouting priority srcnat; policy drop;
    log prefix "ip4-postrouting-nat:" drop;
  }
  chain postrouting-filter {
    type filter hook postrouting priority filter; policy drop;
    log prefix "ip4-postrouting-filter:" drop;
  }
}
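As an added aid that is not part of the thread, the script below parses the base chains of the ruleset above (a compacted excerpt covering the chains an inbound IPv4 packet to a local socket meets) and lists them in the order the kernel's hook traversal nominally evaluates them: netdev ingress, then ip prerouting, then ip input, with ascending priority inside each hook. It models the documented hook order only, which is exactly what the observed SSH connection contradicts; the one-line chain layout and the priority table are my assumptions, not part of the original post.

```python
import re

# Excerpt of the posted ruleset, compacted to one chain header per line (assumption).
RULESET = """
table netdev t_NETDEV_enp0s3 {
  chain enp0s3-ingress-filter { type filter hook ingress device "enp0s3" priority filter; policy drop;
    ether type 0x0806 arp ptype 0x0800 accept; ether type 0x0800 accept; log prefix "foo: " drop; }
}
table ip t_IP {
  chain prerouting-nat { type nat hook prerouting priority dstnat; policy drop; log prefix "ip4-prerouting-nat:" drop; }
  chain prerouting-filter { type filter hook prerouting priority filter; policy drop; log prefix "ip4-prerouting-filter:" drop; }
  chain input-nat { type nat hook input priority dstnat; policy drop; log prefix "ip4-input-nat:" drop; }
  chain input-filter { type filter hook input priority filter; policy drop; log prefix "ip4-input-filter:" drop; }
}
"""

# Standard nftables priority names; lower values run first within a hook.
PRIORITY = {"raw": -300, "mangle": -150, "dstnat": -100, "filter": 0,
            "security": 50, "srcnat": 100}

CHAIN_RE = re.compile(
    r'chain\s+(?P<name>\S+)\s*\{\s*type\s+(?P<type>\w+)\s+hook\s+(?P<hook>\w+)'
    r'(?:\s+device\s+"[^"]*")?\s+priority\s+(?P<prio>-?\w+);\s*policy\s+(?P<policy>\w+);')

def parse_chains(text):
    """Return the base chains as dicts: family, name, type, hook, prio (int), policy."""
    chains, family = [], None
    for line in text.splitlines():
        m = re.match(r'\s*table\s+(\w+)\s+', line)
        if m:
            family = m.group(1)           # chains belong to the most recent table
        m = CHAIN_RE.search(line)
        if m and family:
            prio = m.group("prio")
            prio = int(prio) if re.fullmatch(r'-?\d+', prio) else PRIORITY[prio]
            chains.append({"family": family, "name": m.group("name"), "type": m.group("type"),
                           "hook": m.group("hook"), "prio": prio, "policy": m.group("policy")})
    return chains

# Hooks an IPv4 packet addressed to a local socket passes, in kernel order.
LOCAL_INPUT_PATH = [("netdev", "ingress"), ("ip", "prerouting"), ("ip", "input")]

def traversal(chains, path=LOCAL_INPUT_PATH):
    """Chains in evaluation order: hook order first, ascending priority inside a hook.
    Note: type nat chains are only consulted for the first packet of a connection."""
    out = []
    for family, hook in path:
        hit = [c for c in chains if c["family"] == family and c["hook"] == hook]
        out.extend(sorted(hit, key=lambda c: c["prio"]))
    return out

if __name__ == "__main__":
    for c in traversal(parse_chains(RULESET)):
        print(f'{c["family"]:6} {c["hook"]:10} prio {c["prio"]:5} {c["type"]:6} policy {c["policy"]:5} {c["name"]}')
```

Every chain after the ingress accept has policy drop and a terminal drop rule, so the listing shows why the first ip prerouting chain is where every accepted IPv4 packet is expected to disappear.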