[Bug 1468] [log] reports dropping ICMPv6 type 134 for blocked ether type vlan frames

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sat Sep 26 11:09:25 CEST 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1468

--- Comment #1 from vtolkm at gmail.com ---
Weird; this seems to be more of an issue with the logging facility, since the
packet still arrives at the inet family for processing, which should not happen
if it had been dropped in netdev according to the config below:

[Sat Sep 26 08:48:48 2020] nd et DROP: IN=eth2 OUT= MACSRC=78:ba:f9:73:f5:74
MACDST=33:33:00:00:00:01 MACPROTO=86dd
SRC=fe80:0000:0000:0000:7aba:f9ff:fe73:f574
DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=224 HOPLIMIT=255
FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0
[Sat Sep 26 08:48:49 2020] icmp6 ra: IN=eth2 OUT= MACSRC=78:ba:f9:73:f5:74
MACDST=33:33:00:00:00:01 MACPROTO=86dd
SRC=fe80:0000:0000:0000:7aba:f9ff:fe73:f574
DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=224 HOPLIMIT=255
FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0

____

# netdev-family table: each base chain below attaches to the ingress hook of one device.
table netdev filter {
        # Constant set of EtherTypes to block; vlan is the only element.
        # "counter" keeps a per-element packet/byte counter.
        set et {
                typeof ether type
                flags constant
                counter
                elements = { vlan }
        }
        # Base chain on the ingress hook of eth2, priority -500, policy accept.
        # goto does not return to this chain: if no rule in "input" issues a
        # verdict, this chain's policy (accept) decides.
        # The "policy accept;" split over two lines was presumably wrapped by the
        # mail client and belongs on one line.
        chain eth_in {
                type filter hook ingress device "eth2" priority -500; policy
accept;
                goto input
        }
        # Same as eth_in, for the pppoe-wan device.
        chain pppoe_in {
                type filter hook ingress device "pppoe-wan" priority -500;
policy accept;
                goto input
        }
        # Regular chain (no hook) shared by both ingress chains.
        chain input {
                # Log with prefix "nd et DROP: ", then drop, any frame whose EtherType is in @et.
                # NOTE(review): the "nd et DROP: " line in the report shows MACPROTO=86dd
                # (IPv6), not a VLAN EtherType, and the same RA is then logged by the inet
                # table. Tracing (meta nftrace set 1, then nft monitor trace) would show the
                # verdict each hook applied; confirm before relying on this rule as a drop.
                ether type @et log prefix "nd et DROP: " flags all drop
        }
}
# inet-family table (IPv4 and IPv6) filtering locally destined traffic.
table inet filter {
        # Constant set of the interface names treated as WAN-facing.
        set if_wan {
                type ifname
                flags constant
                elements = { "eth2",
                             "pppoe-wan" }
        }
        # Base chain on the input hook with policy drop: a packet that no rule
        # accepts is dropped. As shown, only packets arriving on an @if_wan
        # interface reach a rule at all (the posted ruleset may be an excerpt).
        chain input {
                type filter hook input priority filter; policy drop;
                iifname @if_wan jump wan_in
        }
        chain wan_in {
                # Accept and log ("icmp6 ra: ") Router Advertisements only when the hop
                # limit is 255, the source is in fe80::/10 and the destination is ff02::1.
                # Hop limit 255 means no router forwarded the packet, i.e. it was sent on-link.
                # Anything else returns to "input" and falls to its drop policy.
                # The rule is wrapped over two lines, presumably by the mail client.
                icmpv6 type nd-router-advert ip6 hoplimit 255 ip6 saddr
fe80::/10 ip6 daddr ff02::1 log prefix "icmp6 ra: " flags all accept
        }
}
