bugzilla-daemon at netfilter.org
2020-Sep-23 12:36 UTC
[Bug 1468] New: [netdev] dropping ether type vlan frames drops ICMPv6 type 134
https://bugzilla.netfilter.org/show_bug.cgi?id=1468
Bug ID: 1468
Summary: [netdev] dropping ether type vlan frames drops ICMPv6 type 134
Product: nftables
Version: unspecified
Hardware: other
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: vtolkm at gmail.com
kernel 5.9.0-rc6 armv7l | nft 0.9.6
___
table netdev filter {
	set et {
		typeof ether type
		flags constant
		counter
		elements = { vlan }
	}
	chain input {
		type filter hook ingress device "eth2" priority -500; policy accept;
		ether type @et log prefix "nd et DROP" flags all drop
	}
}
The ISP is multicasting ICMPv6 type 134 on the subscriber line; however, filtering vlan frames is dropping ICMPv6 type 134. The counter increases and the log exhibits:
nd et DROPIN=eth2 OUT= MACSRC=78:ba:f9:73:f5:74 MACDST=33:33:00:00:00:01
MACPROTO=86dd SRC=fe80:0000:0000:0000:7aba:f9ff:fe73:f574
DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=224 HOPLIMIT=255
FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200923/b7b24f82/attachment.html>
bugzilla-daemon at netfilter.org
2020-Sep-23 12:37 UTC
[Bug 1468] [netdev] dropping ether type vlan frames drops ICMPv6 type 134
https://bugzilla.netfilter.org/show_bug.cgi?id=1468
vtolkm at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Hardware|other |arm
bugzilla-daemon at netfilter.org
2020-Sep-26 08:56 UTC
[Bug 1468] [log] reports dropping ICMPv6 type 134 for blocked ether type vlan frames
https://bugzilla.netfilter.org/show_bug.cgi?id=1468
vtolkm at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|[netdev] dropping ether type vlan frames drops ICMPv6 type 134 |[log] reports dropping ICMPv6 type 134 for blocked ether type vlan frames
bugzilla-daemon at netfilter.org
2020-Sep-26 09:09 UTC
[Bug 1468] [log] reports dropping ICMPv6 type 134 for blocked ether type vlan frames
https://bugzilla.netfilter.org/show_bug.cgi?id=1468
--- Comment #1 from vtolkm at gmail.com ---
Weird; it seems more of an issue with the logging facility instead, since the packet arrives at the inet family for processing, which it should not if it was dropped in netdev, according to the config below:
[Sat Sep 26 08:48:48 2020] nd et DROP: IN=eth2 OUT= MACSRC=78:ba:f9:73:f5:74
MACDST=33:33:00:00:00:01 MACPROTO=86dd
SRC=fe80:0000:0000:0000:7aba:f9ff:fe73:f574
DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=224 HOPLIMIT=255
FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0
[Sat Sep 26 08:48:49 2020] icmp6 ra: IN=eth2 OUT= MACSRC=78:ba:f9:73:f5:74
MACDST=33:33:00:00:00:01 MACPROTO=86dd
SRC=fe80:0000:0000:0000:7aba:f9ff:fe73:f574
DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=224 HOPLIMIT=255
FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0
____
table netdev filter {
	set et {
		typeof ether type
		flags constant
		counter
		elements = { vlan }
	}
	chain eth_in {
		type filter hook ingress device "eth2" priority -500; policy accept;
		goto input
	}
	chain pppoe_in {
		type filter hook ingress device "pppoe-wan" priority -500; policy accept;
		goto input
	}
	chain input {
		ether type @et log prefix "nd et DROP: " flags all drop
	}
}
table inet filter {
	set if_wan {
		type ifname
		flags constant
		elements = { "eth2", "pppoe-wan" }
	}
	chain input {
		type filter hook input priority filter; policy drop;
		iifname @if_wan jump wan_in
	}
	chain wan_in {
		icmpv6 type nd-router-advert ip6 hoplimit 255 ip6 saddr fe80::/10 ip6 daddr ff02::1 log prefix "icmp6 ra: " flags all accept
	}
}
bugzilla-daemon at netfilter.org
2020-Sep-26 09:59 UTC
[Bug 1468] [log] reports dropping other frames than specified blocked ether type vlan frames
https://bugzilla.netfilter.org/show_bug.cgi?id=1468
vtolkm at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|[log] reports dropping ICMPv6 type 134 for blocked ether type vlan frames |[log] reports dropping other frames than specified blocked ether type vlan frames
bugzilla-daemon at netfilter.org
2020-Sep-26 10:09 UTC
[Bug 1468] [log] reports dropping other frames than specified blocked ether type vlan frames
https://bugzilla.netfilter.org/show_bug.cgi?id=1468
--- Comment #2 from vtolkm at gmail.com ---
Something curious is going on there; now with a netdev conf changed to:
ether type 0x8005 log flags all prefix "nd et 805 DROP: " drop;
ether type 0x0806 log flags all prefix "nd et arp DROP: " drop;
ether type 0x8068 log flags all prefix "nd et 068 DROP: " drop;
ether type 0x8100 log flags all prefix "nd et vlan DROP: " drop;
ether type 0x880C log flags all prefix "nd et 80C DROP: " drop;
ether type 0x8847 log flags all prefix "nd et 847 DROP: " drop;
ether type 0x8848 log flags all prefix "nd et 848 DROP: " drop;
ether type 0x9000 log flags all prefix "nd et 000 DROP: " drop;
the log even prints:
[Sat Sep 26 09:54:48 2020] nd et vlan DROP: IN=eth2 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=78:ba:f9:73:f5:74 IPSRC=10.238.192.1 MACDST=00:00:00:00:00:00 IPDST=10.238.249.167
____
This is a bit unsettling, not knowing whether the log prints erroneously or the netdev filter is firing wrong.
bugzilla-daemon at netfilter.org
2020-Oct-07 20:52 UTC
[Bug 1468] [log] reports dropping other frames than specified blocked ether type vlan frames
https://bugzilla.netfilter.org/show_bug.cgi?id=1468
vtolkm at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WORKSFORME
Status|NEW |RESOLVED
--- Comment #3 from vtolkm at gmail.com ---
Closing since it works as can be expected.
After a frame dump it became obvious that those frames are indeed 802.1Q frames and the log is reporting the header portion trailing the 802.1Q tag...
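The resolution above comes down to which ethertype is being looked at: the netdev rule `ether type vlan` matches the outermost ethertype (0x8100), while `log flags all` decodes and prints the header that follows the 802.1Q tag, so a tagged router advertisement is logged as ICMPv6 type 134 and a tagged ARP request as ARP. The following parser, an added example that is not part of the bug report or of nftables, peels 802.1Q/802.1ad tags off a raw frame and reports both views side by side. The MAC and IP addresses are taken from the log lines in the thread; the frames themselves are constructed by hand, and the VLAN ID 10 is an assumption.

```python
"""Peel 802.1Q tags off an Ethernet frame and report the outer ethertype
(what an nft 'ether type' rule on a netdev ingress hook matches) next to the
inner header (what 'log flags all' printed in bug 1468).

Added example, not code from nftables or from the bug report. All frames
below are constructed by hand; VLAN ID 10 is an assumption.
"""
import ipaddress
import struct
from typing import Optional

ETH_P_8021Q = 0x8100    # 'ether type vlan' in nft
ETH_P_8021AD = 0x88A8   # QinQ outer tag
ETH_P_IPV6 = 0x86DD
ETH_P_ARP = 0x0806
IPPROTO_ICMPV6 = 58


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def eth_header(dst: str, src: str, ethertype: int, vlan: Optional[int] = None) -> bytes:
    """dst, src, optional 802.1Q tag (TPID 0x8100 + TCI), then the payload ethertype."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype)


def icmpv6_packet(icmp_type: int, hoplimit: int = 255) -> bytes:
    """Minimal IPv6 header + ICMPv6 message with an RA-sized body (checksum left 0)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + bytes(12)
    src = ipaddress.IPv6Address("fe80::7aba:f9ff:fe73:f574").packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, hoplimit)
    return ip6 + src + dst + icmp


def arp_request(sha: str, spa: str, tpa: str) -> bytes:
    """Ethernet/IPv4 ARP request; target hardware address is all zeros."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac_bytes(sha)
            + ipaddress.IPv4Address(spa).packed + bytes(6)
            + ipaddress.IPv4Address(tpa).packed)


def describe_payload(ethertype: int, payload: bytes) -> str:
    """Roughly the part of an nft log line that follows MACPROTO=."""
    if ethertype == ETH_P_IPV6 and len(payload) >= 40:
        nexthdr, hoplimit = payload[6], payload[7]
        if nexthdr == IPPROTO_ICMPV6 and len(payload) >= 41:
            return f"ICMPv6 type={payload[40]} hoplimit={hoplimit}"
        return f"IPv6 nexthdr={nexthdr}"
    if ethertype == ETH_P_ARP and len(payload) >= 8:
        htype, ptype, _, _, opcode = struct.unpack("!HHBBH", payload[:8])
        return f"ARP htype={htype} ptype=0x{ptype:04x} opcode={opcode}"
    return f"ethertype 0x{ethertype:04x}"


def parse_frame(frame: bytes) -> dict:
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    outer, offset, vlans = ethertype, 14, []
    # Peel every stacked tag; each TCI is followed by the next ethertype.
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlans.append(tci & 0x0FFF)
        offset += 4
    return {
        "macsrc": mac_str(src), "macdst": mac_str(dst),
        "outer_ethertype": outer, "vlans": vlans,
        "inner_ethertype": ethertype,
        "payload": describe_payload(ethertype, frame[offset:]),
    }


def matches_ether_type_vlan(frame: bytes) -> bool:
    """The decision the netdev rule 'ether type vlan ... drop' makes: only the
    outermost ethertype is consulted, whatever the tag encapsulates."""
    return parse_frame(frame)["outer_ethertype"] == ETH_P_8021Q


ISP_MAC, ALLNODES_MAC = "78:ba:f9:73:f5:74", "33:33:00:00:00:01"
# Constructed samples: the RA with and without a tag, and a tagged ARP request.
TAGGED_RA = eth_header(ALLNODES_MAC, ISP_MAC, ETH_P_IPV6, vlan=10) + icmpv6_packet(134)
UNTAGGED_RA = eth_header(ALLNODES_MAC, ISP_MAC, ETH_P_IPV6) + icmpv6_packet(134)
TAGGED_ARP = (eth_header("ff:ff:ff:ff:ff:ff", ISP_MAC, ETH_P_ARP, vlan=10)
              + arp_request(ISP_MAC, "10.238.192.1", "10.238.249.167"))

if __name__ == "__main__":
    for name, frame in (("tagged RA", TAGGED_RA), ("untagged RA", UNTAGGED_RA),
                        ("tagged ARP", TAGGED_ARP)):
        info = parse_frame(frame)
        print(f"{name:12} drop={matches_ether_type_vlan(frame)!s:5} "
              f"outer=0x{info['outer_ethertype']:04x} vlans={info['vlans']} "
              f"inner=0x{info['inner_ethertype']:04x} {info['payload']}")
```

Running it shows the two tagged frames with `drop=True` and `outer=0x8100` while their `inner`/payload column reads ICMPv6 type 134 and ARP respectively, which is exactly the pairing the log lines in comments #1 and #2 showed; the untagged RA has `outer=0x86dd` and is not matched. When the intent is to filter on what the tag carries rather than on the presence of the tag, nft's `vlan type` selector matches the encapsulated ethertype (and `vlan id` the VLAN ID) instead of `ether type`.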