Project

General

Profile

Actions
Copy link

Bug #16138

closed

Ethernet rules passing IPv4 (0x0800) packets despite the block rule

Added by Lev Prokofev 5 days ago. Updated 2 days ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Release Notes:
Default
Affected Plus Version:
Affected Architecture:

Description

Tested on 24.11 and 25.03 Beta built on Fri Apr 4

Setup:

ix2 and igb1 in bridge, filtering on member interface:

net.link.bridge.pfil_onlyip=0    
net.link.bridge.pfil_member=1    
net.link.bridge.pfil_bridge=0

Any to any rules on ix2 and igb1

pass in quick on ix2 inet all flags S/SA keep state (if-bound) label "USER_RULE" label "id:1744382074" ridentifier 1744382074
pass in quick on igb1 inet all flags S/SA keep state (if-bound) label "USER_RULE" label "id:1744386976" ridentifier 1744386976

Ethernet rule:

ether block on ix2 proto 0x0800 l3 all label "id:1744386799" ridentifier 1744386799

I can see the traffic counters however the IPv4 ICMP packets are still passing

Files

Download all files
clipboard-202504111922-ny3in.png (76.3 KB) clipboard-202504111922-ny3in.png Lev Prokofev, 04/11/2025 04:22 PM
clipboard-202504111923-ggvpc.png (1.22 MB) clipboard-202504111923-ggvpc.png Lev Prokofev, 04/11/2025 04:23 PM
Actions
Copy link

Also available in: Atom PDF