[EDITED] I'm receiving ERSPAN-encapsulated traffic on a physical interface and need to process just a small part of it. To do this, I'm decapsulating the traffic on a local tunnel interface:
ip link add dev inspan type erspan seq key 10 local x.x.x.x erspan_ver 1
ip link set dev inspan up
and want to filter (drop/accept), rewrite and/or redirect the accepted part for further processing, either locally or towards a set of remote workers. The configuration below is supposed to be for local processing.
Where I'm stuck: the following rule works as expected:
table netdev filter {
chain redir {
type filter hook ingress device "inspan" priority filter; policy drop;
iifname inspan udp dport 2311 ether daddr set 8a:b1:34:1d:35:ea ip daddr set 10.171.165.65 accept
}
}
where the MAC address is inspan's address (where I receive the decapsulated traffic) and the IP address is local to this server (though not inspan's).
The logs show that the rewrite is done:
Aug 10 21:12:22 server kernel: [1726554.111664] IN=inspan OUT= MAC=8a:b1:34:1d:35:ea:a2:ee:e4:00:00:12:08:00 SRC=192.168.25.198 DST=10.171.165.65 LEN=372 TOS=0x00 PREC=0x00 TTL=125 ID=27044 PROTO=UDP SPT=50125 DPT=2311 LEN=352
but a simple test fails: 'nc -l -u -k -p 2311' shows no incoming traffic.
Though, if I connect explicitly (nc -u 10.171.165.65 2311), it responds (so address 10.171.165.65 is responsive and active).
According to the diagram https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks , I tried to check whether this traffic appears in the inet/prerouting hook (as it seems to be the next one after netdev/ingress):
table inet prerouting {
chain just_log {
type filter hook prerouting priority filter; policy accept;
iifname inspan log prefix "prerouting " meta nftrace set 1 accept
}
}
and no, there is nothing in either syslog or 'nft monitor trace'.
rp_filter for the inspan interface is set to 0; turning interface promisc mode on/off does not change the picture.
Any ideas what I'm missing on this last step?
Thank you.
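One thing the question does not rule out, added here as an example and not part of the original post: the netdev ingress hook runs after eth_type_trans() has already classified the decapsulated frame. A frame whose inner destination MAC is not inspan's own address (which is exactly why the MAC rewrite is needed) arrives with skb->pkt_type = PACKET_OTHERHOST, and ip_rcv() discards such packets before the prerouting hook is reached, regardless of promisc mode or rp_filter. Rewriting ether daddr in the rule does not touch that classification, which matches the symptom of a visible rewrite in the kernel log but nothing in prerouting. nftables can reset the classification with the meta pkttype set statement, which the kernel permits in netdev ingress. The ruleset below assumes the same interface, MAC and IP as the question and that the mirrored frames carry a foreign destination MAC; it replaces the question's netdev rule rather than adding to it.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Assumes the decapsulating
# interface is "inspan", the local MAC/IP are the ones quoted in the
# question, and the mirrored frames carry a foreign destination MAC
# (so eth_type_trans() has marked them PACKET_OTHERHOST).
#
# "flush ruleset" discards everything currently loaded; drop that line
# if other tables on the box must survive.
flush ruleset

table netdev filter {
    chain redir {
        type filter hook ingress device "inspan" priority filter; policy drop;

        # Rewrite L2/L3 destinations as in the question, then re-classify
        # the skb as "host": without this the packet keeps PACKET_OTHERHOST
        # and ip_rcv() drops it before inet/prerouting ever sees it.
        udp dport 2311 ether daddr set 8a:b1:34:1d:35:ea ip daddr set 10.171.165.65 meta pkttype set host counter accept
    }
}

# Verification chain: with the re-classification in place the same
# packets should now show up here (watch the counter or nft monitor trace).
table inet prerouting {
    chain just_log {
        type filter hook prerouting priority filter; policy accept;
        iifname "inspan" udp dport 2311 counter log prefix "prerouting " meta nftrace set 1 accept
    }
}
```

Load it with nft -f, replay some mirrored traffic, and compare the two counters in nft list ruleset: the netdev counter should already have been incrementing with the original rule, and the prerouting counter is the one that starts moving once pkttype is reset. On kernels that record skb drop reasons (5.17 and later), perf trace -e skb:kfree_skb shows the pre-fix drops from ip_rcv() with reason OTHERHOST, which is a quick way to confirm this diagnosis before changing the ruleset.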