threefoldtech/mycelium

ICMP messages dropped by reverse path filter.

r-vdp opened this issue · 6 comments

I see a lot of messages like below in my logs.

avr 01 16:47:50 starbook kernel: rpfilter drop: IN=mycelium OUT= MAC= SRC=0566:XXX DST=fe80:0000:0000:0000:9099:94dc:8b7f:6644 LEN=146 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=1 CODE=5 [SRC=fe80:0000:0000:0000:9099:94dc:8b7f:6644 DST=ff02:0000:0000:0000:0000:0000:0000:cafe LEN=98 TC=0 HOPLIMIT=1 FLOWLBL=848761 PROTO=UDP SPT=9650 DPT=9650 LEN=58 ]

The source address of the ICMP message is my machine's mycelium IP address.

The ICMP messages themselves get blocked by the reverse path filter in my firewall. I'm actually not sure why they are being dropped, since the source address seems to correspond to the incoming interface.

The rpfilter looks like this:

chain rpfilter {
        type filter hook prerouting priority mangle + 10; policy drop;
        fib saddr . mark . iif oif exists accept
        log prefix "rpfilter drop: " level info
}

Is there maybe an issue with how the routing table is being populated?
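As an added example (not part of the issue, and not code from the mycelium project), here is a small Python decoder for netfilter `log` lines of the shape shown above. It splits the outer header from the quoted inner packet in `[...]` that ICMPv6 error messages carry, keeps duplicate keys such as the inner IPv6 `LEN` and UDP `LEN` apart, classifies the address scopes involved, and names the ICMPv6 type/code so a drop like "type 1 code 5" reads as "source address failed ingress/egress policy". The first sample line is the one from the issue (with the same masked source); the second is a constructed plain UDP drop to show the no-inner-packet case. The `summarize` aggregation is my own addition for scanning a whole journal.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Sample input. Line 1 is copied from the issue (SRC masked there as 0566:XXX);
# line 2 is constructed for this example using the 2001:db8::/32 documentation prefix.
SAMPLE_LINES = [
    "avr 01 16:47:50 starbook kernel: rpfilter drop: IN=mycelium OUT= MAC= SRC=0566:XXX "
    "DST=fe80:0000:0000:0000:9099:94dc:8b7f:6644 LEN=146 TC=0 HOPLIMIT=64 FLOWLBL=0 "
    "PROTO=ICMPv6 TYPE=1 CODE=5 [SRC=fe80:0000:0000:0000:9099:94dc:8b7f:6644 "
    "DST=ff02:0000:0000:0000:0000:0000:0000:cafe LEN=98 TC=0 HOPLIMIT=1 FLOWLBL=848761 "
    "PROTO=UDP SPT=9650 DPT=9650 LEN=58 ]",
    "avr 01 16:48:02 starbook kernel: rpfilter drop: IN=lan0 OUT= "
    "MAC=f4:4d:ad:02:ac:fd:00:11:22:33:44:55:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 "
    "DST=2001:0db8:0000:0001:0000:0000:0000:0002 LEN=88 TC=0 HOPLIMIT=63 FLOWLBL=0 "
    "PROTO=UDP SPT=5353 DPT=5353 LEN=48",
]

# Names from RFC 4443 for the types/codes this parser decodes.
ICMPV6_TYPES = {1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
                4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
                133: "Router Solicitation", 134: "Router Advertisement",
                135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}
DEST_UNREACH_CODES = {0: "no route to destination", 1: "communication administratively prohibited",
                      2: "beyond scope of source address", 3: "address unreachable",
                      4: "port unreachable", 5: "source address failed ingress/egress policy",
                      6: "reject route to destination"}

_KV = re.compile(r"(\w+)=(\S*)")
_BODY = re.compile(r"^(?P<outer>[^\[]*)(?:\[(?P<inner>[^\]]*)\])?\s*$")


def _kv(text: str) -> Dict[str, str]:
    """KEY=VALUE tokens in order; a repeated key gets a _2, _3 suffix (inner LEN vs UDP LEN)."""
    out: Dict[str, str] = {}
    for key, val in _KV.findall(text):
        name, n = key, 2
        while name in out:
            name, n = f"{key}_{n}", n + 1
        out[name] = val
    return out


def parse_nft_log(line: str) -> Optional[dict]:
    """Split a kernel/nft log line into log prefix, outer header fields and quoted inner packet."""
    m = re.search(r"(?<!\S)IN=", line)
    if not m:
        return None  # not a netfilter log line
    head, body = line[:m.start()], line[m.start():]
    prefix = re.split(r"kernel:\s*", head, maxsplit=1)[-1].strip()
    b = _BODY.match(body)
    outer = _kv(b.group("outer"))
    inner = _kv(b.group("inner")) if b.group("inner") is not None else {}
    return {"prefix": prefix, "outer": outer, "inner": inner}


def addr_scope(text: str) -> str:
    """Coarse scope of an address as printed by the kernel (full-form IPv6 is accepted as-is)."""
    try:
        a = ipaddress.ip_address(text)
    except ValueError:
        return "unparseable"  # e.g. the masked 0566:XXX from the issue
    if a.is_multicast:
        return "multicast"
    if a.is_link_local:
        return "link-local"
    if a.is_loopback:
        return "loopback"
    if a.version == 6 and a in ipaddress.ip_network("fc00::/7"):
        return "unique-local"
    return "global"


def describe(rec: dict) -> str:
    """Human-readable one-liner: outer flow, decoded ICMPv6 meaning, and the quoted packet."""
    o = rec["outer"]
    parts = [f"{o.get('IN') or '?'}: {o.get('PROTO')} {o.get('SRC')} ({addr_scope(o.get('SRC', ''))})"
             f" -> {o.get('DST')} ({addr_scope(o.get('DST', ''))})"]
    if o.get("PROTO") == "ICMPv6" and "TYPE" in o:
        t, c = int(o["TYPE"]), int(o.get("CODE", "0"))
        name = ICMPV6_TYPES.get(t, f"type {t}")
        if t == 1:
            name += ", " + DEST_UNREACH_CODES.get(c, f"code {c}")
        parts.append(name)
    i = rec["inner"]
    if i:
        ports = f" port {i.get('SPT')}->{i.get('DPT')}" if "DPT" in i else ""
        parts.append(f"quoted packet: {i.get('PROTO')} {i.get('SRC')} -> {i.get('DST')}"
                     f" ({addr_scope(i.get('DST', ''))}){ports}")
    return " | ".join(parts)


def summarize(lines: Iterable[str]) -> Counter:
    """Count drops by (input interface, protocol, ICMPv6 type/code) to spot the noisy class quickly."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_nft_log(line)
        if rec is None:
            continue
        o = rec["outer"]
        tc = f"{o['TYPE']}/{o.get('CODE', '0')}" if "TYPE" in o else ""
        counts[(o.get("IN", ""), o.get("PROTO", ""), tc)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe(parse_nft_log(line)))
    print(summarize(SAMPLE_LINES))
```

Feed it `journalctl -k | grep 'rpfilter drop:'` to see at a glance whether the drops are ICMPv6 errors addressed to a link-local address of the host (as in this issue) or something else entirely.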

Would you have multiple interfaces connected on that box (like on different VLANs)?

No, this is on my laptop that's connected to a single interface.

It is also connected to a ZeroTier network though, not sure if that can have an effect?

Meh, there is no specific route.
But in your rpfilter you drop link-local addresses.
Can you give an ip a and ip -6 r of your machine?

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: lan1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq state DOWN group default qlen 1000
    link/ether 0c:37:96:96:28:5d brd ff:ff:ff:ff:ff:ff
    altname enp0s20f0u1u3i5
3: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000
    link/ether f4:4d:ad:02:ac:fd brd ff:ff:ff:ff:ff:ff
    altname enp0s20f0u1u2u1
    inet 10.0.0.55/24 metric 512 brd 10.0.0.255 scope global dynamic lan0
       valid_lft 6727sec preferred_lft 6727sec
    inet6 2a02:a03f:65cc:7001:a6ea:1d07:f592:9cad/64 scope global temporary dynamic 
       valid_lft 3236sec preferred_lft 1436sec
    inet6 2a02:a03f:65cc:7001:XXX/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 3236sec preferred_lft 1436sec
    inet6 fdcd:4491:1760:1:d4ab:9ecf:89d:932c/64 scope global temporary dynamic 
       valid_lft 3236sec preferred_lft 1436sec
    inet6 fdcd:4491:1760:1:XXX/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 3236sec preferred_lft 1436sec
    inet6 fe80::f64d:adff:fe02:acfd/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
4: wifi0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 16:25:cf:df:60:d5 brd ff:ff:ff:ff:ff:ff permaddr 7c:b5:66:65:be:72
    altname wlp1s0
5: management@lan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether f4:4d:ad:02:ac:fd brd ff:ff:ff:ff:ff:ff
7: ztzlggwhus: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq state UNKNOWN group default qlen 1000
    link/ether f2:63:0a:3b:41:06 brd ff:ff:ff:ff:ff:ff
    inet 172.26.134.183/16 brd 172.26.255.255 scope global ztzlggwhus
       valid_lft forever preferred_lft forever
    inet6 fd93:afae:5963:c547:f199:9324:cf58:18a8/88 scope global 
       valid_lft forever preferred_lft forever
    inet6 fcf0:6ae9:a824:cf58:18a8::1/40 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::f063:aff:fe3b:4106/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
8: mycelium: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq state UNKNOWN group default qlen 500
    link/none 
    inet6 566:7843:a153:df58:XXX/7 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::3b18:2eae:31f7:6914/64 scope link stable-privacy proto kernel_ll 
       valid_lft forever preferred_lft forever

400::/7 dev mycelium proto kernel metric 256 pref medium
2a02:a03f:65cc:7001::/64 dev lan0 proto ra metric 512 expires 3208sec pref medium
fcf0:6ae9:a800::/40 dev ztzlggwhus proto kernel metric 256 pref medium
fd93:afae:5963:c547:f199:9300::/88 dev ztzlggwhus proto kernel metric 256 pref medium
fdcd:4491:1760:1::/64 dev lan0 proto ra metric 512 expires 3208sec pref medium
fe80::/64 dev ztzlggwhus proto kernel metric 256 pref medium
fe80::/64 dev lan0 proto kernel metric 256 pref medium
fe80::/64 dev mycelium proto kernel metric 256 pref medium
default via fe80::1 dev lan0 proto ra metric 512 expires 1408sec pref medium

I think your rpf is a bit pedantic :-p

I added an additional rule which seems to have solved this, thanks!

fib daddr . mark . iif type local accept