I set up a rule that matches multicast packets, as shown below:
add rule filter_4 new_out_4 meta pkttype multicast goto multicast_out_4
filter_4 is the IPv4 table, new_out_4 is the output chain, and multicast_out_4 is the chain that handles multicast-only traffic.
Here is a more complete picture of the IPv4 table, with the irrelevant parts left out:
#!/usr/sbin/nft -f
add table filter_4
add chain filter_4 output {
    # filter = 0
    type filter hook output priority filter; policy drop;
}
add chain filter_4 multicast_out_4 {
    comment "Output multicast IPV4 traffic"
}
add chain filter_4 new_out_4 {
    comment "New output IPv4 traffic"
}
#
# Stateful filtering
#
# Established IPv4 traffic
add rule filter_4 input ct state established goto established_in_4
add rule filter_4 output ct state established goto established_out_4
# Related IPv4 traffic
add rule filter_4 input ct state related goto related_in_4
add rule filter_4 output ct state related goto related_out_4
# New IPv4 traffic ( PACKET IS MATCHED HERE )
add rule filter_4 input ct state new goto new_in_4
add rule filter_4 output ct state new goto new_out_4
# Invalid IPv4 traffic
add rule filter_4 input ct state invalid log prefix "drop invalid_filter_in_4: " counter name invalid_filter_count_4 drop
add rule filter_4 output ct state invalid log prefix "drop invalid_filter_out_4: " counter name invalid_filter_count_4 drop
# Untracked IPv4 traffic
add rule filter_4 input ct state untracked log prefix "drop untracked_filter_in_4: " counter name untracked_filter_count_4 drop
add rule filter_4 output ct state untracked log prefix "drop untracked_filter_out_4: " counter name untracked_filter_count_4 drop
In the setup above, new output traffic, including multicast, is matched by this rule:
add rule filter_4 output ct state new goto new_out_4
Here is the new_out_4 chain, containing only the relevant (non-working) multicast rule:
# Multicast IPv4 traffic ( THIS RULE DOES NOT WORK, SEE LOG OUTPUT BELOW)
add rule filter_4 new_out_4 meta pkttype multicast goto multicast_out_4
#
# Default chain action ( MULTICAST PACKET IS DROPPED HERE )
#
add rule filter_4 new_out_4 log prefix "drop new_out_4: " counter name new_out_filter_count_4 drop
Here is what the log shows for the dropped multicast packet:
drop new_out_4: IN= OUT=eth0 SRC=192.168.1.100 DST=224.0.0.251 LEN=163 TOS=0x00 PREC=0x00 TTL=255 ID=27018 DF PROTO=UDP SPT=5353 DPT=5353 LEN=143
The dropped packet was sent to destination address 224.0.0.251, which is a multicast address. It should have matched the multicast rule in the new_out_4 chain and been handled by the multicast_out_4 chain, but it was not.
Instead, the packet did not match and was dropped by the default drop rule in the new_out_4 chain above (see the comment "Default chain action").
Apparently this means the multicast rule does not work.
Why does the multicast rule not work?
Expected:
meta pkttype multicast
matches destination address 224.0.0.251
Edit:
System information:
Kernel: 6.5.0-0.deb12.4-amd64
The same problem exists with the earlier 6.1 kernel.
nftables: v1.0.6 (Lester Gooch #5)
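The question identifies the dropped packet by its DST address rather than by the match the rule used. As an added example, not part of the original post, here is a small parser for the netfilter log format shown above that flags dropped packets whose destination falls in the IPv4 multicast range 224.0.0.0/4 (the address-based test the question expects `meta pkttype multicast` to perform); the sample lines beyond the one from the question are constructed, as is the `new_in_4` prefix.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample log lines in the netfilter format that nft's `log prefix` emits.
# Line 1 is the dropped mDNS packet from the question; lines 2 and 3 are made up
# (a unicast TCP SYN and an SSDP packet in the input direction) for contrast.
SAMPLE_LOG = """\
drop new_out_4: IN= OUT=eth0 SRC=192.168.1.100 DST=224.0.0.251 LEN=163 TOS=0x00 PREC=0x00 TTL=255 ID=27018 DF PROTO=UDP SPT=5353 DPT=5353 LEN=143
drop new_out_4: IN= OUT=eth0 SRC=192.168.1.100 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=43210 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
drop new_in_4: IN=eth0 OUT= SRC=192.168.1.7 DST=239.255.255.250 LEN=167 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=147
"""

@dataclass
class NfLogEntry:
    prefix: str                                   # text before IN=, i.e. the rule's log prefix
    fields: dict = field(default_factory=dict)    # KEY=value tokens; a repeated key gets "#2"
    flags: set = field(default_factory=set)       # bare tokens such as DF or SYN

    @property
    def direction(self) -> str:
        return "out" if self.fields.get("OUT") else "in"

    @property
    def dst_is_multicast(self) -> bool:
        # 224.0.0.0/4 for IPv4 (ff00::/8 for IPv6): the address-based multicast test
        return ipaddress.ip_address(self.fields["DST"]).is_multicast

def parse_line(line: str) -> NfLogEntry:
    """Split one netfilter log line into its prefix, KEY=value fields and bare flags."""
    start = line.index("IN=")  # netfilter always emits IN= as the first field
    entry = NfLogEntry(prefix=line[:start].rstrip())
    for tok in line[start:].split():
        if "=" not in tok:
            entry.flags.add(tok)
            continue
        key, value = tok.split("=", 1)
        # LEN appears twice (IP total length, then UDP length); keep both values
        entry.fields[key if key not in entry.fields else key + "#2"] = value
    return entry

def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if "IN=" in l]

def multicast_drops(text: str, direction: str = "out") -> list:
    """Dropped packets in the given direction whose destination is a multicast address."""
    return [e for e in parse_log(text)
            if e.prefix.startswith("drop") and e.direction == direction and e.dst_is_multicast]

if __name__ == "__main__":
    for e in multicast_drops(SAMPLE_LOG):
        print(e.prefix, e.fields["DST"], e.fields["PROTO"], e.fields["DPT"])
```

Feeding the real syslog output of the ruleset above into `multicast_drops` lists exactly the packets that reached the default drop rule with a multicast destination, which is a quick way to confirm whether a changed rule in new_out_4 is now catching them.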