Hello there,
I have the following set of rules:
drop not ethertype ipv4 and not ethertype arp and not ethertype ipv6;
accept macsrc ce:da:80:e0:29:67;
drop not chr ipauth;
accept;
With a member (let’s call it A) that does have ce:da:80:e0:29:67
indicated in the controller’s UI.
Messages from member A are dropped somewhere.
Here is the interface of member A:
2: ztREDACTED: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether ce:da:80:e0:29:67 brd ff:ff:ff:ff:ff:ff
    inet 10.147.19.1/24 scope global ztREDACTED
       valid_lft forever preferred_lft forever
And here is the interface of member B:
6: ztREDACTED: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether ce:3e:87:ba:ed:c3 brd ff:ff:ff:ff:ff:ff
    inet 10.147.19.253/24 brd 10.147.19.255 scope global ztREDACTED
       valid_lft forever preferred_lft forever
Here is a tcpdump made at member B:
15:21:30.588681 ce:3e:87:ba:ed:c3 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.147.19.1 tell 10.147.19.253, length 28
15:21:31.600179 ce:3e:87:ba:ed:c3 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.147.19.1 tell 10.147.19.253, length 28
15:21:32.624251 ce:3e:87:ba:ed:c3 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.147.19.1 tell 10.147.19.253, length 28
15:21:33.648421 ce:3e:87:ba:ed:c3 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.147.19.1 tell 10.147.19.253, length 28
15:21:34.676176 ce:3e:87:ba:ed:c3 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.147.19.1 tell 10.147.19.253, length 28
And here is a tcpdump made at member A:
13:21:30.632453 ce:3e:87:ba:ed:c3 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.147.19.1 tell 10.147.19.253, length 28
13:21:30.632465 ce:da:80:e0:29:67 > ce:3e:87:ba:ed:c3, ethertype ARP (0x0806), length 42: Reply 10.147.19.1 is-at ce:da:80:e0:29:67, length 28
13:21:31.627069 ce:3e:87:ba:ed:c3 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.147.19.1 tell 10.147.19.253, length 28
13:21:31.627079 ce:da:80:e0:29:67 > ce:3e:87:ba:ed:c3, ethertype ARP (0x0806), length 42: Reply 10.147.19.1 is-at ce:da:80:e0:29:67, length 28
13:21:32.645644 ce:3e:87:ba:ed:c3 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.147.19.1 tell 10.147.19.253, length 28
13:21:32.645655 ce:da:80:e0:29:67 > ce:3e:87:ba:ed:c3, ethertype ARP (0x0806), length 42: Reply 10.147.19.1 is-at ce:da:80:e0:29:67, length 28
13:21:33.659106 ce:3e:87:ba:ed:c3 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.147.19.1 tell 10.147.19.253, length 28
13:21:33.659119 ce:da:80:e0:29:67 > ce:3e:87:ba:ed:c3, ethertype ARP (0x0806), length 42: Reply 10.147.19.1 is-at ce:da:80:e0:29:67, length 28
13:21:34.688282 ce:3e:87:ba:ed:c3 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.147.19.1 tell 10.147.19.253, length 28
13:21:34.688295 ce:da:80:e0:29:67 > ce:3e:87:ba:ed:c3, ethertype ARP (0x0806), length 42: Reply 10.147.19.1 is-at ce:da:80:e0:29:67, length 28
There are no nftables rules on either member.