metal-stack / firewall-controller

A Kubernetes controller running on bare-metal firewalls that creates nftables rules, configures Suricata and collects network metrics
MIT License

Traffic accounting takes wrong interfaces into account #95

Closed majst01 closed 3 years ago

majst01 commented 3 years ago

Traffic does not occur on vrf* interfaces anymore:

Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
bridge    9000 27259063      0      0 0      31380625      0      0      0 BMRU
lan0      9216 27010202      0      0 0      21933544      0      0      0 BMRU
lan1      9216 12387948      0     13 0      17317263      0      0      0 BMRU
lo       65536        0      0      0 0             0      0      0      0 LRU
vlan20    9000  2750722      0      0 0       4628710      0      0      0 BMRU
vlan52    9000 13200476      0      0 0      15557870      0      0      0 BMRU
vlan1040  9000 11307865      0      0 0      11193933      0      0      0 BMRU
vni20     9000  3329847      0      0 0       4628600      0    108      0 BMRU
vni52     9000 13667596      0      0 0      15557757      0    110      0 BMRU
vni10400  9000 11429428      0      0 0      11193822      0    108      0 BMRU
vrf20    65536  2750722      0      0 0             0      0      0      0 OmRU
vrf52    65536 13200476      0      0 0             0      0      0      0 OmRU
vrf10400 65536 11307857      0      0 0             0      0      0      0 OmRU

but the ruleset expects it to:

        chain forward {
                type filter hook forward priority filter + 1; policy drop;
                ip saddr != @internal_prefixes oifname "vlan52" counter name "external_in"
                ip daddr != @internal_prefixes iifname "vrf52" counter name "external_out"
                ip saddr @internal_prefixes oifname "vlan52" counter name "internal_in"
                ip daddr @internal_prefixes iifname "vrf52" counter name "internal_out"
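
The mismatch reported above can be checked mechanically. The script below is an added example written for this page, not code from firewall-controller or from the issue: it parses the interface table and the forward-chain counter rules as posted (the sample rows are copied from the table above; one extra rule keyed on oifname "vrf52", named "hypothetical_vrf_egress", is constructed here and is not in the issue) and reports, per counter, whether the interface the rule keys on actually shows traffic in the direction that match needs (RX for iifname, TX for oifname) and whether it is a master device such as a VRF.

```python
import re

# Constructed sample input: rows copied from the interface table in the issue
# (netstat -i layout), plus the loopback row as a control case.
NETSTAT_I = """\
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
lo       65536        0      0      0 0             0      0      0      0 LRU
vlan52    9000 13200476      0      0 0      15557870      0      0      0 BMRU
vni52     9000 13667596      0      0 0      15557757      0    110      0 BMRU
vrf52    65536 13200476      0      0 0             0      0      0      0 OmRU
"""

# The four accounting rules from the issue's forward chain, plus one
# hypothetical rule (NOT in the issue) that keys egress on the VRF device,
# included to show what the audit reports for a rule that can never match.
RULES = """\
ip saddr != @internal_prefixes oifname "vlan52" counter name "external_in"
ip daddr != @internal_prefixes iifname "vrf52" counter name "external_out"
ip saddr @internal_prefixes oifname "vlan52" counter name "internal_in"
ip daddr @internal_prefixes iifname "vrf52" counter name "internal_out"
ip daddr @internal_prefixes oifname "vrf52" counter name "hypothetical_vrf_egress"
"""


def parse_netstat_i(text):
    """Parse `netstat -i` style output into {iface: {"rx", "tx", "master"}}."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    table = {}
    for line in lines[1:]:
        rec = dict(zip(header, line.split()))
        table[rec["Iface"]] = {
            "rx": int(rec["RX-OK"]),
            "tx": int(rec["TX-OK"]),
            # net-tools prints 'm' in Flg for IFF_MASTER; a VRF device sets
            # that flag (so does a bond master), hence "OmRU" on vrf52 above.
            "master": "m" in rec["Flg"],
        }
    return table


# Matches an nft rule that keys on an interface name and ends in a named counter.
RULE_RE = re.compile(r'\b(iifname|oifname)\s+"([^"]+)".*\bcounter name "([^"]+)"')


def parse_rules(text):
    """Return (counter_name, match_kind, iface) for each counter rule; other rules are ignored."""
    found = []
    for line in text.strip().splitlines():
        m = RULE_RE.search(line)
        if m:
            found.append((m.group(3), m.group(1), m.group(2)))
    return found


def audit(rules, table):
    """Cross-check each accounting rule against observed interface counters.

    Returns {counter_name: [findings]}. An iifname match needs RX traffic on
    that interface and an oifname match needs TX traffic; a zero count in the
    required direction means the counter can never increment. Rules keyed on
    a master (VRF) device are reported so the operator can decide whether the
    enslaved interface was meant instead.
    """
    report = {}
    for counter, kind, iface in rules:
        findings = []
        stats = table.get(iface)
        if stats is None:
            findings.append(f"{iface}: not present in interface table")
        else:
            direction = "rx" if kind == "iifname" else "tx"
            if stats[direction] == 0:
                findings.append(f"{iface}: no {direction.upper()} traffic, {kind} match never hits")
            if stats["master"]:
                findings.append(f"{iface}: is a master (VRF) device")
        report[counter] = findings
    return report


if __name__ == "__main__":
    for counter, findings in audit(parse_rules(RULES), parse_netstat_i(NETSTAT_I)).items():
        print(counter, "OK" if not findings else "; ".join(findings))
```

On the data from the issue, the two `oifname "vlan52"` counters come back clean, the two `iifname "vrf52"` counters are reported as keyed on a master device, and the constructed `oifname "vrf52"` rule is reported as one that can never hit because the VRF device shows zero TX.
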
Gerrit91 commented 3 years ago

Can this be closed?

majst01 commented 3 years ago

closed with #96