Does anyone know if Mikrotik ever considered adding https://github.com/nhorman/dropwatch to their operating system?
I had a hard time figuring out that RP Filter was dropping packets, and Dropwatch would definitely help in understanding rp filter / filter drops.
I would rather like to see the “rpfilter” matcher in the firewall so that packets not matching rpfilter can be dropped or marked as usual in firewall rules, including the usual way of counting and logging them.
Linux iptables has this “rpfilter” matcher as documented in the man page:
rpfilter
Performs a reverse path filter test on a packet. If a reply to the
packet would be sent via the same interface that the packet arrived on,
the packet will match. Note that, unlike the in-kernel rp_filter,
packets protected by IPSec are not treated specially. Combine this
match with the policy match if you want this. Also, packets arriving
via the loopback interface are always permitted. This match can only
be used in the PREROUTING chain of the raw or mangle table.
--loose
Used to specify that the reverse path filter test should match
even if the selected output device is not the expected one.
--validmark
Also use the packets' nfmark value when performing the reverse
path route lookup.
--accept-local
This will permit packets arriving from the network with a source
address that is also assigned to the local machine.
--invert
This will invert the sense of the match. Instead of matching
packets that passed the reverse path filter test, match those
that have failed it.
but for some reason unclear to me it is not available in the RouterOS firewall rules…
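To make the strict, --loose and --accept-local semantics in the quoted man page concrete, here is an added Python model of the rpfilter test run over a constructed routing table (example code written for this thread, not code from the forum posts, from iptables or from RouterOS); the routes, interface names, local addresses and sample packets are all assumptions, and --validmark is not modelled.

```python
import ipaddress

# Constructed routing table (assumption): (destination prefix, output interface)
ROUTES = [
    ("0.0.0.0/0", "ether1"),         # default route via the WAN port
    ("192.168.88.0/24", "bridge1"),  # LAN behind the bridge
    ("10.0.0.0/8", "ether2"),        # second uplink
]
# Constructed: addresses assigned to the router itself
LOCAL_ADDRS = {"192.168.88.1", "203.0.113.5", "10.1.1.1"}

def route_lookup(dst):
    """Longest-prefix match; returns the output interface or None if unroutable."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def rpfilter_match(src, in_iface, loose=False, accept_local=False):
    """Model of 'iptables -m rpfilter': True when the packet passes the reverse path test.
    The test routes the packet's *source* address and compares the chosen output
    interface with the interface the packet arrived on."""
    if in_iface == "lo":          # loopback traffic is always permitted
        return True
    if src in LOCAL_ADDRS:        # our own address seen from the network
        return accept_local       # only passes with --accept-local
    out_iface = route_lookup(src)
    if out_iface is None:         # no route back at all: fails in both modes
        return False
    if loose:                     # --loose: any route back is enough
        return True
    return out_iface == in_iface  # strict: reply must leave on the ingress interface

# Constructed sample packets: (source address, ingress interface)
SAMPLE_PACKETS = [
    ("192.168.88.10", "bridge1"),  # LAN host on the LAN port: passes
    ("192.168.88.10", "ether1"),   # LAN source arriving from the WAN: spoofed, fails strict
    ("10.2.3.4", "ether1"),        # asymmetric routing: fails strict, passes loose
    ("192.168.88.1", "ether1"),    # router's own address from outside: needs --accept-local
    ("198.51.100.7", "ether1"),    # Internet host via the default route: passes
]

def failed_rpfilter(packets, **opts):
    """Packets that a '-m rpfilter --invert -j DROP' rule would drop (and could count or log)."""
    return [p for p in packets if not rpfilter_match(*p, **opts)]
```

Comparing `failed_rpfilter(SAMPLE_PACKETS)` with `failed_rpfilter(SAMPLE_PACKETS, loose=True)` shows why a strict rule silently drops asymmetric-routing traffic, which is exactly the situation a counted or logged firewall rule would have made visible.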