Policy routing - default action drop?



I have recently implemented vyos in a service provider environment and I am looking to route traffic matching a certain source address coming on an ingress tunnel to push out to another tunnel. Everything works fine, however I see a lot of drops.

Although I am seeing drops counting up, I am wondering if this count are packets that dont match the policy and are “dropped” back into the general forwarding rules, or the packets are dropped (i.e. null0) altogether?

(from my testing with live connections, it would seem that packets are generally forwarded on)

example of the counters below:

(there are two policies, one to adjust TCP MSS and the other to route the packets)

$ sh policy

Rulesets Information

IPv4 Policy Route “TUN_0_POLICY”:

Active on (tun0,ROUTE)

rule action proto packets bytes

1 set tcp 5752 346740
condition - saddr daddr tcpflags: 0x02/0x02 TCPMSS set 135
5832 351784 TCPMSS tcp – * * /* TUN_0_POLICY-1 */ tcpflags:
0x02/0x02 TCPMSS set 1350

100 set all 263638 21888051
condition - saddr daddr

10000 drop all 1901194 2609051068
condition - saddr daddr


Drop in a policy just means… don’t modify anything and stop further processing in the access-list

processing in modify ruleset goes top to bottom…but does not stop on a match!
So for some packets both rules 1 100 and 10000 will be executed (processing does stop at accept or block)