показать изменения в наборе правил и трассировке событий (show changes to rule set and trace-events)
Имя (Name)
xtables-monitor — show changes to rule set and trace-events
Синопсис (Synopsis)
xtables-monitor
[-t
] [-e
] [-4
||-6]
Описание (Description)
xtables-monitor
is used to monitor changes to the ruleset or to
show rule evaluation events for packets tagged using the TRACE
target. xtables-monitor
will run until the user aborts
execution, typically by using CTRL-C.
Параметры (Options)
-e
, --event
Watch for updates to the rule set.
Updates include creation of new tables, chains and rules
and the name of the program that caused the rule update.
-t
, --trace
Watch for trace events generated by packets that have been
tagged using the TRACE target.
-4
Restrict output to IPv4.
-6
Restrict output to IPv6.
EXAMPLE OUTPUT
xtables-monitor --trace
1 TRACE: 2 fc475095 raw:PREROUTING:rule:0x3:CONTINUE -4
-t raw -A PREROUTING -p icmp -j TRACE
2 PACKET: 0 fc475095 IN=lo LL=0x304
0000000000000000000000000800 SRC=127.0.0.1 DST=127.0.0.1
LEN=84 TOS=0x0 TTL=64 ID=38349DF
3 TRACE: 2 fc475095 raw:PREROUTING:return:
4 TRACE: 2 fc475095 raw:PREROUTING:policy:ACCEPT
5 TRACE: 2 fc475095 filter:INPUT:return:
6 TRACE: 2 fc475095 filter:INPUT:policy:DROP
7 TRACE: 2 0df9d3d8 raw:PREROUTING:rule:0x3:CONTINUE -4
-t raw -A PREROUTING -p icmp -j TRACE
The first line shows a packet entering rule set evaluation. The
protocol number is shown (AF_INET in this case), then a packet
identifier number that allows to correlate messages coming from
rule set evaluation of this packet. After this, the rule that
was matched by the packet is shown. This is the TRACE rule that
turns on tracing events for this packet.
The second line dumps information about the packet. Incoming
interface and packet headers such as source and destination
addresses are shown.
The third line shows that the packet completed traversal of the
raw table PREROUTING chain, and is returning, followed by use the
chain policy to make accept/drop decision (the example shows
accept being applied). The fifth line shows that the packet
leaves the filter INPUT chain, i.e., no rules in the filter
tables INPUT chain matched the packet. It then got DROPPED by
the policy of the INPUT table, as shown by line six. The last
line shows another packet arriving -- the packet id is different.
When using the TRACE target, it is usually a good idea to only
select packets that are relevant, for example via
iptables -t raw -A PREROUTING -p tcp --dport 80 --syn -m limit --limit 1/s -j TRACE
xtables-monitor --event
1 EVENT: nft: NEW table: table filter ip flags 0 use 4
handle 444
2 EVENT: # nft: ip filter INPUT use 2 type filter hook
input prio 0 policy drop packets 0 bytes 0
3 EVENT: # nft: ip filter FORWARD use 0 type filter hook
forward prio 0 policy accept packets 0 bytes 0
4 EVENT: # nft: ip filter OUTPUT use 0 type filter hook
output prio 0 policy accept packets 0 bytes 0
5 EVENT: -4 -t filter -N TCP
6 EVENT: -4 -t filter -A TCP -s 192.168.0.0/16 -p tcp -m
tcp --dport 22 -j ACCEPT
7 EVENT: -4 -t filter -A TCP -p tcp -m multiport
--dports 80,443 -j ACCEPT
8 EVENT: -4 -t filter -A INPUT -p tcp -j TCP
9 EVENT: -4 -t filter -A INPUT -m conntrack --ctstate
RELATED,ESTABLISHED -j ACCEPT
10 NEWGEN: GENID=13904 PID=25167 NAME=iptables-nftables-
restore
This example shows event monitoring. Line one shows creation of
a table (filter in this case), followed by three base hooks
INPUT, FORWARD and OUTPUT. The iptables-nftables tools all
create tables and base chains automatically when needed, so this
is expected when a table was not yet initialized or when it is
re-created from scratch by iptables-nftables-restore. Line five
shows a new user-defined chain (TCP) being added, followed by
addition a few rules. the last line shows that a new ruleset
generation has become active, i.e., the rule set changes are now
active. This also lists the process id and the programs name.
Ограничения (Limitations)
xtables-monitor
only works with rules added using iptables-
nftables, rules added using iptables-legacy cannot be monitored.
Ошибки (баги) (Bugs)
Should be reported or by sending email to netfilter-
devel@vger.kernel.org or by filing a report on
https://bugzilla.netfilter.org/.
Смотри также (See also)
iptables(8), xtables
(8), nft
(8)