XTABLES-MONITOR(8)              iptables 1.8.5              XTABLES-MONITOR(8)


NAME

       xtables-monitor — show changes to rule set and trace-events

SYNOPSIS

       xtables-monitor [-t] [-e] [-4|-6]

DESCRIPTION

       xtables-monitor is used to monitor changes to the ruleset or to show
       rule evaluation events for packets tagged using the TRACE target.
       xtables-monitor will run until the user aborts execution, typically by
       using CTRL-C.

OPTIONS

       -e, --event
              Watch for updates to the rule set.  Updates include creation of
              new tables, chains and rules and the name of the program that
              caused the rule update.

       -t, --trace
              Watch for trace events generated by packets that have been
              tagged using the TRACE target.

       -4     Restrict output to IPv4.

       -6     Restrict output to IPv6.

EXAMPLE OUTPUT

       xtables-monitor --trace

               1 TRACE: 2 fc475095 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE
               2 PACKET: 0 fc475095 IN=lo LL=0x304 0000000000000000000000000800 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x0 TTL=64 ID=38349DF
               3 TRACE: 2 fc475095 raw:PREROUTING:return:
               4 TRACE: 2 fc475095 raw:PREROUTING:policy:ACCEPT
               5 TRACE: 2 fc475095 filter:INPUT:return:
               6 TRACE: 2 fc475095 filter:INPUT:policy:DROP
               7 TRACE: 2 0df9d3d8 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE

       The first line shows a packet entering rule set evaluation.  The
       protocol number is shown (AF_INET in this case), then a packet
       identifier number that allows correlating messages coming from rule set
       evaluation of this packet.  After this, the rule that was matched by the
       packet is shown.  This is the TRACE rule that turns on tracing events
       for this packet.

       The second line dumps information about the packet.  Incoming interface
       and packet headers such as source and destination addresses are shown.

       The third line shows that the packet completed traversal of the raw
       table's PREROUTING chain and is returning, followed in line four by use
       of the chain policy to make the accept/drop decision (the example shows
       accept being applied).  The fifth line shows that the packet leaves the
       filter INPUT chain, i.e., no rules in the filter table's INPUT chain
       matched the packet.  It then got DROPPED by the policy of the filter
       table's INPUT chain, as shown by line six.  The last line shows another
       packet arriving; the packet id is different.

       When using the TRACE target, it is usually a good idea to only select
       packets that are relevant, for example via

              iptables -t raw -A PREROUTING -p tcp --dport 80 --syn -m limit --limit 1/s -j TRACE
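       To follow one packet through the trace output explained above, here is
       a small parser (an added example, not part of the man page or of the
       iptables project) that groups TRACE and PACKET lines by packet id and
       reports where a packet was dropped.  The sample lines are the man
       page's own trace output; the function and field names are assumed.

```python
import re

# Constructed sample: the man page's `xtables-monitor --trace` example, one
# record per line (the leading 1..7 are the man page's own numbering).
SAMPLE_TRACE = """\
1 TRACE: 2 fc475095 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE
2 PACKET: 0 fc475095 IN=lo LL=0x304 0000000000000000000000000800 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x0 TTL=64 ID=38349DF
3 TRACE: 2 fc475095 raw:PREROUTING:return:
4 TRACE: 2 fc475095 raw:PREROUTING:policy:ACCEPT
5 TRACE: 2 fc475095 filter:INPUT:return:
6 TRACE: 2 fc475095 filter:INPUT:policy:DROP
7 TRACE: 2 0df9d3d8 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE
"""

TRACE_RE = re.compile(r"^\s*\d*\s*TRACE: (?P<family>\d+) (?P<pid>[0-9a-f]+) "
                      r"(?P<table>[^:]+):(?P<chain>[^:]+):(?P<kind>\w+):(?P<rest>.*)$")
PACKET_RE = re.compile(r"^\s*\d*\s*PACKET: \d+ (?P<pid>[0-9a-f]+) (?P<fields>.*)$")

def parse_trace(text):
    """Group TRACE/PACKET lines by packet id into {id: {family, headers, steps}};
    family is the protocol number (2 == AF_INET), steps are (table, chain, kind, verdict)."""
    packets = {}
    for line in text.splitlines():
        if m := TRACE_RE.match(line):
            pkt = packets.setdefault(m["pid"], {"family": None, "headers": {}, "steps": []})
            pkt["family"], kind, rest = int(m["family"]), m["kind"], m["rest"]
            if kind == "rule":      # rest is "<handle>:<verdict> <rule text>"
                verdict = rest.split(":", 1)[1].split(" ", 1)[0]
            elif kind == "policy":  # rest is the chain policy verdict
                verdict = rest
            else:                   # "return": chain left without a terminal match
                verdict = None
            pkt["steps"].append((m["table"], m["chain"], kind, verdict))
        elif m := PACKET_RE.match(line):
            pkt = packets.setdefault(m["pid"], {"family": None, "headers": {}, "steps": []})
            # keep KEY=value tokens; the bare link-layer hex dump after LL= is skipped
            pkt["headers"].update(t.split("=", 1) for t in m["fields"].split() if "=" in t)
    return packets

def drop_point(pkt):
    """(table, chain, kind, verdict) where the packet was dropped or rejected, else
    None.  ACCEPT by one hook's chain only hands the packet to the next hook (sample
    lines 4 and 5), so it is not final; None also covers a trace cut off mid-way."""
    return next((s for s in pkt["steps"] if s[3] in ("DROP", "REJECT")), None)

def dropped(packets):
    """(id, SRC, DST, table:chain) for every traced packet that was dropped."""
    return [(pid, p["headers"].get("SRC"), p["headers"].get("DST"), f"{v[0]}:{v[1]}")
            for pid, p in packets.items() if (v := drop_point(p))]
```

       Run on the sample, the second packet (0df9d3d8) has no drop point
       because its trace ends after the TRACE rule.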

       xtables-monitor --event

                1 EVENT: nft: NEW table: table filter ip flags 0 use 4 handle 444
                2 EVENT: # nft: ip filter INPUT use 2 type filter hook input prio 0 policy drop packets 0 bytes 0
                3 EVENT: # nft: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0
                4 EVENT: # nft: ip filter OUTPUT use 0 type filter hook output prio 0 policy accept packets 0 bytes 0
                5 EVENT: -4 -t filter -N TCP
                6 EVENT: -4 -t filter -A TCP -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
                7 EVENT: -4 -t filter -A TCP -p tcp -m multiport --dports 80,443 -j ACCEPT
                8 EVENT: -4 -t filter -A INPUT -p tcp -j TCP
                9 EVENT: -4 -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
               10 NEWGEN: GENID=13904 PID=25167 NAME=iptables-nftables-restore

       This example shows event monitoring.  Line one shows creation of a
       table (filter in this case), followed by three base hooks INPUT,
       FORWARD and OUTPUT.  The iptables-nftables tools all create tables and
       base chains automatically when needed, so this is expected when a table
       was not yet initialized or when it is re-created from scratch by
       iptables-nftables-restore.  Line five shows a new user-defined chain
       (TCP) being added, followed by the addition of a few rules.  The last
       line shows that a new ruleset generation has become active, i.e., the
       rule set changes are now active.  This also lists the process id and
       the program's name.

LIMITATIONS

       xtables-monitor only works with rules added using iptables-nftables;
       rules added using iptables-legacy cannot be monitored.

BUGS

       Should be reported either by sending email to netfilter-devel@vger.kernel.org
       or by filing a report on https://bugzilla.netfilter.org/.

SEE ALSO

       iptables(8), xtables(8), nft(8)



iptables 1.8.5                                              XTABLES-MONITOR(8)