1XTABLES-MONITOR(8) iptables 1.8.0 XTABLES-MONITOR(8)
2
3
4
6 xtables-monitor — show changes to rule set and trace-events
7
9 xtables-monitor [-t] [-e] [-4||-6]
10
12 xtables-monitor is used to monitor changes to the ruleset or to show
13 rule evaluation events for packets tagged using the TRACE target. xta‐
14 bles-monitor will run until the user aborts execution, typically by
15 using CTRL-C.
16
18 -e, --event
19
20 Watch for updates to the rule set.
21 Updates include creation of new tables, chains and rules and the
22 name of the program that caused the rule update.
23
24 -t, --trace
25 Watch for trace events generated by packets that have been
26 tagged using the TRACE target.
27
28 -4 Restrict output to ipv4.
29
30 -6 Restrict output to ipv6.
31
33 xtables-monitor --trace
34
35 1 TRACE: 2 fc475095 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw
36 -A PREROUTING -p icmp -j TRACE
37 2 PACKET: 0 fc475095 IN=lo LL=0x304
38 0000000000000000000000000800 SRC=127.0.0.1 DST=127.0.0.1 LEN=84
39 TOS=0x0 TTL=64 ID=38349DF
40 3 TRACE: 2 fc475095 raw:PREROUTING:return:
41 4 TRACE: 2 fc475095 raw:PREROUTING:policy:ACCEPT
42 5 TRACE: 2 fc475095 filter:INPUT:return:
43 6 TRACE: 2 fc475095 filter:INPUT:policy:DROP
44 7 TRACE: 2 0df9d3d8 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw
45 -A PREROUTING -p icmp -j TRACE
46
47 The first line shows a packet entering rule set evaluation. The proto‐
48 col number is shown (AF_INET in this case), then a packet identifier
49 number that allows to correlate messages coming from rule set evalua‐
50 tion of this packet. After this, the rule that was matched by the
51 packet is shown. This is the TRACE rule that turns on tracing events
52 for this packet.
53
54 The second line dumps information about the packet. Incoming interface
55 and packet headers such as source and destination addresses are shown.
56
57 The third line shows that the packet completed traversal of the raw ta‐
58 ble PREROUTING chain, and is returning, followed by use the chain pol‐
59 icy to make accept/drop decision (the example shows accept being
60 applied). The fifth line shows that the packet leaves the filter INPUT
61 chain, i.e., no rules in the filter tables INPUT chain matched the
62 packet. It then got DROPPED by the policy of the INPUT table, as hown
63 by line six. The last line shows another packet arriving -- the packet
64 id is different.
65
66 When using the TRACE target, it is usally a good idea to only select
67 packets that are relevant, for example via
68 iptables -t raw -A PREROUTING -p tcp --dport 80 --syn -m limit --limit 1/s -j TRACE
69
70 xtables-monitor --event
71 1 EVENT: nft: NEW table: table filter ip flags 0 use 4 handle
72 444
73 2 EVENT: # nft: ip filter INPUT use 2 type filter hook input
74 prio 0 policy drop packets 0 bytes 0
75 3 EVENT: # nft: ip filter FORWARD use 0 type filter hook for‐
76 ward prio 0 policy accept packets 0 bytes 0
77 4 EVENT: # nft: ip filter OUTPUT use 0 type filter hook output
78 prio 0 policy accept packets 0 bytes 0
79 5 EVENT: -4 -t filter -N TCP
80 6 EVENT: -4 -t filter -A TCP -s 192.168.0.0/16 -p tcp -m tcp
81 --dport 22 -j ACCEPT
82 7 EVENT: -4 -t filter -A TCP -p tcp -m multiport --dports
83 80,443 -j ACCEPT
84 8 EVENT: -4 -t filter -A INPUT -p tcp -j TCP
85 9 EVENT: -4 -t filter -A INPUT -m conntrack --ctstate
86 RELATED,ESTABLISHED -j ACCEPT
87 10 NEWGEN: GENID=13904 PID=25167 NAME=iptables-nftables-restore
88
89 This example shows event monitoring. Line one shows creation of a ta‐
90 ble (filter in this case), followed by three base hooks INPUT, FORWARD
91 and OUTPUT. The iptables-nftables tools all create tables and base
92 chains automatically when needed, so this is expected when a table was
93 not yet initialized or when it is re-created from scratch by iptables-
94 nftables-restore. Line five shows a new user-defined chain (TCP) being
95 added, followed by addition a few rules. the last line shows that a new
96 ruleset generation has become active, i.e., the rule set changes are
97 now active. This also lists the process id and the programs name.
98
100 xtables-monitor only works with rules added using iptables-nftables,
101 rules added using iptables-legacy cannot be monitored.
102
104 Should be reported or by sending email to netfilter-devel@vger.ker‐
105 nel.org or by filing a report on https://bugzilla.netfilter.org/.
106
108 iptables(8), xtables(8), nft(8)
109
110
111
112iptables 1.8.0 XTABLES-MONITOR(8)