{"id":3482,"date":"2022-12-20T17:08:47","date_gmt":"2022-12-20T20:08:47","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/xtablesmonitor-man8\/"},"modified":"2022-12-20T17:08:47","modified_gmt":"2022-12-20T20:08:47","slug":"xtablesmonitor-man8","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/xtablesmonitor-man8\/","title":{"rendered":"XTABLES−MONITOR (man8)"},"content":{"rendered":"

XTABLES\u2212MONITOR<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
OPTIONS<\/a>
EXAMPLE OUTPUT<\/a>
LIMITATIONS<\/a>
BUGS<\/a>
SEE ALSO<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

xtables-monitor \u2014 show changes to rule set and trace-events<\/p>\n

SYNOPSIS <\/a> <\/h2>\n

xtables\u2212monitor<\/b> [\u2212t<\/b>] [\u2212e<\/b>] [\u22124<\/b>||\u22126]<\/b><\/p>\n

DESCRIPTION <\/a> <\/h2>\n

xtables-monitor<\/b> is used to monitor changes to the ruleset or to show rule evaluation events for packets tagged using the TRACE target. xtables-monitor<\/b> will run until the user aborts execution, typically by using CTRL-C.<\/p>\n

OPTIONS <\/a> <\/h2>\n

\u2212e<\/b>, \u2212\u2212event<\/b>
Watch for updates to the rule set.<\/p>\n

Updates include creation of new tables, chains and rules and the name of the program that caused the rule update.<\/p>\n

\u2212t<\/b>, \u2212\u2212trace<\/b><\/p>\n

Watch for trace events generated by packets that have been tagged using the TRACE target.<\/p>\n\n\n\n
<\/td>\n\n

\u22124<\/b><\/p>\n<\/td>\n

<\/td>\n\n

Restrict output to IPv4.<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n\n

\u22126<\/b><\/p>\n<\/td>\n

<\/td>\n\n

Restrict output to IPv6.<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

EXAMPLE OUTPUT <\/a> <\/h2>\n

xtables-monitor \u2212\u2212trace<\/b><\/p>\n

1 TRACE: 2 fc475095 raw:PREROUTING:rule:0x3:CONTINUE \u22124 \u2212t raw \u2212A PREROUTING \u2212p icmp \u2212j TRACE
2 PACKET: 0 fc475095 IN=lo LL=0x304 0000000000000000000000000800 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x0 TTL=64 ID=38349DF
3 TRACE: 2 fc475095 raw:PREROUTING:return:
4 TRACE: 2 fc475095 raw:PREROUTING:policy:ACCEPT
5 TRACE: 2 fc475095 filter:INPUT:return:
6 TRACE: 2 fc475095 filter:INPUT:policy:DROP
7 TRACE: 2 0df9d3d8 raw:PREROUTING:rule:0x3:CONTINUE \u22124 \u2212t raw \u2212A PREROUTING \u2212p icmp \u2212j TRACE<\/p>\n

The first line shows a packet entering rule set evaluation. The protocol number is shown (AF_INET in this case), then a packet identifier number that allows to correlate messages coming from rule set evaluation of this packet. After this, the rule that was matched by the packet is shown. This is the TRACE rule that turns on tracing events for this packet.<\/p>\n

The second line dumps information about the packet. Incoming interface and packet headers such as source and destination addresses are shown.<\/p>\n

The third line shows that the packet completed traversal of the raw table PREROUTING chain, and is returning, followed by use the chain policy to make accept\/drop decision (the example shows accept being applied). The fifth line shows that the packet leaves the filter INPUT chain, i.e., no rules in the filter tables INPUT chain matched the packet. It then got DROPPED by the policy of the INPUT table, as shown by line six. The last line shows another packet arriving \u2212\u2212 the packet id is different.<\/p>\n

When using the TRACE target, it is usually a good idea to only select packets that are relevant, for example via
iptables \u2212t raw \u2212A PREROUTING \u2212p tcp \u2212\u2212dport 80 \u2212\u2212syn \u2212m limit \u2212\u2212limit 1\/s \u2212j TRACE
xtables-monitor \u2212\u2212event<\/b><\/p>\n

1 EVENT: nft: NEW table: table filter ip flags 0 use 4 handle 444
2 EVENT: # nft: ip filter INPUT use 2 type filter hook input prio 0 policy drop packets 0 bytes 0
3 EVENT: # nft: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0
4 EVENT: # nft: ip filter OUTPUT use 0 type filter hook output prio 0 policy accept packets 0 bytes 0
5 EVENT: \u22124 \u2212t filter \u2212N TCP
6 EVENT: \u22124 \u2212t filter \u2212A TCP \u2212s 192.168.0.0\/16 \u2212p tcp \u2212m tcp \u2212\u2212dport 22 \u2212j ACCEPT
7 EVENT: \u22124 \u2212t filter \u2212A TCP \u2212p tcp \u2212m multiport \u2212\u2212dports 80,443 \u2212j ACCEPT
8 EVENT: \u22124 \u2212t filter \u2212A INPUT \u2212p tcp \u2212j TCP
9 EVENT: \u22124 \u2212t filter \u2212A INPUT \u2212m conntrack \u2212\u2212ctstate RELATED,ESTABLISHED \u2212j ACCEPT
10 NEWGEN: GENID=13904 PID=25167 NAME=iptables-nftables-restore<\/p>\n

This example shows event monitoring. Line one shows creation of a table (filter in this case), followed by three base hooks INPUT, FORWARD and OUTPUT. The iptables-nftables tools all create tables and base chains automatically when needed, so this is expected when a table was not yet initialized or when it is re-created from scratch by iptables-nftables-restore. Line five shows a new user-defined chain (TCP) being added, followed by addition a few rules. the last line shows that a new ruleset generation has become active, i.e., the rule set changes are now active. This also lists the process id and the programs name.<\/p>\n

LIMITATIONS <\/a> <\/h2>\n

xtables-monitor<\/b> only works with rules added using iptables-nftables, rules added using iptables-legacy cannot be monitored.<\/p>\n

BUGS <\/a> <\/h2>\n

Should be reported or by sending email to netfilter-devel@vger.kernel.org or by filing a report on https:\/\/bugzilla.netfilter.org\/.<\/p>\n

SEE ALSO <\/a> <\/h2>\n

iptables<\/b>(8), xtables<\/b>(8), nft<\/b>(8)<\/p>\n

\n","protected":false},"excerpt":{"rendered":"

xtables-monitor \u2014 show changes to rule set and trace-events <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[5,52,4,604],"class_list":["post-3482","post","type-post","status-publish","format-standard","hentry","category-8-administracion-del-sistema","tag-5","tag-administracion","tag-man8","tag-xtables-monitor"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=3482"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3482\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=3482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=3482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=3482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}