Bug 1658734

Summary: xtables-monitor has missing documentation references
Product: Red Hat Enterprise Linux 8
Reporter: Tomas Dolezal <todoleza>
Component: iptables
Assignee: Phil Sutter <psutter>
Status: CLOSED ERRATA
QA Contact: Jiri Peska <jpeska>
Severity: medium
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: medium
Version: 8.0
CC: igkioka, iptables-maint-list, jpeska, lmanasko, psutter, todoleza
Target Milestone: rc
Keywords: Documentation, ManPageChange
Target Release: 8.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: iptables-1.8.2-10.el8
Doc Type: Bug Fix
Doc Text:
.The `TRACE` target in the `iptables-extensions(8)` man page has been updated
Previously, the description of the `TRACE` target in the `iptables-extensions(8)` man page referred only to the `compat` variant, but Red Hat Enterprise Linux 8 uses the `nf_tables` variant. As a consequence, the man page did not reference the `xtables-monitor` command-line utility to display `TRACE` events. The man page has been updated and, as a result, now mentions `xtables-monitor`.
Last Closed: 2019-11-05 22:17:43 UTC
Type: Bug
Bug Depends On: 1682316

Description Tomas Dolezal 2018-12-12 18:35:08 UTC
Description of problem:
The description of the TRACE target in iptables-extensions(8) refers only to the unused 'compat' variant. The 'nf_tables' variant uses the nft backend, which produces TRACE messages that need to be caught in a different way. In this case, the 'xtables-monitor' CLI tool is at hand to catch messages otherwise available through the 'nft monitor' feature.

Version-Release number of selected component (if applicable):
iptables-1.8.1-2.el8.x86_64

How reproducible:
always

Steps to Reproduce:
Search through the iptables-extensions(8) man page.

Actual results:
   TRACE
       This target marks packets so that the kernel will log every rule which match the packets as  those  traverse
       the tables, chains, rules.

       A  logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this to be visible.  The packets
       are logged with the string prefix: "TRACE: tablename:chainname:type:rulenum " where type can be  "rule"  for
       plain rule, "return" for implicit rule at the end of a user defined chain and "policy" for the policy of the
       built in chains.
       It can only be used in the raw table.

Expected results:
Add a reference to 'xtables-monitor' for the case that the 'nf_tables' variant of iptables was used to add the rule.
A release note may also be added.

Additional info:

Comment 1 Tomas Dolezal 2018-12-12 18:37:08 UTC
*** Bug 1612985 has been marked as a duplicate of this bug. ***

Comment 2 Phil Sutter 2018-12-18 11:19:20 UTC
Documentation enhancement sent upstream: https://marc.info/?l=netfilter-devel&m=154513180417213&w=2

Comment 4 Phil Sutter 2019-01-29 14:54:32 UTC
Since this is merely a documentation issue, I'm moving this to 8.1.

Comment 5 Phil Sutter 2019-02-27 09:43:45 UTC
Upstream commit to backport:

commit 9ac39888722ee9c7e97d9b8cb9eb4f33b582130a
Author: Phil Sutter <phil>
Date:   Tue Dec 18 12:16:30 2018 +0100

    extensions: TRACE: Point at xtables-monitor in documentation
    
    With iptables-nft, logging of trace events is different from legacy.
    Explain why and hint at how to receive events in this case.
    
    Signed-off-by: Phil Sutter <phil>
    Signed-off-by: Florian Westphal <fw>

Comment 17 errata-xmlrpc 2019-11-05 22:17:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3573