Description of problem:
The description of the TRACE target in iptables-extensions(8) refers just to the unused 'compat' variant. The 'nf_tables' variant uses the nft backend, which produces TRACE messages that need to be caught in a different way. In this case, the 'xtables-monitor' CLI tool is at hand to catch messages otherwise available through the 'nft monitor' feature.

Version-Release number of selected component (if applicable):
iptables-1.8.1-2.el8.x86_64

How reproducible:
always

Steps to Reproduce:
seek through iptables-extensions(8) manpage

Actual results:
   TRACE
       This target marks packets so that the kernel will log every rule which match the packets as those traverse the tables, chains, rules.

       A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this to be visible. The packets are logged with the string prefix: "TRACE: tablename:chainname:type:rulenum " where type can be "rule" for plain rule, "return" for implicit rule at the end of a user defined chain and "policy" for the policy of the built in chains.
       It can only be used in the raw table.

Expected results:
Added reference to 'xtables-monitor' for the case that the 'nf_tables' variant of iptables was used to add the rule. A release note may also be added.

Additional info:
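The log prefix quoted from the man page above applies to the legacy logging path only; as an added example (not part of the bug report or of iptables), this Python sketch parses that prefix out of kernel log lines and reconstructs the table/chain path each traced packet took. The sample lines are constructed, and grouping packets by SRC/DST/PROTO/ID is an assumption made for illustration.

```python
import re

# Prefix format from iptables-extensions(8): "TRACE: tablename:chainname:type:rulenum "
TRACE_RE = re.compile(
    r"TRACE: (?P<table>[^:\s]+):(?P<chain>[^:\s]+):"
    r"(?P<type>rule|return|policy):(?P<rulenum>\d+) (?P<rest>.*)$")
# Packet fields that follow the prefix in the log line (subset used for grouping).
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|ID)=(\S+)")

# Constructed sample input, not captured from a real host.
_PKT = "IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 TTL=64 ID=4321 PROTO=TCP SPT=40000 DPT=22"
SAMPLE_LOG = [
    "kernel: TRACE: raw:PREROUTING:policy:2 " + _PKT,
    "kernel: TRACE: filter:INPUT:rule:1 " + _PKT,
    "kernel: TRACE: filter:SSH_IN:return:3 " + _PKT,
    "kernel: TRACE: filter:INPUT:policy:4 " + _PKT,
    "kernel: device eth0 entered promiscuous mode",  # unrelated line, must be skipped
]

def parse_trace_line(line):
    """Return a dict for one TRACE log line, or None if the line is not a TRACE event."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event["rulenum"] = int(event["rulenum"])
    event["fields"] = dict(FIELD_RE.findall(event.pop("rest")))
    return event

def group_by_packet(lines):
    """Map each packet key (SRC, DST, PROTO, ID) to the ordered list of hops it logged."""
    paths = {}
    for line in lines:
        event = parse_trace_line(line)
        if event is None:
            continue
        f = event["fields"]
        key = (f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("ID"))
        hop = "{table}:{chain}:{type}:{rulenum}".format(**event)
        paths.setdefault(key, []).append(hop)
    return paths

if __name__ == "__main__":
    for key, hops in group_by_packet(SAMPLE_LOG).items():
        print(key, " -> ".join(hops))
```

With the 'nf_tables' variant these lines never reach the kernel log, which is why the report asks for the man page to point at 'xtables-monitor' instead.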
*** Bug 1612985 has been marked as a duplicate of this bug. ***
Documentation enhancement sent upstream: https://marc.info/?l=netfilter-devel&m=154513180417213&w=2
Since this is merely a documentation issue, I'm moving this to 8.1.
Upstream commit to backport:

commit 9ac39888722ee9c7e97d9b8cb9eb4f33b582130a
Author: Phil Sutter <phil@nwl.cc>
Date:   Tue Dec 18 12:16:30 2018 +0100

    extensions: TRACE: Point at xtables-monitor in documentation

    With iptables-nft, logging of trace events is different from legacy.
    Explain why and hint at how to receive events in this case.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Florian Westphal <fw@strlen.de>
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:3573