Ruleset debug/tracing
Since nftables v0.6 and linux kernel 4.6, ruleset debug/tracing is supported.
This is the equivalent of the old iptables method (the -j TRACE target), but with some great improvements.
The steps to enable debug/tracing are the following:
- give support in your ruleset for it (set nftrace in any of your rules)
- monitor the trace events from the nft tool
enabling nftrace
To enable nftrace in a packet, use a rule with this statement:
meta nftrace set 1
After all, nftrace is part of the metainformation of a packet.
Of course, you can enable nftrace only for packets matching a given expression. In the example below, we only enable nftrace for tcp packets using the loopback interface:
iif lo ip protocol tcp meta nftrace set 1
Restricting nftrace to the subset of packets you are interested in is key to debugging the ruleset properly; otherwise you may get a lot of debug/tracing information, which can be overwhelming.
The following example shows how to enable tracing for your existing ruleset:
% nft add chain filter trace_chain { type filter hook prerouting priority -600\; }
% nft add rule filter trace_chain meta nftrace set 1
This registers a chain named trace_chain at priority -600 which contains a rule to enable tracing. If you already have other prerouting chains, select a chain priority that comes before your existing prerouting chains, so that the packet is marked before any of them sees it.
Once you are done with rule tracing, you can just delete this chain to disable it:
% nft delete chain filter trace_chain
monitoring tracing events
In nftables, getting the debug/tracing events is a bit different from the iptables world. Now there is an event-based monitor: the kernel notifies the nft tool of each trace event.
The basic syntax is:
% nft monitor trace
Each trace event is assigned an 'id' for you to easily follow different packets in the same trace session.
complete example
Here are a couple of complete examples of this debug/tracing mechanism at work.
Simple tracing test:
% nft add rule inet filter input iif lo counter nftrace set 1 accept
% nft monitor trace
trace id 530fa6dd inet filter input packet: iif lo
trace id 530fa6dd inet filter input rule iif lo accept (verdict accept)
trace id 87a375ea inet filter input packet: iif lo
trace id 87a375ea inet filter input rule iif lo accept (verdict accept)
Tracing two different kinds of packets in the same monitor session:
% nft add rule filter input tcp dport 10000 nftrace set 1
% nft add rule filter input icmp type echo-request nftrace set 1
% nft -nn monitor trace
trace id e1f5055f ip filter input packet: iif eth0 ether saddr 63:f6:4b:00:54:52 ether daddr c9:4b:a9:00:54:52 ip saddr 192.168.122.1 ip daddr 192.168.122.83 ip tos 0 ip ttl 64 ip id 32315 ip length 84 icmp type echo-request icmp code 0 icmp id 10087 icmp sequence 1
trace id e1f5055f ip filter input rule icmp type echo-request nftrace set 1 (verdict continue)
trace id e1f5055f ip filter input verdict continue
trace id e1f5055f ip filter input
trace id 74e47ad2 ip filter input packet: iif vlan0 ether saddr 63:f6:4b:00:54:52 ether daddr c9:4b:a9:00:54:52 vlan pcp 0 vlan cfi 1 vlan id 1000 ip saddr 10.0.0.1 ip daddr 10.0.0.2 ip tos 0 ip ttl 64 ip id 49030 ip length 84 icmp type echo-request icmp code 0 icmp id 10095 icmp sequence 1
trace id 74e47ad2 ip filter input rule icmp type echo-request nftrace set 1 (verdict continue)
trace id 74e47ad2 ip filter input verdict continue
trace id 74e47ad2 ip filter input
trace id 3030de23 ip filter input packet: iif vlan0 ether saddr 63:f6:4b:00:54:52 ether daddr c9:4b:a9:00:54:52 vlan pcp 0 vlan cfi 1 vlan id 1000 ip saddr 10.0.0.1 ip daddr 10.0.0.2 ip tos 16 ip ttl 64 ip id 59062 ip length 60 tcp sport 55438 tcp dport 10000 tcp flags == syn tcp window 29200
trace id 3030de23 ip filter input rule tcp dport 10000 nftrace set 1 (verdict continue)
trace id 3030de23 ip filter input verdict continue
trace id 3030de23 ip filter input
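The following script is an added example, not code from the nftables wiki or the nftables project. It wraps the two steps above (a narrowly scoped trace_chain in a table assumed to be called filter, and nft monitor trace) and adds a small awk parser that reduces a trace session to one line per trace id, showing the packet and the last verdict reached, which is the summary a practitioner usually wants when many packets are traced at once. The function names enable_tracing, disable_tracing and summarize_trace are hypothetical, and the sample trace text is constructed from the output format shown in the examples above rather than captured from a live system; the live functions need root and the nft tool.

```shell
#!/bin/sh
# Added example (not part of the nftables wiki). Hypothetical helpers around
# "meta nftrace set 1" and "nft monitor trace"; the parser runs offline on a
# constructed sample, the enable/disable helpers need root and nft.

# Register a dedicated prerouting chain at priority -600 (as in the text) that
# marks only the packets you care about, so the trace stays readable.
# Usage: enable_tracing <table> <match expression...>
#   e.g. enable_tracing filter tcp dport 10000
enable_tracing() {
    table=$1; shift
    nft add chain ip "$table" trace_chain '{ type filter hook prerouting priority -600; }'
    nft add rule ip "$table" trace_chain "$@" meta nftrace set 1
}

# Remove the trace chain again once debugging is done.
disable_tracing() {
    nft delete chain ip "$1" trace_chain
}

# Read trace events on stdin and print one line per trace id:
#   <id> verdict=<last verdict seen> <packet description>
# Event lines have the shape: trace id <id> <family> <table> <chain> <kind> ...
summarize_trace() {
    awk '
        $1 == "trace" && $2 == "id" {
            id = $3
            if ($7 == "packet:") {
                # keep the packet description as the monitor printed it
                pkt[id] = substr($0, index($0, "packet:") + 8)
                if (!(id in seen)) { seen[id] = 1; ids[++n] = id }
            } else if ($7 == "verdict" || $7 == "policy") {
                # chain-level verdict or base chain policy, e.g. "verdict continue"
                verdict[id] = $8
            } else if ($7 == "rule" && match($0, /\(verdict [a-z]+\)/)) {
                # per-rule verdict in parentheses, e.g. "(verdict accept)"
                verdict[id] = substr($0, RSTART + 9, RLENGTH - 10)
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                id = ids[i]
                printf "%s verdict=%s %s\n", id, (id in verdict ? verdict[id] : "none"), pkt[id]
            }
        }'
}

# Constructed sample session (hand-written for this example, shortened from the
# format shown above; not captured from a real system).
SAMPLE_TRACE='trace id 530fa6dd inet filter input packet: iif lo
trace id 530fa6dd inet filter input rule iif lo accept (verdict accept)
trace id 3030de23 ip filter input packet: iif vlan0 ip saddr 10.0.0.1 ip daddr 10.0.0.2 tcp dport 10000
trace id 3030de23 ip filter input rule tcp dport 10000 nftrace set 1 (verdict continue)
trace id 3030de23 ip filter input verdict continue
trace id 3030de23 ip filter input'

# Run the parser over the constructed sample so the script works without nft.
summarize_sample() {
    printf '%s\n' "$SAMPLE_TRACE" | summarize_trace
}

summarize_sample
# Live usage (as root):
#   enable_tracing filter tcp dport 10000
#   nft monitor trace | summarize_trace
#   disable_tracing filter
```

The parser keys everything on the trace id, which is exactly what the id in each event is for: a single packet produces several lines (packet, one per rule it hits, chain verdict), and the id ties them together even when two traced flows interleave in the same monitor session, as in the icmp/tcp example above.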