From: Florian Westphal <fw@strlen.de>
To: Rafael David Tinoco <rafaeldtinoco@ubuntu.com>
Cc: Florian Westphal <fw@strlen.de>,
netfilter@vger.kernel.org,
Ken-ichirou MATSUZAWA <chamaken@gmail.com>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: NFULNL_CFG_F_CONNTRACK and IPv6
Date: Tue, 12 Jan 2021 18:41:58 +0100
Message-ID: <20210112174158.GF19605@breakpoint.cc>
In-Reply-To: <f91bd38d-efc6-450b-9cbc-7968a731158f@www.fastmail.com>
Rafael David Tinoco <rafaeldtinoco@ubuntu.com> wrote:
> > > This can also be observed with:
> > >
> > > libnetfilter-log/utils/nf-log.c code (if BUILD_NFCT)
> >
> > Works for me:
> > 00389d4fd5f00000000a9e2060000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637</payload></log>
> > (ret=450)
> > ip_conntrack_info: REPLY / ESTABLISHED
> > icmpv6 58 30 src=::1 dst=::1 type=128 code=0 id=6 src=::1 dst=::1
> > type=129 code=0 id=6
> >
> > Do you have an ip6tables rule that matches on conntrack state?
> > Otherwise conntrack will be disabled.
> >
>
> Ha, that's weird.
>
> log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
> <log><when><hour>14</hour><min>27</min><sec>16</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev><payload>600041d600200640fe8000000000000014535dfffe1aca68fe8000000000000002163efffe7faedd9b1000161118d258a85cd4bb801001fb267100000101080a011250252a763edf</payload></log> (ret=393)
>
> here... kernel 5.8.0-26-generic and latest libnetfilter-log, using:
>
> ip6tables-legacy -t raw -I OUTPUT 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> ip6tables-legacy -t raw -I PREROUTING 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> ip6tables-legacy -t raw -A OUTPUT -j TRACE
> ip6tables-legacy -t raw -A PREROUTING -j TRACE
You need a -j NFLOG rule. -j TRACE might not even use netlink events
but raw printk() when used with classic iptables (rather than
iptables-nft, where this maps to 'meta nftrace set 1').
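Added example, not code from the thread or from libnetfilter_log: a small Python decoder for the XML record nf-log printed in the quoted message, pulling the IPv6 and TCP headers out of its <payload>. It makes visible what that TRACE hit on the raw OUTPUT hook actually carries (packet bytes only, no conntrack state); helper and field names are this example's own assumptions.

```python
import struct
import ipaddress
import xml.etree.ElementTree as ET

# The XML record nf-log printed in the quoted message (TRACE hit, IPv6 raw OUTPUT hook).
TRACE_RECORD = (
    "<log><when><hour>14</hour><min>27</min><sec>16</sec><wday>3</wday>"
    "<day>12</day><month>1</month><year>2021</year></when>"
    "<prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook>"
    "<hw><proto>86dd</proto></hw><outdev>12</outdev>"
    "<payload>600041d600200640fe8000000000000014535dfffe1aca68"
    "fe8000000000000002163efffe7faedd9b1000161118d258a85cd4bb8010"
    "01fb267100000101080a011250252a763edf</payload></log>"
)

NF_INET_HOOKS = {0: "PREROUTING", 1: "INPUT", 2: "FORWARD", 3: "OUTPUT", 4: "POSTROUTING"}
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

def parse_nflog_xml(record):
    """Split one nf-log XML record into its netlink-level fields (names are ours)."""
    root = ET.fromstring(record)
    return {
        "prefix": root.findtext("prefix"),
        "hook": NF_INET_HOOKS[int(root.findtext("hook"))],
        "ethertype": int(root.findtext("hw/proto"), 16),   # 0x86dd = IPv6
        "payload": bytes.fromhex(root.findtext("payload")),
    }

def decode_ipv6(payload):
    """Decode the fixed IPv6 header and, for next header 6 (TCP), the TCP header."""
    if len(payload) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, plen, nh, hlim, src, dst = struct.unpack("!IHBB16s16s", payload[:40])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    pkt = {"payload_len": plen, "next_header": nh, "hop_limit": hlim,
           "src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst))}
    if nh == 6 and len(payload) >= 60:   # 20-byte minimum TCP header present
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", payload[40:56])
        pkt.update(sport=sport, dport=dport, seq=seq, ack=ack, window=win,
                   flags=[f for i, f in enumerate(TCP_FLAGS) if off_flags >> i & 1])
    return pkt

def decode_record(record):
    """Parse a record and decode its packet; the XML itself carries no conntrack state."""
    rec = parse_nflog_xml(record)
    if rec["ethertype"] != 0x86DD:
        raise ValueError("expected an IPv6 frame")
    rec["packet"] = decode_ipv6(rec["payload"])
    return rec
```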