From: "Jason Vas Dias" <jason.vas.dias@ptt.ie>
To: netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org
Cc: Jason Vas Dias <jason.vas.dias@gmail.com>,
Jason Vas Dias <jason.vas.dias@ptt.ie>
Subject: Linux netfilter / iptables : How to enable iptables TRACE chain handling with nf_log_syslog on RHEL8+?
Date: Sun, 25 Jun 2023 14:25:02 +0100
Message-ID: <hhttuv65e9.fsf@jvdspc.jvds.net>
Good day -
On a Linux RHEL8 system, I have enabled these iptables rules,
which I am led to believe should enable ICMP packet syslog
logging on interface ingress & egress:
# iptables -L -t raw
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
TRACE icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TRACE icmp -- anywhere anywhere
As described at https://access.redhat.com/solutions/2313671, I have done:
# modprobe nf_log_ipv4
# sysctl -w net.netfilter.nf_log.2=nf_log_ipv4
I also did:
# modprobe nf_log_syslog
which I am led to believe replaces all previous nf_log* or ipt_LOG
modules in modern (RHEL8 4.18.x+) kernels.
But, when I 'ping' a NAT'd (with iptables) IP address,
no TRACE log messages appear in 'dmesg -c' output or in
syslog (systemd-journald in use).
What am I missing?
The most comprehensive discussion I have found on this issue so far on the web is at:
https://backreference.org/2010/06/11/iptables-debugging/ (thanks waldner!)
But this is getting rather old (2010-06-11), and evidently does not
apply to kernel 4.18+ (RHEL).
I have duplicated precisely the steps above on a Fedora-36
(kernel v6.2.16) system, and it DOES work, TRACE log messages ARE generated:
# iptables -t raw -A PREROUTING -p icmp -j TRACE
# iptables -t raw -A OUTPUT -p icmp -j TRACE
# modprobe nf_log_ipv4
# echo nf_log_ipv4 > /proc/sys/net/netfilter/nf_log/2
But, these steps, when repeated on a RHEL8 kernel 4.18.0-477.13.1
host, do not work or produce any packet TRACE output in logs -
this is what I am tearing what remains of my hair out trying to resolve.
Thanks in advance for any informative replies.
Best Regards,
Jason Vas Dias (SW+SYS+NET)-Engineer, West Cork, Eire.
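The four-step setup above (raw-table TRACE rules plus the nf_log binding for IPv4, family 2) can be checked mechanically; the script below is an added example, not part of the original message or of iptables. It parses iptables-save output and the nf_log proc file as text, so it can also be run against dumps copied from a host. The live section assumes root and the `iptables-save` binary, and the environment variable TRACE_CHECK_LIVE is the script's own convention.

```shell
#!/bin/sh
# Checks the two prerequisites for TRACE output on IPv4: the raw-table
# TRACE rules and a logger bound in /proc/sys/net/netfilter/nf_log/2.
# Functions take text or a file path, so they also work on saved dumps.

# trace_rules_missing <iptables-save -t raw output>
# Prints each expected rule that is absent; returns 0 if none is missing.
trace_rules_missing() {
    save=$1
    missing=0
    for chain in PREROUTING OUTPUT; do
        rule="-A $chain -p icmp -j TRACE"
        # -x: whole-line match, -F: literal, --: rule text starts with '-'
        if ! printf '%s\n' "$save" | grep -qxF -- "$rule"; then
            printf 'missing: iptables -t raw %s\n' "$rule"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# nf_log_backend <path to nf_log/<family> file>
# Prints the bound logger name (e.g. nf_log_ipv4); the kernel writes NONE
# when no logger is bound for that address family.
nf_log_backend() {
    tr -d '\n' < "$1"
}

# nf_log_backend_ok <path>  -> 0 if a logger other than NONE is bound
nf_log_backend_ok() {
    b=$(nf_log_backend "$1")
    case $b in
        ''|NONE) printf 'no logger bound in %s (got "%s")\n' "$1" "$b"; return 1 ;;
        *)       printf 'logger bound: %s\n' "$b"; return 0 ;;
    esac
}

# Live run against this host (needs root): TRACE_CHECK_LIVE=1 sh trace_check.sh
if [ "${TRACE_CHECK_LIVE:-0}" = 1 ]; then
    trace_rules_missing "$(iptables-save -t raw)"
    nf_log_backend_ok /proc/sys/net/netfilter/nf_log/2   # family 2 = AF_INET
fi
```

If both checks pass and still nothing is logged, the problem lies beyond these two settings (for instance in how the logger module delivers messages), which is the state the message above describes.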