Linux Netfilter discussions
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Vieri Di Paola <vieridipaola@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: iptables TRACE not logged
Date: Fri, 11 Sep 2015 14:28:03 +0200
Message-ID: <20150911122803.GA5460@salvia>
In-Reply-To: <CABLYT9hQERBkQWskobkKb8tJ64is48e8_4joAYivjo4a+_e+GA@mail.gmail.com>

On Fri, Sep 11, 2015 at 10:25:15AM +0200, Vieri Di Paola wrote:
> Hi,
> 
> I'm trying to see the TRACE log by issuing the following commands:
> 
> /sbin/iptables -t raw -A PREROUTING --destination 10.215.237.237 -j TRACE
> /sbin/iptables -t raw -A OUTPUT --destination 10.215.237.237 -j TRACE
> 
> After pinging 10.215.237.237, I'd like to know where to look for the
> TRACE messages.
> I've looked in /var/log/messages (and other system logs) and
> /proc/kmsg but no sign of them.
> 
> What can I try?
> 
> Kernel has support for TRACE (CONFIG_NETFILTER_XT_TARGET_TRACE=m).
> 
> # lsmod | grep -i trace
> xt_TRACE                 551  0
> x_tables                8695  52
> xt_physdev,xt_pkttype,xt_statistic,xt_DSCP,xt_dscp,xt_iprange,xt_mark,xt_time,xt_CT,xt_helper,xt_length,xt_comment,xt_policy,xt_CHECKSUM,xt_recent,ip_tables,xt_socket,xt_tcpmss,xt_tcpudp,ipt_MASQUERADE,xt_LOGMARK,xt_condition,xt_NFQUEUE,xt_NFLOG,xt_TRACE,xt_iface,xt_ipp2p,xt_limit,xt_owner,xt_realm,xt_ACCOUNT,ipt_rpfilter,xt_connlimit,xt_conntrack,xt_IPMARK,xt_LOG,xt_mac,xt_nat,xt_set,xt_hashlimit,xt_multiport,iptable_filter,xt_CLASSIFY,xt_TARPIT,xt_TCPMSS,xt_TPROXY,xt_connmark,ipt_REJECT,xt_REDIRECT,iptable_mangle,xt_addrtype,iptable_raw
> 
> I'm using syslog-ng, but I've also tried metalog: still no TRACE messages.
> 
> So I guess the logger isn't to blame and there's something wrong with
> my kernel or netfilter installation.
> 
> # uname -a
> Linux fw3 4.1.4-hardened #1 SMP Thu Aug 13 15:49:17 CEST 2015 i686
> Intel(R) Xeon(TM) CPU 2.66GHz GenuineIntel GNU/Linux
> 
> # iptables --version
> iptables v1.4.21
> 
> Do you need more info?
> 
> What can I try?

What does

cat /proc/net/netfilter/nf_log

say?

If it looks like this, then you have no logger registered into the
nf_log framework:

 0 NONE ()
 1 NONE ()
 2 NONE ()
 3 NONE ()
 4 NONE ()
 5 NONE ()
 6 NONE ()
 7 NONE ()
 8 NONE ()
 9 NONE ()
10 NONE ()
11 NONE ()
12 NONE ()
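
As an added example (not part of the thread above), the script below reads a table in the format of /proc/net/netfilter/nf_log, reports which logger is bound to a protocol family, and separates "no logger module loaded at all" from "a module is loaded but nothing is bound". The two sample tables are constructed. The family numbers are the kernel's NFPROTO_* values (2 = IPv4, which is the family a TRACE'd IPv4 packet is logged under); nf_log_ipv4 and nfnetlink_log are the kernel's module names for IPv4 logger backends, and /proc/sys/net/netfilter/nf_log/<pf> is the kernel's knob for binding one; none of those names come from the reply itself.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect an nf_log table and say
# whether a logger backend is bound to a given protocol family.
# Table lines look like "<pf> <bound-logger> (<registered-module>,...)".
# Family numbers are NFPROTO_* values: 2 = IPv4, 10 = IPv6, 7 = bridge, 3 = ARP.

# nf_log_logger TABLE FAMILY
#   Print the logger bound to FAMILY ("NONE" when nothing is bound, empty
#   when FAMILY does not appear in TABLE).
nf_log_logger() {
    printf '%s\n' "$1" | awk -v pf="$2" '$1 == pf { print $2; exit }'
}

# nf_log_registered TABLE FAMILY
#   Print the comma-separated list of logger modules registered for FAMILY
#   (the part in parentheses); empty when no such module is loaded.
nf_log_registered() {
    printf '%s\n' "$1" | awk -v pf="$2" '$1 == pf {
        sub(/^[^(]*\(/, ""); sub(/\).*$/, ""); print; exit }'
}

# nf_log_check TABLE FAMILY
#   0: a logger is bound, TRACE output will reach it.
#   1: a module is registered but not bound; bind it by writing its name to
#      /proc/sys/net/netfilter/nf_log/FAMILY.
#   2: no logger module for FAMILY is loaded; modprobe one first.
nf_log_check() {
    logger=$(nf_log_logger "$1" "$2")
    regs=$(nf_log_registered "$1" "$2")
    if [ -n "$logger" ] && [ "$logger" != "NONE" ]; then
        return 0
    elif [ -n "$regs" ]; then
        return 1
    else
        return 2
    fi
}

# Constructed sample: the all-NONE table shown in the reply (no logger loaded).
SAMPLE_EMPTY=' 0 NONE ()
 1 NONE ()
 2 NONE ()
 3 NONE ()
 7 NONE ()
10 NONE ()'

# Constructed sample: IPv4 backends are loaded but unbound; IPv6 is bound.
SAMPLE_PARTIAL=' 0 NONE ()
 2 NONE (nf_log_ipv4,nfnetlink_log)
10 nf_log_ipv6 (nf_log_ipv6)'

# Run with --live on a real box to check the IPv4 family of the running kernel.
if [ "${1:-}" = "--live" ]; then
    table=$(cat /proc/net/netfilter/nf_log)
    nf_log_check "$table" 2 && rc=0 || rc=$?
    case $rc in
        0) echo "IPv4 logger bound: $(nf_log_logger "$table" 2)" ;;
        1) echo "loaded but unbound: $(nf_log_registered "$table" 2)"
           echo "bind one with: echo nf_log_ipv4 > /proc/sys/net/netfilter/nf_log/2" ;;
        2) echo "no IPv4 logger module loaded; try: modprobe nf_log_ipv4" ;;
    esac
fi
```

Without a bound logger the TRACE target is a no-op from the logger's point of view: the packet is marked for tracing, but nothing turns the trace into a message, which is why neither syslog-ng nor /proc/kmsg shows anything.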


Thread overview: 7+ messages
2015-09-11  8:25 iptables TRACE not logged Vieri Di Paola
2015-09-11 12:28 ` Pablo Neira Ayuso [this message]
2015-09-11 13:31   ` Vieri Di Paola
2015-09-11 15:37     ` Pablo Neira Ayuso
2015-09-12 22:13       ` Vieri Di Paola
2015-09-13 11:50         ` Pablo Neira Ayuso
2015-09-14  9:31           ` Vieri Di Paola
