* iptables TRACE not logged
From: Vieri Di Paola @ 2015-09-11 8:25 UTC (permalink / raw)
To: netfilter
Hi,
I'm trying to see the TRACE log by issuing the following commands:
/sbin/iptables -t raw -A PREROUTING --destination 10.215.237.237 -j TRACE
/sbin/iptables -t raw -A OUTPUT --destination 10.215.237.237 -j TRACE
After ping'ing 10.215.237.237, I'd like to know where to look for the
TRACE messages.
I've looked in /var/log/messages (and other system logs) and
/proc/kmsg but no sign of them.
What can I try?
Kernel has support for TRACE (CONFIG_NETFILTER_XT_TARGET_TRACE=m).
# lsmod | grep -i trace
xt_TRACE 551 0
x_tables 8695 52
xt_physdev,xt_pkttype,xt_statistic,xt_DSCP,xt_dscp,xt_iprange,xt_mark,xt_time,xt_CT,xt_helper,xt_length,xt_comment,xt_policy,xt_CHECKSUM,xt_recent,ip_tables,xt_socket,xt_tcpmss,xt_tcpudp,ipt_MASQUERADE,xt_LOGMARK,xt_condition,xt_NFQUEUE,xt_NFLOG,xt_TRACE,xt_iface,xt_ipp2p,xt_limit,xt_owner,xt_realm,xt_ACCOUNT,ipt_rpfilter,xt_connlimit,xt_conntrack,xt_IPMARK,xt_LOG,xt_mac,xt_nat,xt_set,xt_hashlimit,xt_multiport,iptable_filter,xt_CLASSIFY,xt_TARPIT,xt_TCPMSS,xt_TPROXY,xt_connmark,ipt_REJECT,xt_REDIRECT,iptable_mangle,xt_addrtype,iptable_raw
I'm using syslog-ng, but I've also tried metalog: still no TRACE messages.
So I guess the logger isn't to blame and there's something wrong with
my kernel or netfilter installation.
# uname -a
Linux fw3 4.1.4-hardened #1 SMP Thu Aug 13 15:49:17 CEST 2015 i686
Intel(R) Xeon(TM) CPU 2.66GHz GenuineIntel GNU/Linux
# iptables --version
iptables v1.4.21
Do you need more info?
What can I try?
Thanks,
Vieri
* Re: iptables TRACE not logged
From: Pablo Neira Ayuso @ 2015-09-11 12:28 UTC (permalink / raw)
To: Vieri Di Paola; +Cc: netfilter
On Fri, Sep 11, 2015 at 10:25:15AM +0200, Vieri Di Paola wrote:
> Hi,
>
> I'm trying to see the TRACE log by issuing the following commands:
>
> /sbin/iptables -t raw -A PREROUTING --destination 10.215.237.237 -j TRACE
> /sbin/iptables -t raw -A OUTPUT --destination 10.215.237.237 -j TRACE
>
> After ping'ing 10.215.237.237, I'd like to know where to look for the
> TRACE messages.
> I've looked in /var/log/messages (and other system logs) and
> /proc/kmsg but no sign of them.
>
> What can I try?
>
> Kernel has support for TRACE (CONFIG_NETFILTER_XT_TARGET_TRACE=m).
>
> # lsmod | grep -i trace
> xt_TRACE 551 0
> x_tables 8695 52
> xt_physdev,xt_pkttype,xt_statistic,xt_DSCP,xt_dscp,xt_iprange,xt_mark,xt_time,xt_CT,xt_helper,xt_length,xt_comment,xt_policy,xt_CHECKSUM,xt_recent,ip_tables,xt_socket,xt_tcpmss,xt_tcpudp,ipt_MASQUERADE,xt_LOGMARK,xt_condition,xt_NFQUEUE,xt_NFLOG,xt_TRACE,xt_iface,xt_ipp2p,xt_limit,xt_owner,xt_realm,xt_ACCOUNT,ipt_rpfilter,xt_connlimit,xt_conntrack,xt_IPMARK,xt_LOG,xt_mac,xt_nat,xt_set,xt_hashlimit,xt_multiport,iptable_filter,xt_CLASSIFY,xt_TARPIT,xt_TCPMSS,xt_TPROXY,xt_connmark,ipt_REJECT,xt_REDIRECT,iptable_mangle,xt_addrtype,iptable_raw
>
> I'm using syslog-ng, but I've also tried metalog: still no TRACE messages.
>
> So I guess the logger isn't to blame and there's something wrong with
> my kernel or netfilter installation.
>
> # uname -a
> Linux fw3 4.1.4-hardened #1 SMP Thu Aug 13 15:49:17 CEST 2015 i686
> Intel(R) Xeon(TM) CPU 2.66GHz GenuineIntel GNU/Linux
>
> # iptables --version
> iptables v1.4.21
>
> Do you need more info?
>
> What can I try?
What does
cat /proc/net/netfilter/nf_log
say?
If it looks like this, then you have no logger registered into the
nf_log framework:
0 NONE ()
1 NONE ()
2 NONE ()
3 NONE ()
4 NONE ()
5 NONE ()
6 NONE ()
7 NONE ()
8 NONE ()
9 NONE ()
10 NONE ()
11 NONE ()
12 NONE ()
* Re: iptables TRACE not logged
From: Vieri Di Paola @ 2015-09-11 13:31 UTC (permalink / raw)
To: netfilter
[sorry, I previously replied only to Pablo instead of the mailing list]
# cat /proc/net/netfilter/nf_log
0 NONE (nfnetlink_log)
1 NONE (nfnetlink_log)
2 nfnetlink_log (nf_log_ipv4,nfnetlink_log)
3 NONE (nfnetlink_log)
4 NONE (nfnetlink_log)
5 NONE (nfnetlink_log)
6 NONE (nfnetlink_log)
7 NONE (nfnetlink_log)
8 NONE (nfnetlink_log)
9 NONE (nfnetlink_log)
10 NONE (nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)
Do I need to change the backend?
e.g. sysctl net.netfilter.nf_log.2=ipt_LOG
* Re: iptables TRACE not logged
From: Pablo Neira Ayuso @ 2015-09-11 15:37 UTC (permalink / raw)
To: Vieri Di Paola; +Cc: netfilter
On Fri, Sep 11, 2015 at 03:31:05PM +0200, Vieri Di Paola wrote:
> [sorry, I previously replied only to Pablo instead of the mailing list]
>
> # cat /proc/net/netfilter/nf_log
> 0 NONE (nfnetlink_log)
> 1 NONE (nfnetlink_log)
> 2 nfnetlink_log (nf_log_ipv4,nfnetlink_log)
> 3 NONE (nfnetlink_log)
> 4 NONE (nfnetlink_log)
> 5 NONE (nfnetlink_log)
> 6 NONE (nfnetlink_log)
> 7 NONE (nfnetlink_log)
> 8 NONE (nfnetlink_log)
> 9 NONE (nfnetlink_log)
> 10 NONE (nfnetlink_log)
> 11 NONE (nfnetlink_log)
> 12 NONE (nfnetlink_log)
>
> Do I need to change the backend?
> e.g. sysctl net.netfilter.nf_log.2=ipt_LOG
You have to switch to nf_log_ipv4, yes. Otherwise the trace messages
go to nfnetlink_log, thus you'll need ulogd2, which is something that
you may not need in your setup.
* Re: iptables TRACE not logged
From: Vieri Di Paola @ 2015-09-12 22:13 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
Thanks Pablo.
This worked:
sysctl net.netfilter.nf_log.2=nf_log_ipv4
Now I'm getting TRACE messages in system log.
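Added example, not part of the thread or of the netfilter project: a small POSIX shell helper that reads a table in the format of /proc/net/netfilter/nf_log (the file Pablo asked about) and reports, per protocol family, whether TRACE/LOG output will reach the kernel log or is bound to nfnetlink_log and so needs ulogd2. The function names are my own and the two input files are constructed to mirror the states Vieri showed before and after the sysctl; on a real host point the functions at /proc/net/netfilter/nf_log instead.

```shell
#!/bin/sh
# Added example, not from the thread: read an nf_log table in the format of
# /proc/net/netfilter/nf_log ("<pf> <active-logger> (<loaded-loggers>)") and
# tell whether TRACE/LOG output for a protocol family reaches the kernel log.
# Protocol family numbers: 2 = AF_INET (IPv4), 10 = AF_INET6 (IPv6).

# Active logger for family $2 in file $1 ("NONE" when nothing is bound).
nflog_backend() {
    awk -v pf="$2" '$1 == pf { print $2; exit }' "$1"
}

# Loaded loggers that could be bound to family $2 (comma-separated).
nflog_available() {
    awk -v pf="$2" '$1 == pf { gsub(/[()]/, "", $3); print $3; exit }' "$1"
}

# 0: messages go to the kernel ring buffer (dmesg / syslog);
# 1: they go to nfnetlink_log, so a userspace reader such as ulogd2 is needed;
# 2: no logger is bound at all, so TRACE output is silently dropped.
nflog_goes_to_klog() {
    case "$(nflog_backend "$1" "$2")" in
        nf_log_ipv4|nf_log_ipv6|nf_log_arp|nf_log_bridge) return 0 ;;
        nfnetlink_log) return 1 ;;
        *) return 2 ;;
    esac
}

# One-line verdict plus the sysctl that rebinds the family (IPv4 -> nf_log_ipv4,
# IPv6 -> nf_log_ipv6), generalising Pablo's advice for pf 2.
nflog_advise() {
    file="$1"; pf="$2"; rc=0
    nflog_goes_to_klog "$file" "$pf" || rc=$?
    [ "$pf" -eq 10 ] && want=nf_log_ipv6 || want=nf_log_ipv4
    case "$rc" in
        0) echo "pf $pf: $(nflog_backend "$file" "$pf") active, TRACE reaches the kernel log" ;;
        1) echo "pf $pf: nfnetlink_log active, run ulogd2 or: sysctl net.netfilter.nf_log.$pf=$want" ;;
        *) echo "pf $pf: no logger bound, loaded: $(nflog_available "$file" "$pf"); modprobe $want" ;;
    esac
}

# Constructed samples: the state Vieri reported, and the state after the fix.
BEFORE=$(mktemp); AFTER=$(mktemp)
printf '%s\n' '0 NONE (nfnetlink_log)' '2 nfnetlink_log (nf_log_ipv4,nfnetlink_log)' \
              '10 NONE (nfnetlink_log)' > "$BEFORE"
printf '%s\n' '0 NONE (nfnetlink_log)' '2 nf_log_ipv4 (nf_log_ipv4,nfnetlink_log)' \
              '10 NONE (nfnetlink_log)' > "$AFTER"
nflog_advise "$BEFORE" 2   # pf 2: nfnetlink_log active, run ulogd2 or: sysctl net.netfilter.nf_log.2=nf_log_ipv4
nflog_advise "$AFTER" 2    # pf 2: nf_log_ipv4 active, TRACE reaches the kernel log
nflog_advise "$BEFORE" 10  # pf 10: no logger bound, loaded: nfnetlink_log; modprobe nf_log_ipv6
```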
* Re: iptables TRACE not logged
From: Pablo Neira Ayuso @ 2015-09-13 11:50 UTC (permalink / raw)
To: Vieri Di Paola; +Cc: netfilter
On Sun, Sep 13, 2015 at 12:13:41AM +0200, Vieri Di Paola wrote:
> Thanks Pablo.
> This worked:
> sysctl net.netfilter.nf_log.2=nf_log_ipv4
> Now I'm getting TRACE messages in system log.
BTW, this used to work with ipt_LOG, right?
Thanks!
* Re: iptables TRACE not logged
From: Vieri Di Paola @ 2015-09-14 9:31 UTC (permalink / raw)
To: netfilter
On Sun, Sep 13, 2015 at 1:50 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> BTW, this used to work with ipt_LOG, right?
I believe so.
Vieri