debian buster/10 iptables raw TRACE，没有日志

Question

I have a new installed debian buster/10, I want to check the iptables TRACE log, so I added iptables's raw TRACE rule:

iptables -t raw -A PREROUTING -j TRACE

And I set this according to this page :

modprobe nf_log_ipv4
sysctl net.netfilter.nf_log.2=nf_log_ipv4

But I still got no TRACE log in syslog, kern.log or messages, -j LOG works. And " xtables-monitor -t " can show the TRACE packages.

# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

# uname -a
Linux debian 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux

# iptables --version
iptables v1.8.2 (nf_tables)

# lsmod | grep xt_
xt_LOG                 16384  0
xt_TRACE               16384  0
xt_mark                16384  3
xt_TPROXY              16384  2
nf_tproxy_ipv6         16384  1 xt_TPROXY
nf_tproxy_ipv4         16384  1 xt_TPROXY
xt_nat                 16384  5
nf_nat                 36864  2 nf_nat_ipv4,xt_nat
xt_addrtype            16384  2
xt_tcpudp              16384  10
xt_conntrack           16384  3
nf_conntrack          172032  6 xt_conntrack,nf_nat,ipt_MASQUERADE,nf_nat_ipv4,xt_nat,nf_conntrack_netlink
nf_defrag_ipv6         20480  2 nf_conntrack,xt_TPROXY
nf_defrag_ipv4         16384  2 nf_conntrack,xt_TPROXY
x_tables               45056  11 xt_conntrack,nft_compat,xt_TRACE,xt_LOG,xt_tcpudp,ipt_MASQUERADE,xt_addrtype,xt_nat,xt_TPROXY,ip_tables,xt_mark

# lsmod | grep log
nft_log                16384  0
nfnetlink_log          20480  0
nf_log_ipv4            16384  0
nf_log_common          16384  1 nf_log_ipv4
nf_tables             143360  303 nft_chain_route_ipv4,nft_compat,nft_log,nft_chain_nat_ipv4,nft_counter
nfnetlink              16384  5 nft_compat,nf_conntrack_netlink,nf_tables,nfnetlink_log

Anything I missed? Thank you.

Answer 1

As here expresses, debian buster uses nftables as backend by default:

NOTE: iptables is being replaced by nftables starting with Debian Buster

Current status

NOTE: Debian Buster uses the nftables framework by default.

Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (ie, using iptables syntax with the nf_tables kernel subsystem). This also affects ip6tables, arptables and ebtables.

somiaj@freenode on #debian channel suggests to use nft , I tried it and it worked like a charm, the rules was from iptables wrapper:

chain OUTPUT {
        type filter hook output priority -300; policy accept;
        meta l4proto udp udp dport 53 counter packets 10526 bytes 658659 nftrace set 1
}

nft monitor trace :

# nft monitor trace
trace id 802a6813 ip raw OUTPUT packet: oif "eth0" ip saddr 192.168.0.88 ip daddr 208.67.222.222 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 32950 ip length 75 udp sport 54299 udp dport domain udp length 55 @th,64,96 4657996495637740913470472193
trace id 802a6813 ip raw OUTPUT rule meta l4proto udp udp dport 53 counter packets 10694 bytes 669129 nftrace set 1 (verdict continue)
trace id 802a6813 ip raw OUTPUT verdict continue
trace id 802a6813 ip raw OUTPUT
......
trace id 8c561cef ip mangle POSTROUTING mark 0x000000ff
trace id 8c561cef ip nat POSTROUTING verdict continue mark 0x000000ff
trace id 8c561cef ip nat POSTROUTING mark 0x000000ff

More please refer to https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing .