Host description

    distro: gentoo 2007.0 amd64
    kernel: linux 2.6.23-gentoo-r8
    ntfltr: iptables v1.4.0
    logger: syslog-ng 2.0.6

Problem description

iptables TRACE target never gives any output through ipt_LOG and syslog-ng

I have successfully configured masquerading on the gateway with stuff like browsing, counter-strike:source, azureus and samba/nfs working behind it. To account for my lack of experience with netfilter I've set up logging through both ipt_LOG and ipt_ULOG to monitor dropped and rejected traffic. This has gotten me pretty far, but now I'm stuck. That is, I need more diagnostics/debugging over the netfilter rules.

I installed the latest iptables package which supports the -j TRACE target. The kernel has support for this too. I can actually run

    iptables -t raw -A PREROUTING -p tcp --dport 80 -j TRACE
    iptables -t raw -A OUTPUT -p tcp --dport 80 -j TRACE

without errors about illegal/missing chains/targets/matches.

Logging through syslog-ng and ulogd works because I see stuff like

    May 20 04:07:46 raptor a ping IN=eth0 OUT= MAC=00 SRC=10.3.0.1 DST=10.3.0.5 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1906 SEQ=5
    May 20 05:33:10 raptor a loop IN=lo OUT= MAC=00 SRC=10.3.0.5 DST=10.3.0.5 LEN=80 TOS=00 PREC=0xC0 TTL=64 ID=16564 PROTO=ICMP TYPE=3 CODE=3

in my ulogd [LOGEMU] file and

    05 20 04:06:43 tryggve kernel TRACE target: only valid in raw table, not filter
    05 20 04:08:20 tryggve kernel a Lping IN= OUT=eth1 SRC=10.3.0.1 DST=10.3.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1906 SEQ=1

in /var/log/messages. (Don't mind the TRACE error above, I was using -t filter.)

The expected behavior of -j TRACE is to dump iptables rules a given packet goes through to syslog. Surprisingly I get nothing even when specifying port 80 traffic to be TRACEd.

If anyone has made this work for them I am very curious as to how they did it.
If you want to have a look at my kernel .config or syslog-ng.conf or anything else on my system don't hesitate to ask, but I can't imagine the problem is rooted in the daemon configs.