I'm surprised nobody has mentioned the TRACE option. It's used in the 'raw' table, applied to the PREROUTING chain, I believe. Every packet that matches/is marked by the TRACE option gets logged as it traverses every subsequent rule that it matches. I believe it also shows when it enters and exits a chain, regardless of matching rules within it. It's perfect for tracing initial connection packets (e.g. SYN-only) through all your filters and nat chains. It can generate LOTS of logging traffic if you're not careful.
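The per-rule log lines that TRACE produces can be grouped by packet to reconstruct which chains a connection attempt walked through and how many log lines it cost. This is an added example, not part of the original post: the log lines are constructed, the `TRACE: table:chain:type:rulenum` prefix follows the format documented in iptables-extensions(8), and the chain name `ssh-in`, the addresses and the rule in the comment are assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample kernel log lines (not captured from a real host). Lines of this
# shape could come from a rule such as (assumed for illustration):
#   iptables -t raw -A PREROUTING -p tcp --syn -j TRACE
PKT_A = "IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 ID=4242 DF PROTO=TCP SPT=51000 DPT=22 SYN"
PKT_B = "IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=60 TTL=64 ID=9001 DF PROTO=TCP SPT=40000 DPT=443 SYN"
SAMPLE_LOG = "\n".join([
    f"kernel: TRACE: raw:PREROUTING:policy:2 {PKT_A}",
    f"kernel: TRACE: nat:PREROUTING:policy:1 {PKT_A}",
    f"kernel: TRACE: filter:INPUT:rule:3 {PKT_A}",
    f"kernel: TRACE: filter:ssh-in:rule:1 {PKT_A}",
    f"kernel: TRACE: filter:ssh-in:return:2 {PKT_A}",
    f"kernel: TRACE: filter:INPUT:policy:5 {PKT_A}",
    "kernel: eth0: link is up",                      # unrelated line, must be ignored
    f"kernel: TRACE: raw:PREROUTING:policy:2 {PKT_B}",
])

# type is "rule", "return" (end of a user-defined chain) or "policy" (built-in chain)
TRACE_RE = re.compile(r"TRACE: (?P<table>\w+):(?P<chain>[^:\s]+):(?P<kind>rule|return|policy):(?P<num>\d+) ")
FIELD_RE = re.compile(r"\b(SRC|DST|ID)=(\S+)")

def parse_trace(log_text):
    """Return {(src, dst, ip_id): [(table, chain, kind, rulenum), ...]} in log order."""
    paths = OrderedDict()
    for line in log_text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        f = dict(FIELD_RE.findall(line))
        key = (f.get("SRC"), f.get("DST"), f.get("ID"))
        paths.setdefault(key, []).append((m["table"], m["chain"], m["kind"], int(m["num"])))
    return paths

def chains_visited(path):
    """Collapse consecutive hops in the same chain into one table:chain entry."""
    out = []
    for table, chain, _kind, _num in path:
        if not out or out[-1] != f"{table}:{chain}":
            out.append(f"{table}:{chain}")
    return out

if __name__ == "__main__":
    for key, path in parse_trace(SAMPLE_LOG).items():
        print(key, f"{len(path)} log lines:", " -> ".join(chains_visited(path)))
```

A single SYN in the sample accounts for six log lines, which is why the TRACE match should be kept as narrow as possible.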