On Tue, Jan 12, 2021, at 3:01 PM, Rafael David Tinoco wrote:
> > > Ha, that's weird.
> > >
> > > log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
> > > <log><when><hour>14</hour><min>27</min><sec>16</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev><payload>600041d600200640fe8000000000000014535dfffe1aca68fe8000000000000002163efffe7faedd9b1000161118d258a85cd4bb801001fb267100000101080a011250252a763edf</payload></log> (ret=393)
> > >
> > > here... kernel 5.8.0-26-generic and latest libnetfilter-log, using:
> > >
> > > ip6tables-legacy -t raw -I OUTPUT 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> > > ip6tables-legacy -t raw -I PREROUTING 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> > > ip6tables-legacy -t raw -A OUTPUT -j TRACE
> > > ip6tables-legacy -t raw -A PREROUTING -j TRACE
> >
> > ? You need a -j NFLOG rule. -j TRACE might not even use netlink events
> > but raw printk() when used with classic iptables (rather than
> > iptables-nft, where this maps to 'meta nftrace set 1'.
>
> -j TRACE uses netlink communication for IPv4, why would it not use for
> IPv6 if my nf_log:
>
> $ sudo cat /proc/net/netfilter/nf_log
> 0 NONE (nfnetlink_log)
> 1 NONE (nfnetlink_log)
> 2 nfnetlink_log (nfnetlink_log)
> 3 NONE (nfnetlink_log)
> 4 NONE (nfnetlink_log)
> 5 NONE (nfnetlink_log)
> 6 NONE (nfnetlink_log)
> 7 NONE (nfnetlink_log)
> 8 NONE (nfnetlink_log)
> 9 NONE (nfnetlink_log)
> 10 nfnetlink_log (nfnetlink_log)
> 11 NONE (nfnetlink_log)
> 12 NONE (nfnetlink_log)
>
> has proto 2 and 10 to use nfnetlink_log.. and, from kernel:
>
> static struct nf_logger nfulnl_logger __read_mostly = {
> .name = "nfnetlink_log",
> .type = NF_LOG_TYPE_ULOG,
> .logfn = nfulnl_log_packet,
> .me = THIS_MODULE,
> };
>
> nfnetlink_log shows me that the function nfulnl_log_packet() is the one
> that builds the netlink packet to userland. So, if it works for IPv4,
> why would it not work for IPv6 ?
>
> Note: My intent is to have a single rule that gives me one netlink msg
> to each of the traced events (instead of adding a bunch of NFLOG rules
> working each one as triggers for the events, which I also could).
As a quick side note, with the same IPv4 rules:
tcp 6 300 ESTABLISHED src=10.250.97.135 dst=10.250.97.1 sport=36444 dport=6000 src=10.250.97.1 dst=10.250.97.135 sport=6000 dport=36444 [ASSURED]
log received (prefix="TRACE: raw:PREROUTING:policy:3 " hw=0x0800 hook=0 mark=0)
<log><when><hour>15</hour><min>15</min><sec>40</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:PREROUTING:policy:3 </prefix><hook>0</hook><hw><proto>0800</proto><src>00163e7faedd</src></hw><indev>12</indev><payload>450000340efc40004006534c0afa61870afa61018e5c1770fd1122e186613618801001bdd8a200000101080a4f4ed56aa18dbb50</payload></log> (ret=378)
log received (prefix="TRACE: filter:INPUT:policy:1 " hw=0x0800 hook=1 mark=0)
<log><when><hour>15</hour><min>15</min><sec>40</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: filter:INPUT:policy:1 </prefix><hook>1</hook><hw><proto>0800</proto><src>00163e7faedd</src></hw><indev>12</indev><payload>450000340efc40004006534c0afa61870afa61018e5c1770fd1122e186613618801001bdd8a200000101080a4f4ed56aa18dbb50</payload></log> (ret=376)
ip_conntrack_info: ORIGINAL / ESTABLISHED
tcp 6 432000 ESTABLISHED src=10.250.97.135 dst=10.250.97.1 sport=36444 dport=6000 src=10.250.97.1 dst=10.250.97.135 sport=6000 dport=36444 [ASSURED]
the conntrack feature is added to the netlink log msg.
