On Tue, Jan 12, 2021, at 3:01 PM, Rafael David Tinoco wrote:
> > > Ha, that's weird.
> > >
> > > log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
> > > <log><when><hour>14</hour><min>27</min><sec>16</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev><payload>600041d600200640fe8000000000000014535dfffe1aca68fe8000000000000002163efffe7faedd9b1000161118d258a85cd4bb801001fb267100000101080a011250252a763edf</payload></log> (ret=393)
> > >
> > > here... kernel 5.8.0-26-generic and latest libnetfilter-log, using:
> > >
> > > ip6tables-legacy -t raw -I OUTPUT 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> > > ip6tables-legacy -t raw -I PREROUTING 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> > > ip6tables-legacy -t raw -A OUTPUT -j TRACE
> > > ip6tables-legacy -t raw -A PREROUTING -j TRACE
> >
> > ? You need a -j NFLOG rule. -j TRACE might not even use netlink events
> > but raw printk() when used with classic iptables (rather than
> > iptables-nft, where this maps to 'meta nftrace set 1'.
>
> -j TRACE uses netlink communication for IPv4, why would it not use for
> IPv6 if my nf_log:
>
> $ sudo cat /proc/net/netfilter/nf_log
> 0 NONE (nfnetlink_log)
> 1 NONE (nfnetlink_log)
> 2 nfnetlink_log (nfnetlink_log)
> 3 NONE (nfnetlink_log)
> 4 NONE (nfnetlink_log)
> 5 NONE (nfnetlink_log)
> 6 NONE (nfnetlink_log)
> 7 NONE (nfnetlink_log)
> 8 NONE (nfnetlink_log)
> 9 NONE (nfnetlink_log)
> 10 nfnetlink_log (nfnetlink_log)
> 11 NONE (nfnetlink_log)
> 12 NONE (nfnetlink_log)
>
> has proto 2 and 10 to use nfnetlink_log..
> and, from kernel:
>
> static struct nf_logger nfulnl_logger __read_mostly = {
>         .name   = "nfnetlink_log",
>         .type   = NF_LOG_TYPE_ULOG,
>         .logfn  = nfulnl_log_packet,
>         .me     = THIS_MODULE,
> };
>
> nfnetlink_log shows me that the function nfulnl_log_packet() is the one
> that builds the netlink packet to userland. So, if it works for IPv4,
> why would it not work for IPv6 ?
>
> Note: My intent is to have a single rule that gives me one netlink msg
> to each of the traced events (instead of adding a bunch of NFLOG rules
> working each one as triggers for the events, which I also could).

As a quick side note, with the same IPv4 rules:

tcp 6 300 ESTABLISHED src=10.250.97.135 dst=10.250.97.1 sport=36444 dport=6000 src=10.250.97.1 dst=10.250.97.135 sport=6000 dport=36444 [ASSURED]

log received (prefix="TRACE: raw:PREROUTING:policy:3 " hw=0x0800 hook=0 mark=0)
<log><when><hour>15</hour><min>15</min><sec>40</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:PREROUTING:policy:3 </prefix><hook>0</hook><hw><proto>0800</proto><src>00163e7faedd</src></hw><indev>12</indev><payload>450000340efc40004006534c0afa61870afa61018e5c1770fd1122e186613618801001bdd8a200000101080a4f4ed56aa18dbb50</payload></log> (ret=378)

log received (prefix="TRACE: filter:INPUT:policy:1 " hw=0x0800 hook=1 mark=0)
<log><when><hour>15</hour><min>15</min><sec>40</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: filter:INPUT:policy:1 </prefix><hook>1</hook><hw><proto>0800</proto><src>00163e7faedd</src></hw><indev>12</indev><payload>450000340efc40004006534c0afa61870afa61018e5c1770fd1122e186613618801001bdd8a200000101080a4f4ed56aa18dbb50</payload></log> (ret=376)

ip_conntrack_info: ORIGINAL / ESTABLISHED
tcp 6 432000 ESTABLISHED src=10.250.97.135 dst=10.250.97.1 sport=36444 dport=6000 src=10.250.97.1 dst=10.250.97.135 sport=6000 dport=36444 [ASSURED]

the conntrack feature is added to the netlink log msg.
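The XML lines in the thread carry the traced packet as a raw hex <payload>, so whether a trace event really corresponds to the conntrack entry printed next to it can only be checked by decoding that payload. The following is an added example, not code from the thread, from libnetfilter_log or from the kernel: it parses a '<log>...</log> (ret=N)' line as printed above, picks IPv4 or IPv6 from the <hw><proto> EtherType, decodes the IP and TCP/UDP headers, and compares the resulting 5-tuple with the original direction of a conntrack entry. The sample inputs are the IPv6 trace, the first IPv4 trace and the first conntrack line quoted in the mail. It only decodes a transport header that directly follows the IP header (no IPv6 extension headers); anything else is reported by protocol number.

```python
# Added example (not from the thread, libnetfilter_log or the kernel): decode the
# <payload> hex of nflog XML output and check it against a conntrack entry.
import ipaddress
import re
import struct
import xml.etree.ElementTree as ET

# Sample inputs copied from the mail above: an IPv6 trace, an IPv4 trace and the
# conntrack entry the IPv4 trace should belong to.
SAMPLE_IPV6_LOG = (
    '<log><when><hour>14</hour><min>27</min><sec>16</sec><wday>3</wday><day>12</day>'
    '<month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix>'
    '<hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev>'
    '<payload>600041d600200640fe8000000000000014535dfffe1aca68fe8000000000000002163efffe7faedd'
    '9b1000161118d258a85cd4bb801001fb267100000101080a011250252a763edf</payload></log> (ret=393)')
SAMPLE_IPV4_LOG = (
    '<log><when><hour>15</hour><min>15</min><sec>40</sec><wday>3</wday><day>12</day>'
    '<month>1</month><year>2021</year></when><prefix>TRACE: raw:PREROUTING:policy:3 </prefix>'
    '<hook>0</hook><hw><proto>0800</proto><src>00163e7faedd</src></hw><indev>12</indev>'
    '<payload>450000340efc40004006534c0afa61870afa61018e5c1770fd1122e186613618801001bd'
    'd8a200000101080a4f4ed56aa18dbb50</payload></log> (ret=378)')
SAMPLE_CT = ('tcp 6 300 ESTABLISHED src=10.250.97.135 dst=10.250.97.1 sport=36444 dport=6000 '
             'src=10.250.97.1 dst=10.250.97.135 sport=6000 dport=36444 [ASSURED]')

TCP_FLAG_BITS = [(0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
                 (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR"), (0x100, "NS")]


def decode_l4(proto_num, data):
    """Decode the transport header that directly follows the IP header (TCP or UDP)."""
    if proto_num == 6 and len(data) >= 20:
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", data[:16])
        flags = [name for bit, name in TCP_FLAG_BITS if off_flags & bit]
        return {"l4": "tcp", "sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "flags": flags, "window": window}
    if proto_num == 17 and len(data) >= 8:
        sport, dport, length, _csum = struct.unpack("!HHHH", data[:8])
        return {"l4": "udp", "sport": sport, "dport": dport, "length": length}
    # ICMP, IPv6 extension headers or a truncated copy: report the number only.
    return {"l4": proto_num}


def decode_packet(hw_proto, payload):
    """Decode the IP header; hw_proto is the EtherType from <hw><proto> (0800 or 86dd)."""
    if hw_proto == "0800":
        vihl, _tos, total_len, _id, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", payload[:12])
        if vihl >> 4 != 4:
            raise ValueError("EtherType says IPv4 but version nibble is %d" % (vihl >> 4))
        ihl = (vihl & 0x0F) * 4  # header length in bytes, options included
        return {"ip_version": 4, "src": str(ipaddress.IPv4Address(payload[12:16])),
                "dst": str(ipaddress.IPv4Address(payload[16:20])), "ttl": ttl,
                "total_len": total_len, **decode_l4(proto, payload[ihl:])}
    if hw_proto == "86dd":
        first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", payload[:8])
        if first_word >> 28 != 6:
            raise ValueError("EtherType says IPv6 but version nibble is %d" % (first_word >> 28))
        return {"ip_version": 6, "src": str(ipaddress.IPv6Address(payload[8:24])),
                "dst": str(ipaddress.IPv6Address(payload[24:40])), "ttl": hop_limit,
                "total_len": 40 + payload_len, **decode_l4(next_hdr, payload[40:])}
    raise ValueError("unsupported hw proto 0x%s" % hw_proto)


def parse_log_line(line):
    """Parse one '<log>...</log> (ret=N)' line into a dict with the decoded packet."""
    xml_text = line[: line.index("</log>") + len("</log>")]  # drop the '(ret=N)' suffix
    root = ET.fromstring(xml_text)
    hw_proto = root.findtext("hw/proto")
    payload = bytes.fromhex(root.findtext("payload"))
    info = {"prefix": (root.findtext("prefix") or "").strip(),
            "hook": int(root.findtext("hook")), "hw_proto": hw_proto,
            "dev": root.findtext("indev") or root.findtext("outdev"),
            "captured_len": len(payload)}
    info.update(decode_packet(hw_proto, payload))
    return info


def matches_conntrack(pkt, ct_line):
    """True if the packet's 5-tuple equals the conntrack entry's original direction."""
    fields = re.findall(r"(src|dst|sport|dport)=(\S+)", ct_line)
    orig = dict(fields[:4])  # first src/dst/sport/dport group is the original direction
    return (ct_line.split()[0] == pkt.get("l4")
            and orig["src"] == pkt["src"] and orig["dst"] == pkt["dst"]
            and int(orig["sport"]) == pkt.get("sport") and int(orig["dport"]) == pkt.get("dport"))


if __name__ == "__main__":
    for line in (SAMPLE_IPV6_LOG, SAMPLE_IPV4_LOG):
        pkt = parse_log_line(line)
        print(pkt["prefix"], pkt["src"], pkt.get("sport"), "->", pkt["dst"], pkt.get("dport"), pkt.get("flags"))
    print("IPv4 trace matches conntrack entry:", matches_conntrack(parse_log_line(SAMPLE_IPV4_LOG), SAMPLE_CT))
```

On the quoted data the IPv4 trace decodes to 10.250.97.135:36444 -> 10.250.97.1:6000 with only ACK set, which is exactly the original direction of the conntrack entry printed with it; the IPv6 trace is a link-local SSH ACK (port 22) and does not match that entry, as expected.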