Ce contenu n'est pas disponible dans la langue sélectionnée.
6.8. Debugging nftables rules
The
nftables
framework provides different options for administrators to debug rules and if packets match them. This section describes these options.
6.8.1. Creating a rule with a counter
To identify if a rule is matched, you can use a counter. This section describes how to create a new rule with a counter.
For a procedure that adds a counter to an existing rule, see Section 6.8.2, “Adding a counter to an existing rule”.
Prerequisites
- The chain to which you want to add the rule exists.
Procedure 6.21. Creating a rule with a counter
- Add a new rule with the
counter
parameter to the chain. The following example adds a rule with a counter that allows TCP traffic on port 22 and counts the packets and traffic that match this rule:# nft add rule inet example_table example_chain tcp dport 22 counter accept
- To display the counter values:
# nft list ruleset table inet example_table { chain example_chain { type filter hook input priority filter; policy accept; tcp dport ssh counter packets 6872 bytes 105448565 accept } }
6.8.2. Adding a counter to an existing rule
To identify if a rule is matched, you can use a counter. This section describes how to add a counter to an existing rule.
For a procedure to add a new rule with a counter, see Section 6.8.1, “Creating a rule with a counter”.
Prerequisites
- The rule to which you want to add the counter exists.
Procedure 6.22. Adding a counter to an existing rule
- Display the rules in the chain including their handles:
# nft --handle list chain inet example_table example_chain table inet example_table { chain example_chain { # handle 1 type filter hook input priority filter; policy accept; tcp dport ssh accept # handle 4 } }
- Add the counter by replacing the rule but with the
counter
parameter. The following example replaces the rule displayed in the previous step and adds a counter:# nft replace rule inet example_table example_chain handle 4 tcp dport 22 counter accept
- To display the counter values:
# nft list ruleset table inet example_table { chain example_chain { type filter hook input priority filter; policy accept; tcp dport ssh counter packets 6872 bytes 105448565 accept } }
6.8.3. Monitoring packets that match an existing rule
The tracing feature in
nftables
in combination with the nft monitor
command enables administrators to display packets that match a rule. The procedure describes how to enable tracing for a rule as well as monitoring packets that match this rule.
Prerequisites
- The rule to which you want to add the counter exists.
Procedure 6.23. Monitoring packets that match an existing rule
- Display the rules in the chain including their handles:
# nft --handle list chain inet example_table example_chain table inet example_table { chain example_chain { # handle 1 type filter hook input priority filter; policy accept; tcp dport ssh accept # handle 4 } }
- Add the tracing feature by replacing the rule but with the
meta
nftrace
set
1
parameters. The following example replaces the rule displayed in the previous step and enables tracing:# nft replace rule inet example_table example_chain handle 4 tcp dport 22 meta nftrace set 1 accept
- Use the
nft monitor
command to display the tracing. The following example filters the output of the command to display only entries that containinet example_table example_chain
:# nft monitor | grep "inet example_table example_chain" trace id 3c5eb15e inet example_table example_chain packet: iif "enp1s0" ether saddr 52:54:00:17:ff:e4 ether daddr 52:54:00:72:2f:6e ip saddr 192.0.2.1 ip daddr 192.0.2.2 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 49710 ip protocol tcp ip length 60 tcp sport 56728 tcp dport ssh tcp flags == syn tcp window 64240 trace id 3c5eb15e inet example_table example_chain rule tcp dport ssh nftrace set 1 accept (verdict accept) ...
Warning
Depending on the number of rules with tracing enabled and the amount of matching traffic, thenft monitor
command can display a lot of output. Use grep or other utilities to filter the output.