|
 |
954d1a |
From 7f5707d93a62cf7474d94e038188a0a8ae2924e7 Mon Sep 17 00:00:00 2001
|
|
|
954d1a |
From: Phil Sutter <phil@nwl.cc>
|
|
|
954d1a |
Date: Wed, 19 May 2021 13:12:48 +0200
|
|
|
954d1a |
Subject: [PATCH] doc: nft.8: Extend monitor description by trace
|
|
|
954d1a |
|
|
|
954d1a |
Briefly describe 'nft monitor trace' command functionality.
|
|
|
954d1a |
|
|
|
954d1a |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
954d1a |
(cherry picked from commit 2acf8b2caea19d8abd46d475a908f8d6afb33aa0)
|
|
|
954d1a |
---
|
|
|
954d1a |
doc/nft.txt | 25 ++++++++++++++++++++++---
|
|
|
954d1a |
1 file changed, 22 insertions(+), 3 deletions(-)
|
|
|
954d1a |
|
|
|
954d1a |
diff --git a/doc/nft.txt b/doc/nft.txt
|
|
|
954d1a |
index 2642d8903787f..7b3c70d82a127 100644
|
|
|
954d1a |
--- a/doc/nft.txt
|
|
|
954d1a |
+++ b/doc/nft.txt
|
|
|
954d1a |
@@ -805,13 +805,26 @@ These are some additional commands included in nft.
|
|
|
954d1a |
MONITOR
|
|
|
954d1a |
~~~~~~~~
|
|
|
954d1a |
The monitor command allows you to listen to Netlink events produced by the
|
|
|
954d1a |
-nf_tables subsystem, related to creation and deletion of objects. When they
|
|
|
954d1a |
+nf_tables subsystem. These are either related to creation and deletion of
|
|
|
954d1a |
+objects or to packets for which *meta nftrace* was enabled. When they
|
|
|
954d1a |
occur, nft will print to stdout the monitored events in either JSON or
|
|
|
954d1a |
native nft format. +
|
|
|
954d1a |
|
|
|
954d1a |
-To filter events related to a concrete object, use one of the keywords 'tables', 'chains', 'sets', 'rules', 'elements', 'ruleset'. +
|
|
|
954d1a |
+[verse]
|
|
|
954d1a |
+____
|
|
|
954d1a |
+*monitor* [*new* | *destroy*] 'MONITOR_OBJECT'
|
|
|
954d1a |
+*monitor* *trace*
|
|
|
954d1a |
+
|
|
|
954d1a |
+'MONITOR_OBJECT' := *tables* | *chains* | *sets* | *rules* | *elements* | *ruleset*
|
|
|
954d1a |
+____
|
|
|
954d1a |
|
|
|
954d1a |
-To filter events related to a concrete action, use keyword 'new' or 'destroy'.
|
|
|
954d1a |
+To filter events related to a concrete object, use one of the keywords in
|
|
|
954d1a |
+'MONITOR_OBJECT'.
|
|
|
954d1a |
+
|
|
|
954d1a |
+To filter events related to a concrete action, use keyword *new* or *destroy*.
|
|
|
954d1a |
+
|
|
|
954d1a |
+The second form of invocation takes no further options and exclusively prints
|
|
|
954d1a |
+events generated for packets with *nftrace* enabled.
|
|
|
954d1a |
|
|
|
954d1a |
Hit ^C to finish the monitor operation.
|
|
|
954d1a |
|
|
|
954d1a |
@@ -835,6 +848,12 @@ Hit ^C to finish the monitor operation.
|
|
|
954d1a |
% nft monitor ruleset
|
|
|
954d1a |
---------------------
|
|
|
954d1a |
|
|
|
954d1a |
+.Trace incoming packets from host 10.0.0.1
|
|
|
954d1a |
+------------------------------------------
|
|
|
954d1a |
+% nft add rule filter input ip saddr 10.0.0.1 meta nftrace set 1
|
|
|
954d1a |
+% nft monitor trace
|
|
|
954d1a |
+------------------------------------------
|
|
|
954d1a |
+
|
|
|
954d1a |
ERROR REPORTING
|
|
|
954d1a |
---------------
|
|
|
954d1a |
When an error is detected, nft shows the line(s) containing the error, the
|
|
|
954d1a |
--
|
|
|
954d1a |
2.33.0
|
|
|
954d1a |
|