From 5a735f26b0c6617b2851a7399c8ad118e89deba8 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Mon, 12 Jul 2021 16:34:38 +0200
Subject: [PATCH] doc: nft.8: Extend monitor description by trace
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1820365
Upstream Status: nftables commit 2acf8b2caea19
commit 2acf8b2caea19d8abd46d475a908f8d6afb33aa0
Author: Phil Sutter <phil@nwl.cc>
Date: Wed May 19 13:12:48 2021 +0200
doc: nft.8: Extend monitor description by trace
Briefly describe 'nft monitor trace' command functionality.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
doc/nft.txt | 25 ++++++++++++++++++++++---
1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/doc/nft.txt b/doc/nft.txt
index abb9260..9cc35ee 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -734,13 +734,26 @@ These are some additional commands included in nft.
MONITOR
~~~~~~~~
The monitor command allows you to listen to Netlink events produced by the
-nf_tables subsystem, related to creation and deletion of objects. When they
+nf_tables subsystem. These are either related to creation and deletion of
+objects or to packets for which *meta nftrace* was enabled. When they
occur, nft will print to stdout the monitored events in either JSON or
native nft format. +
-To filter events related to a concrete object, use one of the keywords 'tables', 'chains', 'sets', 'rules', 'elements', 'ruleset'. +
+[verse]
+____
+*monitor* [*new* | *destroy*] 'MONITOR_OBJECT'
+*monitor* *trace*
+
+'MONITOR_OBJECT' := *tables* | *chains* | *sets* | *rules* | *elements* | *ruleset*
+____
+
+To filter events related to a concrete object, use one of the keywords in
+'MONITOR_OBJECT'.
-To filter events related to a concrete action, use keyword 'new' or 'destroy'.
+To filter events related to a concrete action, use keyword *new* or *destroy*.
+
+The second form of invocation takes no further options and exclusively prints
+events generated for packets with *nftrace* enabled.
Hit ^C to finish the monitor operation.
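Review bot: In the new [verse] synopsis, 'MONITOR_OBJECT' is written as mandatory in "*monitor* [*new* | *destroy*] 'MONITOR_OBJECT'", while the paragraph directly below presents the object keywords as a filter ("To filter events related to a concrete object, use one of the keywords in 'MONITOR_OBJECT'"). If the object may be omitted, bracket it in the synopsis too. The naming also differs between the first paragraph (*meta nftrace*) and the last added one (*nftrace*); using *meta nftrace* in both places would tie the description to the rule statement readers have to write.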
@@ -764,6 +777,12 @@ Hit ^C to finish the monitor operation.
% nft monitor ruleset
---------------------
+.Trace incoming packets from host 10.0.0.1
+------------------------------------------
+% nft add rule filter input ip saddr 10.0.0.1 meta nftrace set 1
+% nft monitor trace
+------------------------------------------
+
ERROR REPORTING
---------------
When an error is detected, nft shows the line(s) containing the error, the
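Review bot: The added example's "% nft add rule filter input ip saddr 10.0.0.1 meta nftrace set 1" line assumes a table named filter with a chain named input already exists, and the example does not say so; a short note, or a preceding add table / add chain pair, would make it usable as written. It would also be worth stating that the rule stays in the ruleset after ^C ends the monitor, so packets from 10.0.0.1 keep being marked for tracing until the rule is deleted.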
--
2.31.1