path: root/doc/additional-commands.txt
blob: 9ad338f8c7d1bb6bad9a65b160b0ac9c5a16b21b (plain)
LIST HOOKS
~~~~~~~~~~

This shows the list of functions that have been registered for the
given protocol family, including functions that have been
registered implicitly by kernel modules such as nf_conntrack. +

[verse]
____
*list hooks* ['family']
*list hooks netdev device* 'DEVICE_NAME'
____

*list hooks* is enough to display everything that is active
on the system, however, it does currently omit hooks that are
tied to a specific network device (netdev family). To obtain
those, the network device needs to be queried by name.
Example Usage:

.List all active netfilter hooks in either the ip or ip6 stack
--------------------------------------------------------------
% nft list hooks inet
family ip {
        hook prerouting {
                -0000000400 ipv4_conntrack_defrag [nf_defrag_ipv4]
                -0000000200 ipv4_conntrack_in [nf_conntrack]
                -0000000100 nf_nat_ipv4_pre_routing [nf_nat]
        }
        hook input {
                 0000000000 chain inet filter input [nf_tables]
                +0000000100 nf_nat_ipv4_local_in [nf_nat]
[..]
--------------------------------------------------------------

The above shows a host that has nat, conntrack and ipv4 packet
defragmentation enabled.
For each hook location of the queried family, the active hooks are
listed one per line, using the format +

*priority* *identifier* [*module_name*]

The *priority* value dictates the order in which the hooks are called:
the list is sorted, and the hook with the lowest number runs first.

The priority value of hooks registered by the kernel cannot be changed.
For basechains registered by nftables, this value corresponds to the
*priority* value specified in the base chain definition.

After the numerical value, information about the hook is shown.
For basechains defined in nftables this includes the table family,
the table name and the base chain's name.
For hooks coming from kernel modules, the function name is used
instead.

If a *module name* is given, the hook was registered by the kernel
module with this name.  You can use 'modinfo *module name*' to
obtain more information about the module.

This functionality requires a kernel built with the option +
CONFIG_NETFILTER_NETLINK_HOOK
enabled, either as a module or builtin. The module is named
*nfnetlink_hook*.
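As an added example (not part of the nftables documentation), the following
shell script parses the *priority* *identifier* [*module_name*] lines described
above into tab-separated records and reports every hook that was registered by
a kernel module outside an allowlist; the input is a constructed sample in the
shape of the listing above, and the allowlist is an assumption.

```sh
#!/bin/sh
# Added example, not part of the nftables documentation: parse the
# "priority identifier [module_name]" lines printed by `nft list hooks`
# and report hooks registered by kernel modules outside an allowlist.

# Constructed sample modelled on the `nft list hooks inet` output above; the
# last hook line is made up so that a module outside the allowlist gets flagged.
SAMPLE_HOOKS='family ip {
        hook prerouting {
                -0000000400 ipv4_conntrack_defrag [nf_defrag_ipv4]
                -0000000200 ipv4_conntrack_in [nf_conntrack]
                -0000000100 nf_nat_ipv4_pre_routing [nf_nat]
        }
        hook input {
                 0000000000 chain inet filter input [nf_tables]
                +0000000100 nf_nat_ipv4_local_in [nf_nat]
                +0000000300 some_hook_fn [example_unlisted]
        }
}'

# Read `nft list hooks` output on stdin; print one tab-separated record per
# hook: family, hook location, numeric priority, identifier, module name.
parse_hooks() {
    awk '
        $1 == "family" { family = $2; next }
        $1 == "hook"   { hook = $2; next }
        $NF ~ /^\[.*\]$/ {
            module = substr($NF, 2, length($NF) - 2)
            ident = $2
            for (i = 3; i < NF; i++) ident = ident " " $i
            # $1 + 0 turns "-0000000400" / "+0000000100" into -400 / 100
            printf "%s\t%s\t%d\t%s\t%s\n", family, hook, $1 + 0, ident, module
        }'
}

# Read `nft list hooks` output on stdin; print each module name that
# registered a hook but is not in the space-separated allowlist in $1.
# No output means every hook came from an expected module.
unexpected_hook_modules() {
    allow=" $1 "
    parse_hooks | cut -f5 | sort -u | while read -r mod; do
        case "$allow" in
            *" $mod "*) ;;
            *) echo "$mod" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_HOOKS" \
    | unexpected_hook_modules "nf_defrag_ipv4 nf_conntrack nf_nat nf_tables"
```

On a live host, pipe the real listing in instead of the sample:
`nft list hooks inet | unexpected_hook_modules "nf_defrag_ipv4 nf_conntrack nf_nat nf_tables"`.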

MONITOR
~~~~~~~
The monitor command allows you to listen to Netlink events produced by the
nf_tables subsystem. These are either related to creation and deletion of
objects or to packets for which *meta nftrace* was enabled. When they
occur, nft will print to stdout the monitored events in either JSON or
native nft format. +

[verse]
____
*monitor* [*new* | *destroy*] 'MONITOR_OBJECT'
*monitor* *trace*

'MONITOR_OBJECT' := *tables* | *chains* | *sets* | *rules* | *elements* | *ruleset*
____

To filter events related to a concrete object, use one of the keywords in
'MONITOR_OBJECT'.

To filter events related to a concrete action, use keyword *new* or *destroy*.

The second form of invocation takes no further options and exclusively prints
events generated for packets with *nftrace* enabled.

Hit ^C to finish the monitor operation.

.Listen to all events, report in native nft format
--------------------------------------------------
% nft monitor
--------------------------------------------------

.Listen to deleted rules, report in JSON format
-----------------------------------------------
% nft -j monitor destroy rules
-----------------------------------------------

.Listen to both new and destroyed chains, in native nft format
-----------------------------------------------------------------
% nft monitor chains
-----------------------------------------------------------------

.Listen to ruleset events such as table, chain, rule, set, counters and quotas, in native nft format
----------------------------------------------------------------------------------------------------
% nft monitor ruleset
----------------------------------------------------------------------------------------------------

.Trace incoming packets from host 10.0.0.1
------------------------------------------
% nft add rule filter input ip saddr 10.0.0.1 meta nftrace set 1
% nft monitor trace
------------------------------------------