Differences

This shows you the differences between two versions of the page.

inbox:firewall:netfilter_iptables:netfilter_management [2018/08/22 17:56] – created dturvenedocs:guide-user:firewall:netfilter_iptables:netfilter_management [2022/09/09 21:49] (current) – Use nftables tracing to debug fw4 rules (22.03 and later) zorun
Line 1: Line 1:
-====== netfilter Management ====== +====== Netfilter Management ====== 
-This section discusses techniques and tools to manage fw3 and netfilter rules.+This section discusses techniques and tools to manage fw3, fw4 and netfilter rules.
  
-Almost all the issues with the firewall can gleaned from inspecting the+Almost all the issues with the firewall can be gleaned from inspecting the
 netfilter tables and analyzing their relationships. netfilter tables and analyzing their relationships.
  
-===== Inspecting tables using fw3 ===== +{{section>meta:infobox:howto_links#fw3-fw4&noheader&nofooter&noeditbutton}} 
-The [[inbox:firewall:firewall3:overview|fw3 application]] is a good command+ 
 +===== Inspecting tables using fw4 (22.03 and later) ===== 
 +The [[docs:guide-user:firewall:overview|fw4 application]] is the nftables frontend used in OpenWrt. 
 + 
 +''fw4 print'' dumps the nftables configuration that is built by fw4 and passed to nftables. 
 +It contains slightly higher-level code than the raw nftables state: fw4 uses variables, include files... 
 + 
 +When debugging rules emitted by fw4, this is a good starting point. 
 + 
 +===== Inspecting tables using nft (22.03 and later) ===== 
 + 
 +''nft list ruleset'' dumps the full nftables configuration from the kernel. This dump mixes data from different sources: 
 + 
 +  * rules generated by fw4 
 +  * rules included from external files (''/etc/nftables.d/*.nft'' or ''/usr/share/nftables.d/''
 +  * rules added manually through the ''nft'' command 
 + 
 +===== Use nftables tracing to debug fw4 rules (22.03 and later) ===== 
 + 
 +Somethings, the nftables ruleset may exhibit unexpected behaviour, such as a packet being dropped while it should not. In that case, **tracing** can help: it allows to print all rules traversed by a given packet. 
 + 
 +See https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing for the full explanation. The following is simply an adaptation of this wiki page to the fw4 ruleset. 
 + 
 +You first need to add a tracing chain: 
 + 
 +  nft add chain inet fw4 trace_chain { type filter hook prerouting priority -301\; } 
 + 
 +Then add one or more rules to match packets you are interested in, such as: 
 + 
 +  nft add rule inet fw4 trace_chain ip saddr 203.0.113.42 meta nftrace set 1 
 +  nft add rule inet fw4 trace_chain udp dport 50014 meta nftrace set 1 
 + 
 +Finally, you can look at the result of the trace (ideally in another terminal): 
 + 
 +  nft monitor trace 
 + 
 +Beware, each traced packet will generate a huge amount of output! 
 + 
 +To stop the tracing, remove the chain: 
 + 
 +  nft delete chain inet fw4 trace_chain 
 +===== Inspecting tables using fw3 (21.02 and earlier) ===== 
 +The [[docs:guide-user:firewall:overview|fw3 application]] is a good command
 line interface to see all the netfilter rules. line interface to see all the netfilter rules.
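Review bot: the tracing chain is created inside the ''fw4'' table (''nft add chain inet fw4 trace_chain ...''), and fw4 rebuilds that whole table on every reload (''fw4 reload'' or ''/etc/init.d/firewall reload''), so a reload silently removes the trace chain and its rules; the section should say so, because a reader who is debugging a problem that only appears after a reload will lose the trace without noticing. Priority -301 is the right choice and deserves one sentence of explanation: it sits ahead of the raw priority (-300) and of conntrack (-200), so ''meta nftrace set 1'' is applied before any other chain sees the packet, and ''nft monitor trace'' then shows every later chain the packet traverses, including fw4's own. Suggested wording: "The chain lives in the fw4 table and is removed whenever fw4 reloads; re-add it after a reload if you still need it." Minor: "Somethings" should read "Sometimes", "it allows to print all rules" should read "it prints all rules", and the second bullet under ''nft list ruleset'' is missing its closing parenthesis after ''/usr/share/nftables.d/''.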
  
Line 16: Line 58:
 dump **could** be run as a script to recreate the firewall rule set. dump **could** be run as a script to recreate the firewall rule set.
  
-===== Inspecting tables using iptables =====+===== Inspecting tables using iptables (21.02 and earlier) =====
 ''fw3 print'' is the main utility to inspect iptable rules.  Additionally the ''fw3 print'' is the main utility to inspect iptable rules.  Additionally the
 ''iptable'' command can be used to sort the rules differently and retrieve ''iptable'' command can be used to sort the rules differently and retrieve
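Review bot: the context line still reads ''iptable''; the command is ''iptables'', so fix the typo while this heading is being re-scoped. Since the heading now says "21.02 and earlier", it is worth adding that on 22.03 and later the ''iptables'' command is not part of the default image and ''fw4 print'' / ''nft list ruleset'' from the sections above are the equivalents, otherwise a reader on a current release will wonder why the command is missing.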
Line 68: Line 110:
  
 To fix this, append your LOG rule to the ''forwarding_rule'' chain. To fix this, append your LOG rule to the ''forwarding_rule'' chain.
 +
 +===== Conntrack Diagnostics =====
 +Many netfilter features, especially NAT, depend on the ''nf_conntrack'' modules to track
 +IP connections between the WAN-side and the LAN-side.  Access to the conntrack tables can be
 +invaluable when debugging traffic rules.  The kernel presents the table
 +through the [[https://en.wikipedia.org/wiki/Procfs|procfs filesystem]]
 +at ''/proc/net/nf_conntrack''.
 +
 +Here is a typical conntrack entry:
 +<file>
 +ipv4     2 tcp      6 4088 ESTABLISHED src=192.168.3.171 dst=192.168.10.175 sport=33284 dport=22 packets=24 bytes=1248 src=192.168.10.175 dst=192.168.3.171 sport=22 dport=33284 packets=24 bytes=1248 [ASSURED] mark=0 use=2
 +</file>
 +This is a ipv4 tcp session on port=22 (SSH).  It shows a connection from STA1 to STA2 and then the reverse mapping.
 +
 +:!: The nf_conntrack parameters can be tuned using parameters in the sysfs
 +filesystem under ''/proc/sys/net/netfilter'' This is almost never desirable. 
 +
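Review bot: ''/proc/sys/net/netfilter'' is the sysctl interface exposed through procfs, not sysfs (sysfs is mounted at ''/sys''); the infobox should say sysctl, for example ''sysctl net.netfilter.nf_conntrack_max''. "This is almost never desirable" also overstates the case: raising ''nf_conntrack_max'' is the standard fix when the kernel logs "nf_conntrack: table full, dropping packet" on a busy router, so "rarely needed on a home router" would be more accurate. The sample entry would be more useful with its fields named: ''6'' is the IP protocol number (TCP), ''4088'' is the remaining timeout in seconds, and ''[ASSURED]'' means the connection has seen traffic in both directions and will not be evicted early when the table fills. ''STA1'' and ''STA2'' are not defined anywhere on the page; name the two addresses (192.168.3.171 and 192.168.10.175) directly instead. Grammar: "a ipv4 tcp session" should read "an IPv4 TCP session", and the sentence ending in ''/proc/sys/net/netfilter'' is missing its full stop.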
  
  • Last modified: 2022/09/09 21:49
  • by zorun