In case anyone still doesn't know how to trace a packet through iptables/netfilter rule by rule

Which tool to use depends on what iptables --version reports:

1. legacy
https://github.com/akerouanton/iptables-tracer is extremely handy; its author Albin is a Docker (moby) maintainer.

It supports pcap filters:
$ iptables-tracer -filter 'src port 19233 and tcp[tcpflags]=tcp-syn'
INFO[0000] Waiting for trace events...                  
  mangle PREROUTING NFMARK=0x0 IN=lxcaa0969e88c0c (changed by last rule)
    MATCH RULE (#1): -m comment --comment "cilium-feeder: CILIUM_PRE_mangle" -j CILIUM_PRE_mangle
    => CILIUM_PRE_mangle
  mangle CILIUM_PRE_mangle NFMARK=0x0 
    => RETURN
  mangle PREROUTING NFMARK=0x0 
    DEFAULT POLICY
    => ACCEPT
  mangle FORWARD NFMARK=0x0 IN=lxcaa0969e88c0c OUT=cilium_host (changed by last rule)
    DEFAULT POLICY
    => ACCEPT
  filter FORWARD NFMARK=0x0 
    MATCH RULE (#1): -m comment --comment "cilium-feeder: CILIUM_FORWARD" -j CILIUM_FORWARD
    => CILIUM_FORWARD
  filter CILIUM_FORWARD NFMARK=0x0 
    MATCH RULE (#2): -m mark --mark 0xe00/0xf00 -m comment --comment "exclude xfrm marks from filter CILIUM_FORWARD chain" -j ACCEPT
    => ACCEPT
  mangle POSTROUTING NFMARK=0x0 
    MATCH RULE (#1): -m comment --comment "cilium-feeder: CILIUM_POST_mangle" -j CILIUM_POST_mangle
    => CILIUM_POST_mangle
  mangle CILIUM_POST_mangle NFMARK=0x0 
    => RETURN
  mangle POSTROUTING NFMARK=0x0 
    DEFAULT POLICY
    => ACCEPT


2. nf_tables

nft add table inet tracer
nft add chain inet tracer prerouting { type filter hook prerouting priority 0\; }
nft add rule inet tracer prerouting tcp dport 19233 meta nftrace set 1
nft monitor trace


Although nft does not accept pcap filters directly, its own rule syntax is powerful enough for this job. For example, the pcap filter dst port 19233 and tcp[tcpflags]&(tcp-syn|tcp-ack)=(tcp-syn|tcp-ack) can be written as:
$ nft -i
nft> add rule inet tracer prerouting tcp dport 19233 tcp flags & (syn|ack) == (syn|ack) meta nftrace set 1


The output format is good too:
trace id c2c841a4 inet tracer prerouting packet: iif "lxc7c0529d168af" ether saddr ae:85:96:7e:46:c0 ether daddr 1e:7b:85:ee:b8:f0 ip saddr 10.244.2.99 ip daddr 10.244.3.192 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 8080 tcp dport 19233 tcp flags == 0x12 tcp window 64437 
trace id c2c841a4 inet tracer prerouting rule tcp dport 19233 tcp flags syn,ack / syn,ack meta nftrace set 1 (verdict continue)
trace id c2c841a4 inet tracer prerouting policy accept meta mark 0xc9f13e00 
trace id c2c841a4 ip filter FORWARD packet: iif "lxc7c0529d168af" oif "cilium_host" ether saddr ae:85:96:7e:46:c0 ether daddr 1e:7b:85:ee:b8:f0 ip saddr 10.244.2.99 ip daddr 10.244.3.192 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 0 ip length 60 tcp sport 8080 tcp dport 19233 tcp flags == 0x12 tcp window 64437 
trace id c2c841a4 ip filter FORWARD rule  counter packets 2715 bytes 164136 jump KUBE-FORWARD (verdict jump KUBE-FORWARD)
trace id c2c841a4 ip filter KUBE-FORWARD rule ct state invalid counter packets 0 bytes 0 drop (verdict drop)
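A trace like the one above is easy to read for one packet, but on a busy host nft monitor trace emits many interleaved lines per trace id, and the question is always the same: which rule in which chain decided the packet's fate? The script below is an added example, not part of the original post or of nftables; it condenses saved nft monitor trace output into the rule path per trace id and names the decisive rule. It assumes only the line shape shown above ("trace id <id> <family> <table> <chain> packet:|rule|policy ..."), and the sample lines are constructed from the trace in the post, shortened to the fields that matter.

```shell
#!/bin/sh
# Added example (not from the original post): summarise `nft monitor trace`
# output into the rule path each traced packet took. Reads trace lines on
# stdin. Assumed line shape, as in the post:
#   trace id <id> <family> <table> <chain> packet: ...
#   trace id <id> <family> <table> <chain> rule <rule text> (verdict <v>)
#   trace id <id> <family> <table> <chain> policy <accept|drop> ...

# Print, per trace id: the packet summary, every rule hit with its verdict,
# and the final verdict with the chain that issued it. Verdicts continue,
# jump, goto and return keep the packet moving; the last other verdict in
# the trace is the packet's fate.
nft_trace_summary() {
    awk '
    $1 == "trace" && $2 == "id" {
        id = $3; loc = $4 " " $5 " " $6; kind = $7
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        if (kind == "packet:") {
            # the first packet line of a trace id describes the packet
            if (!(id in pkt)) {
                s = ""
                for (i = 8; i <= NF; i++) s = s (i > 8 ? " " : "") $i
                pkt[id] = s
            }
            next
        }
        if (kind == "rule") {
            v = $0; sub(/.*\(verdict /, "", v); sub(/\)[ \t]*$/, "", v)
            r = $0
            sub(/^trace id [^ ]+ [^ ]+ [^ ]+ [^ ]+ rule +/, "", r)
            sub(/ *\(verdict .*$/, "", r)
            path[id] = path[id] "  " loc ": " r " -> " v "\n"
            if (v !~ /^(continue|jump|goto|return)/) final[id] = v " (rule in " loc ")"
            next
        }
        if (kind == "policy") {
            path[id] = path[id] "  " loc ": policy " $8 "\n"
            final[id] = $8 " (policy of " loc ")"
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            id = order[k]
            printf "trace %s: %s\n%sfinal verdict: %s\n", id, pkt[id], path[id], final[id]
        }
    }'
}

# Print just "<trace id> <verdict>" per packet, for grepping or alerting.
nft_trace_verdict() {
    nft_trace_summary | awk '
    /^trace / { id = $2; sub(/:$/, "", id) }
    /^final verdict:/ { print id, $3 }'
}

# Constructed sample, trimmed from the trace in the post: a SYN/ACK that
# passes the tracer chain and is then dropped by KUBE-FORWARD because
# conntrack considers it invalid.
SAMPLE_TRACE='trace id c2c841a4 inet tracer prerouting packet: iif "lxc7c0529d168af" ip saddr 10.244.2.99 ip daddr 10.244.3.192 ip protocol tcp tcp sport 8080 tcp dport 19233 tcp flags == 0x12
trace id c2c841a4 inet tracer prerouting rule tcp dport 19233 tcp flags syn,ack / syn,ack meta nftrace set 1 (verdict continue)
trace id c2c841a4 inet tracer prerouting policy accept meta mark 0xc9f13e00
trace id c2c841a4 ip filter FORWARD packet: iif "lxc7c0529d168af" oif "cilium_host" ip saddr 10.244.2.99 ip daddr 10.244.3.192 tcp sport 8080 tcp dport 19233 tcp flags == 0x12
trace id c2c841a4 ip filter FORWARD rule  counter packets 2715 bytes 164136 jump KUBE-FORWARD (verdict jump KUBE-FORWARD)
trace id c2c841a4 ip filter KUBE-FORWARD rule ct state invalid counter packets 0 bytes 0 drop (verdict drop)'

printf '%s\n' "$SAMPLE_TRACE" | nft_trace_summary
printf '%s\n' "$SAMPLE_TRACE" | nft_trace_verdict
```

Because the summary is emitted at end of input, capture first and summarise afterwards, for example timeout 10 nft monitor trace > trace.log followed by nft_trace_summary < trace.log; piping the live monitor in directly prints nothing until the monitor exits. On the sample this reports "final verdict: drop (rule in ip filter KUBE-FORWARD)", which is exactly the rule a reader of the raw trace has to dig out by hand.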