iptables-trace is an eBPF enhanced iptables TRACE-alternative iptables TRACE.
It requires 5.2+ kernel to run eBPF CO-RE.
Meanwhile, grep CONFIG_NETFILTER_XT_TARGET_TRACE /boot/config-$(uname -r)
should be y to run kernel module.
It's because eBPF is unable to modify skb->nf_trace and struct pt_regs. But kernel module has the ability.
In hence, it's to modify skb->nf_trace and struct pt_regs in kernel module, then run bpf progs in kernel module.
- Run the
kprobebpf prog onipt_do_table/ip6t_do_table. skb->nf_trace = 1;to runnf_log_tracefunction later.- Run the
kprobebpf prog onnf_log_trace. regs->si = 0;hijack and do not run thenf_log_trace()actually.- Run the
kretprobebpf prog onipt_do_table/ip6t_do_table.
Currently, it is only able to run on x86, not others like arm.
It's a little easy to update it to run on arm.
- Run on arm64.
# git clone https://github.com/Asphaltt/iptables-trace.git
# cd iptables-trace
# make
# ./iptables-trace -c 20
TIME SKB NETWORK_NS PID CPU INTERFACE DEST_MAC IP_LEN PKT_INFO IPTABLES_INFO
[04:53:15] [0xffff8df402e052e8] [4026531840] 6888 3 00:00:00:00:00:00 264 T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030 ipttrace=[pf=PF_INET in= out=enp0s8 table=filter chain=OUTPUT hook=3 rulenum=1]
[04:53:15] [0xffff8df402e052e8] [4026531840] 6888 3 00:00:00:00:00:00 264 T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030 iptables=[pf=PF_INET table=filter hook=OUTPUT verdict=ACCEPT cost=77.425µs]
[04:53:15] [0xffff8df50291d200] [4026531840] 8432 1 enp0s8 08:00:27:39:de:94 52 T_PSH:192.168.1.12:53030->192.168.1.138:22 ipttrace=[pf=PF_INET in=enp0s8 out= table=filter chain=INPUT hook=1 rulenum=1]
[04:53:15] [0xffff8df50291d200] [4026531840] 8432 1 enp0s8 08:00:27:39:de:94 52 T_PSH:192.168.1.12:53030->192.168.1.138:22 iptables=[pf=PF_INET table=filter hook=INPUT verdict=ACCEPT cost=36.942µs]
[04:53:15] [0xffff8df402e050e8] [4026531840] 8432 1 87:ab:0d:ea:d5:19 88 T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030 ipttrace=[pf=PF_INET in= out=enp0s8 table=filter chain=OUTPUT hook=3 rulenum=1]
[04:53:15] [0xffff8df402e050e8] [4026531840] 8432 1 87:ab:0d:ea:d5:19 88 T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030 iptables=[pf=PF_INET table=filter hook=OUTPUT verdict=ACCEPT cost=40.266µs]
[04:53:15] [0xffff8df402e04ce8] [4026531840] 6888 3 00:00:00:00:00:00 328 T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030 ipttrace=[pf=PF_INET in= out=enp0s8 table=filter chain=OUTPUT hook=3 rulenum=1]
[04:53:15] [0xffff8df402e04ce8] [4026531840] 6888 3 00:00:00:00:00:00 328 T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030 iptables=[pf=PF_INET table=filter hook=OUTPUT verdict=ACCEPT cost=84.42µs]
[04:53:15] [0xffff8df50291db00] [4026531840] 8432 1 enp0s8 08:00:27:39:de:94 52 T_PSH:192.168.1.12:53030->192.168.1.138:22 ipttrace=[pf=PF_INET in=enp0s8 out= table=filter chain=INPUT hook=1 rulenum=1]
[04:53:15] [0xffff8df50291db00] [4026531840] 8432 1 enp0s8 08:00:27:39:de:94 52 T_PSH:192.168.1.12:53030->192.168.1.138:22 iptables=[pf=PF_INET table=filter hook=INPUT verdict=ACCEPT cost=38.611µs]
[04:53:15] [0xffff8df50291d000] [4026531840] 8432 1 enp0s8 08:00:27:39:de:94 52 T_PSH:192.168.1.12:53030->192.168.1.138:22 ipttrace=[pf=PF_INET in=enp0s8 out= table=filter chain=INPUT hook=1 rulenum=1]
[04:53:15] [0xffff8df50291d000] [4026531840] 8432 1 enp0s8 08:00:27:39:de:94 52 T_PSH:192.168.1.12:53030->192.168.1.138:22 iptables=[pf=PF_INET table=filter hook=INPUT verdict=ACCEPT cost=40.887µs]
[04:53:15] [0xffff8df50291d900] [4026531840] 8432 1 enp0s8 08:00:27:39:de:94 52 T_PSH:192.168.1.12:53030->192.168.1.138:22 ipttrace=[pf=PF_INET in=enp0s8 out= table=filter chain=INPUT hook=1 rulenum=1]
[04:53:15] [0xffff8df50291d900] [4026531840] 8432 1 enp0s8 08:00:27:39:de:94 52 T_PSH:192.168.1.12:53030->192.168.1.138:22 iptables=[pf=PF_INET table=filter hook=INPUT verdict=ACCEPT cost=48.685µs]
[04:53:15] [0xffff8df402e048e8] [4026531840] 6888 3 00:00:00:00:00:00 328 T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030 ipttrace=[pf=PF_INET in= out=enp0s8 table=filter chain=OUTPUT hook=3 rulenum=1]
[04:53:15] [0xffff8df402e048e8] [4026531840] 6888 3 00:00:00:00:00:00 328 T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030 iptables=[pf=PF_INET table=filter hook=OUTPUT verdict=ACCEPT cost=126.368µs]
[04:53:15] [0xffff8df50291df00] [4026531840] 8432 1 enp0s8 08:00:27:39:de:94 52 T_PSH:192.168.1.12:53030->192.168.1.138:22 ipttrace=[pf=PF_INET in=enp0s8 out= table=filter chain=INPUT hook=1 rulenum=1]
[04:53:15] [0xffff8df50291df00] [4026531840] 8432 1 enp0s8 08:00:27:39:de:94 52 T_PSH:192.168.1.12:53030->192.168.1.138:22 iptables=[pf=PF_INET table=filter hook=INPUT verdict=ACCEPT cost=38.087µs]
[04:53:15] [0xffff8df402e050e8] [4026531840] 6888 3 87:ab:0d:ea:d5:19 1324 T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030 ipttrace=[pf=PF_INET in= out=enp0s8 table=filter chain=OUTPUT hook=3 rulenum=1]
[04:53:15] [0xffff8df402e050e8] [4026531840] 6888 3 87:ab:0d:ea:d5:19 1324 T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030 iptables=[pf=PF_INET table=filter hook=OUTPUT verdict=ACCEPT cost=40.68µs]The rulenum in ipttrace is the rule number in iptables -nvL --line-numbers.
GPL-3.0 license.