Provided by: iptables_1.8.10-3ubuntu2_amd64 bug

NAME
       xtables-monitor — show changes to rule set and trace-events


SYNOPSIS
       xtables-monitor [-t] [-e] [-4||-6]


DESCRIPTION
       xtables-monitor  is  used to monitor changes to the ruleset or to show rule evaluation events for packets
       tagged using the TRACE target.  xtables-monitor will run until the user aborts  execution,  typically  by
       using CTRL-C.


OPTIONS
       -e, --event

       Watch for updates to the rule set.
              Updates  include  creation of new tables, chains and rules and the name of the program that caused
              the rule update.

       -t, --trace
              Watch for trace events generated by packets that have been tagged using the TRACE target.

       -4     Restrict output to IPv4.

       -6     Restrict output to IPv6.


EXAMPLE OUTPUT
       xtables-monitor --trace

               1 TRACE: 2 fc475095 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE
               2 PACKET: 0 fc475095  IN=lo  LL=0x304  0000000000000000000000000800  SRC=127.0.0.1  DST=127.0.0.1
              LEN=84 TOS=0x0 TTL=64 ID=38349DF
               3 TRACE: 2 fc475095 raw:PREROUTING:return:
               4 TRACE: 2 fc475095 raw:PREROUTING:policy:ACCEPT
               5 TRACE: 2 fc475095 filter:INPUT:return:
               6 TRACE: 2 fc475095 filter:INPUT:policy:DROP
               7 TRACE: 2 0df9d3d8 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE

       The  first  line  shows  a packet entering rule set evaluation.  The protocol number is shown (AF_INET in
       this case), then a packet identifier number that allows one to correlate messages coming  from  rule  set
       evaluation  of  this  packet.  After this, the rule that was matched by the packet is shown.  This is the
       TRACE rule that turns on tracing events for this packet.

       The second line dumps information about the packet. Incoming interface and packet headers such as  source
       and destination addresses are shown.

       The  third  line  shows  that  the  packet  completed traversal of the raw table PREROUTING chain, and is
       returning, followed by use of the chain policy to make accept/drop decision  (the  example  shows  accept
       being  applied).   The  fifth line shows that the packet leaves the filter INPUT chain, i.e., no rules in
       the filter table's INPUT chain matched the packet.  It then got DROPPED by the policy of the INPUT table,
       as shown by line six.  The last line shows another packet arriving -- the packet id is different.

       When using the TRACE target, it is usually a good idea to only select  packets  that  are  relevant,  for
       example via
       iptables -t raw -A PREROUTING -p tcp --dport 80 --syn -m limit --limit 1/s -j TRACE

       xtables-monitor --event
                1 EVENT: nft: NEW table: table filter ip flags 0 use 4 handle 444
                2  EVENT: # nft: ip filter INPUT use 2 type filter hook input prio 0 policy drop packets 0 bytes
              0
                3 EVENT: # nft: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets  0
              bytes 0
                4  EVENT:  #  nft: ip filter OUTPUT use 0 type filter hook output prio 0 policy accept packets 0
              bytes 0
                5 EVENT: -4 -t filter -N TCP
                6 EVENT: -4 -t filter -A TCP -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
                7 EVENT: -4 -t filter -A TCP -p tcp -m multiport --dports 80,443 -j ACCEPT
                8 EVENT: -4 -t filter -A INPUT -p tcp -j TCP
                9 EVENT: -4 -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
               10 NEWGEN: GENID=13904 PID=25167 NAME=iptables-nftables-restore

       This example shows event monitoring.  Line one shows creation of a table (filter in this case),  followed
       by  three  base  hooks INPUT, FORWARD and OUTPUT.  The iptables-nftables tools all create tables and base
       chains automatically when needed, so this is expected when a table was not yet initialized or when it  is
       re-created  from  scratch  by  iptables-nftables-restore.  Line five shows a new user-defined chain (TCP)
       being added, followed by addition a few rules. the last line shows that  a  new  ruleset  generation  has
       become active, i.e., the rule set changes are now active.  This also lists the process id and the program
       name.


LIMITATIONS
       xtables-monitor  only  works  with rules added using iptables-nftables, rules added using iptables-legacy
       cannot be monitored.


BUGS
       Should be reported or by sending email to  netfilter-devel@vger.kernel.org  or  by  filing  a  report  on
       https://bugzilla.netfilter.org/.


SEE ALSO
       iptables(8), xtables(8), nft(8)

iptables 1.8.10                                                                               XTABLES-MONITOR(8)