For anyone who has had their eyes crossed when looking at nftrace output, I made an nftables storyteller that provides simpler output. Hopefully someone will find this useful: GitHub - l0crian1/nftrace-story · GitHub
Example:
Trace IDs
python3 nftrace_story.py --format markdown --list-ids test.trace
- 546800e1 | tcp 192.168.2.21:29670 → 10.0.101.214:22 | packets=8 | events=31 | iif=“eth0”
- 709a63bd | udp 192.168.0.50:49697 → 1.1.1.1:53 | packets=15 | events=55 | iif=“eth1” | oif=“eth0”
- 8506763b | udp 192.168.0.50:49697 → 1.1.1.1:53 | packets=15 | events=55 | iif=“eth1” | oif=“eth0”
- 0476221a | udp 1.1.1.1:53 → 10.0.101.214:49697 | packets=10 | events=37 | iif=“eth0” | oif=“eth1”
- 333a3b9f | udp 1.1.1.1:53 → 10.0.101.214:49697 | packets=10 | events=37 | iif=“eth0” | oif=“eth1”
- be21795e | tcp 192.168.0.50:56472 → 34.117.59.81:80 | packets=35 | events=130 | iif=“eth1” | oif=“eth0”
- f7f1f1bc | tcp 34.117.59.81:80 → 10.0.101.214:56472 | packets=20 | events=74 | iif=“eth0” | oif=“eth1”
- 384cf505 | tcp 192.168.0.50:56472 → 34.117.59.81:80 | packets=30 | events=111 | iif=“eth1” | oif=“eth0”
Trace 384cf505
python3 nftrace_story.py --format markdown --id 384cf505 --no-timeline test.trace
Story
-
tcp 192.168.0.50:56472 → 34.117.59.81:80 arrived on interface “eth1”.
-
Routing selected egress interface “eth0” (forwarding path).
-
TTL was decremented by 1 at L375 (typical for forwarding).
-
It was last observed near the FORWARD hook (L604).
-
Final disposition: ACCEPT (L604).
-
Packet headers changed at L342 (possible NAT/rewrite).
-
Tables visited:
trace: preroutingvyos_conntrack: PREROUTING, VYOS_CT_IGNORE, FW_CONNTRACK, NAT_CONNTRACK, PREROUTING_HELPER, VYOS_CT_HELPERvyos_filter: VYOS_PREROUTING_raw, VYOS_FORWARD_filtervrf_zones: vrf_zones_ct_inraw: VYOS_PREROUTING_HOOK, vyos_rpfilter, vyos_global_rpfilter, VYOS_TCP_MSSmangle: FORWARD
-
Flow: tcp 192.168.0.50:56472 → 34.117.59.81:80
-
Ingress: received on
"eth1" -
Egress: forwarded out
"eth0" -
TTL changes: L375: 64→63, L486: 63→64, L523: 64→63, L568: 63→64, L597: 64→63