iptables TRACE No chain/target/match by that name

pablochacin asked:

I'm debugging iptables for a KVM VM running a Buildroot image. When I try to set the following TRACE rule I get the error "iptables: No chain/target/match by that name":

  sudo iptables -t raw -A OUTPUT -p tcp --destination --dport 8443 -j TRACE

If I instead enable the LOG rule it works, and the packets are logged, but I need to check which rule, if any, is dropping the packets.

Update: Information about the environment on which the problem occurs (inside the VM):

  $ uname -a
  Linux minikube 4.15.0 #1 SMP Sat Dec 8 00:26:02 UTC 2018 x86_64 GNU/Linux
  $ cat /proc/version
  Linux version 4.15.0 ([email protected]) (gcc version 7.3.0 (Buildroot 2018.05)) #1 SMP Sat Dec 8 00:26:02 UTC 2018

My answer:

The problem here is that the iptables TRACE target requires the nf_log_ipv4 (or nf_log_ipv6) kernel module. If the module is present, it gets loaded automatically. However, minikube’s kernel build has only a limited set of netfilter modules, so what you can do with iptables inside minikube is limited to the functionality provided by the existing modules.
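To confirm that diagnosis before touching the ruleset, here is a small POSIX shell check (an added example, not part of the original answer) that looks for the nf_log_ipv4 logger in the three places it can live: already registered in /proc/net/netfilter/nf_log, present as a loadable module, or compiled into the kernel. The file paths are passed as arguments so it can be pointed at a constructed tree; the demo tree below is constructed and does not come from the question's VM.

```shell
#!/bin/sh
# trace_logger_status: report whether the logger that -j TRACE needs (nf_log_ipv4
# for IPv4) is registered, loadable, built in, or absent on a given kernel.
#   $1  nf_log registry, normally /proc/net/netfilter/nf_log
#   $2  module tree,     normally /lib/modules/$(uname -r)
#   $3  kernel config,   normally /boot/config-$(uname -r) (or zcat /proc/config.gz)
# Prints one of: registered | module | builtin | missing; exits 1 when missing.
trace_logger_status() {
  nf_log=$1; moddir=$2; kconfig=$3
  # Already registered: each nf_log line is "<family> <active logger> (<available loggers>)".
  if [ -r "$nf_log" ] && grep -q 'nf_log_ipv4' "$nf_log"; then
    echo registered; return 0
  fi
  # Loadable module present (possibly compressed, hence .ko*); the kernel would modprobe it on demand.
  if [ -d "$moddir" ] && find "$moddir" -name 'nf_log_ipv4.ko*' | grep -q .; then
    echo module; return 0
  fi
  # Compiled into the kernel image.
  if [ -r "$kconfig" ] && grep -q '^CONFIG_NF_LOG_IPV4=y' "$kconfig"; then
    echo builtin; return 0
  fi
  echo missing; return 1
}

# Constructed tree mimicking a kernel without nf_log_ipv4, like the one in the
# question: an nf_log file with no IPv4 logger, an empty module tree, and a
# config that leaves CONFIG_NF_LOG_IPV4 unset. Not real data from the page.
demo=$(mktemp -d)
mkdir -p "$demo/modules/kernel/net/ipv4/netfilter"
printf ' 2 NONE ()\n' > "$demo/nf_log"
printf '# CONFIG_NF_LOG_IPV4 is not set\n' > "$demo/config"
trace_logger_status "$demo/nf_log" "$demo/modules" "$demo/config"   # prints: missing
rm -rf "$demo"
# On a live host:
# trace_logger_status /proc/net/netfilter/nf_log "/lib/modules/$(uname -r)" "/boot/config-$(uname -r)"
```

If the result is "missing", no iptables invocation will make TRACE work; the kernel has to be rebuilt with the module before the rule can be added.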


Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.