The nft-dropmon profile is similar to the dropmon profile, but specifically designed for netfilter drops. It provides detailed information about which nftables rules are dropping packets.

What it enables

Probes

  • kprobe:__nft_trace_packet/stack - Traces the internal netfilter tracing function with stack trace collection

Collectors

The nft-dropmon profile enables collectors specific to netfilter analysis:
  • nft - Netfilter/nftables verdict and rule information
  • skb - Socket buffer metadata (packet headers, addresses)
  • dev - Device/interface information
  • ns - Network namespace information

Configuration

The profile is configured to filter for drop verdicts only:
  • nft_verdicts: drop - Only capture events where the verdict is “drop”

This profile requires --allow-system-changes or compatible netfilter configuration to enable packet tracing. See retis collect --help for more details.

Usage

Basic collection

retis -p nft-dropmon collect --allow-system-changes

Collect and store for later analysis

retis -p nft-dropmon collect -o --allow-system-changes

Generate pcap from stored events

retis -p nft-dropmon pcap -o retis.pcap

The same profile can be used with both the collect and pcap commands, making it easy to analyze firewall drops in Wireshark.

Use cases

  • Firewall debugging: Understanding why legitimate traffic is being blocked
  • Policy validation: Verifying nftables rules work as intended
  • Security analysis: Identifying blocked attack attempts
  • Rule optimization: Finding which rules are causing drops

Example output

The nft-dropmon profile captures detailed netfilter information:

3443313082998 [swapper/0] 0 [k] __nft_trace_packet
    __nft_trace_packet+0x1
    nft_do_chain+0x3ef
    nft_do_chain_inet+0x54
    nf_hook_slow+0x42
    ip_local_deliver+0xd0
    ip_sublist_rcv_finish+0x7e
    ip_sublist_rcv+0x186
    ip_list_rcv+0x13d
    __netif_receive_skb_list_core+0x29d
    netif_receive_skb_list_internal+0x1d1
    napi_complete_done+0x72
    virtnet_poll+0x3ce
    __napi_poll+0x28
    net_rx_action+0x2a4
    __do_softirq+0xd1
    __irq_exit_rcu+0xbe
    common_interrupt+0x86
    asm_common_interrupt+0x26
    pv_native_safe_halt+0xf
    default_idle+0x9
    default_idle_call+0x2c
    do_idle+0x226
    cpu_startup_entry+0x1d
    __pfx_kernel_init+0x0
    arch_call_rest_init+0xe
    start_kernel+0x71e
    x86_64_start_reservations+0x18
    x86_64_start_kernel+0x96
    __pfx_verify_cpu+0x0
  if 2 (eth0) rxif 2 172.16.42.1.52294 > 172.16.42.2.8080 ttl 64 tos 0x0 id 37968 off 0 [DF] len 60 proto TCP (6) flags [S] seq 1971640626 win 64240
  table firewalld (1) chain filter_IN_FedoraServer (202) handle 215 drop

In this example:
  • A TCP SYN packet from 172.16.42.1:52294 to 172.16.42.2:8080 was dropped
  • The drop occurred in the firewalld table, chain filter_IN_FedoraServer
  • The rule handle is 215, making it easy to identify the exact rule
  • The stack trace shows the packet's path to the netfilter hook: here nf_hook_slow is reached from ip_local_deliver, i.e. the IPv4 input (local-in) hook

Correlating with nftables rules

You can use the handle number from the output to find the exact rule:

$ nft -a list table inet firewalld
...
chain filter_IN_FedoraServer { # handle 202
...
    jump filter_INPUT_POLICIES_post # handle 214
    meta l4proto { icmp, ipv6-icmp } accept # handle 273
    reject with icmpx admin-prohibited # handle 215         <- This one
}
...

Handle 215 corresponds to a reject rule: it sends an ICMP admin-prohibited error back to the sender and then drops the packet, which is why retis reports it as a drop verdict.
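To automate this correlation, here is an added Python example (not part of retis or its documentation) that parses retis nft-dropmon text output together with an nft -a list listing, both constructed from the sample above, and counts drop verdicts per rule handle. The line formats it matches are the ones shown on this page; they are assumptions for any other retis version.

```python
import re
from collections import Counter
# Constructed sample of retis nft-dropmon text output (stack traces omitted).
RETIS_OUTPUT = """\
3443313082998 [swapper/0] 0 [k] __nft_trace_packet
  if 2 (eth0) rxif 2 172.16.42.1.52294 > 172.16.42.2.8080 ttl 64 tos 0x0 id 37968 off 0 [DF] len 60 proto TCP (6) flags [S] seq 1971640626 win 64240
  table firewalld (1) chain filter_IN_FedoraServer (202) handle 215 drop
3443313090000 [swapper/0] 0 [k] __nft_trace_packet
  if 2 (eth0) rxif 2 172.16.42.1.52300 > 172.16.42.2.8080 ttl 64 tos 0x0 id 37969 off 0 [DF] len 60 proto TCP (6) flags [S] seq 1971640700 win 64240
  table firewalld (1) chain filter_IN_FedoraServer (202) handle 215 drop
"""
# Constructed, abridged `nft -a list table inet firewalld` output.
NFT_LISTING = """\
table inet firewalld { # handle 1
    chain filter_IN_FedoraServer { # handle 202
        meta l4proto { icmp, ipv6-icmp } accept # handle 273
        reject with icmpx admin-prohibited # handle 215
    }
}
"""
PKT_RE = re.compile(r"(\S+) > (\S+) .*?proto (\w+)")
VERDICT_RE = re.compile(r"table (\S+) \(\d+\) chain (\S+) \(\d+\) handle (\d+) (\w+)")
RULE_RE = re.compile(r"^\s*(.*?) # handle (\d+)$")

def parse_events(text):
    """Return one (src, dst, proto, table, chain, handle, verdict) tuple per event."""
    events, pkt = [], None
    for line in text.splitlines():
        if m := PKT_RE.search(line):                   # skb collector line
            pkt = m.groups()
        elif (m := VERDICT_RE.search(line)) and pkt:   # nft collector line
            events.append(pkt + m.groups())
            pkt = None
    return events

def parse_rules(text):
    """Map rule handle -> rule text; table/chain headers (ending in '{') are skipped."""
    rules = {}
    for line in text.splitlines():
        if (m := RULE_RE.match(line)) and not m.group(1).endswith("{"):
            rules[m.group(2)] = m.group(1)
    return rules

def drops_per_rule(events, rules):
    """Count drop verdicts per 'table/chain handle N: rule text' key."""
    counts = Counter()
    for _src, _dst, _proto, table, chain, handle, verdict in events:
        if verdict == "drop":
            counts[f"{table}/{chain} handle {handle}: {rules.get(handle, '<not in listing>')}"] += 1
    return counts
```

Handles that appear in the retis output but not in the listing are reported as '<not in listing>', which usually means the listing was taken from a different table or after the ruleset changed.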

Understanding the output

  • Verdict information: Shows which table, chain, and rule (by handle) made the drop decision.
  • Stack trace: Reveals the netfilter hook point where the packet was evaluated.
  • Packet details: Full packet headers help understand what traffic is being blocked.
  • Rule handle: Direct reference to the nftables rule for easy identification.

When to use nft-dropmon

Choose the nft-dropmon profile when:
  • You’re using nftables (not iptables-legacy)
  • You need to debug firewall rules
  • Packets are being blocked unexpectedly
  • You want to audit which rules are actively dropping traffic
  • You need to optimize or troubleshoot netfilter policies
