Logging traffic

From nftables wiki
Revision as of 19:58, 13 July 2016 by Pablo (talk | contribs)

Note: Full logging support is available starting with Linux kernel 3.17. If you run an older kernel, you have to modprobe ipt_LOG to enable logging.

You can log packets using the log action. The simplest rule to log all incoming traffic is:

% nft add rule filter input log

A typical rule that matches, logs and accepts incoming ssh traffic looks like:

% nft add rule filter input tcp dport 22 ct state new log prefix \"New SSH connection: \" accept

The prefix option sets the string that is prepended to each log message.

Note that nftables allows performing two actions in a single rule, unlike iptables, which required two rules for this.

Also note that a rule is evaluated from left to right. So the following rule:

% nft add rule filter input iif lo log tcp dport 22 accept

will log all packets arriving on the lo interface, not only those with destination port 22, because the log action comes before the port match.

Queueing logging to userspace

As in iptables, you can use the existing nflog infrastructure to send log messages to ulogd2 or to your own userspace application based on libnetfilter_log.

To do so, you only need to specify the nflog group:

% nft add rule filter input tcp dport 22 ct state new log prefix \"New SSH connection: \" group 0 accept

Then, run the example test application:

libnetfilter_log/utils% ./nfulnl_test

And you'll start seeing log messages for each new ssh connection.
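The same rules in ruleset-file form, as an added example that is not from the wiki: it assumes an ip family table named filter (as the page's "nft add rule filter input ..." commands imply), uses nflog group 0 as on the page, and adds a rate-limited rule that sends dropped packets to the same nflog group.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the wiki page). Loaded with "nft -f"; the
# table name, chain policy and the nflog group number are illustrative.
flush ruleset

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Accept loopback and already established traffic without logging it.
        iif lo accept
        ct state established,related accept

        # Match first, then log, then accept: the rule is evaluated left to
        # right, so only new SSH connections reach the log action. Writing
        # "log tcp dport 22 accept" instead would log every packet first.
        tcp dport 22 ct state new log prefix "New SSH connection: " accept

        # Everything else falls through to the drop policy. Queue a copy to
        # nflog group 0 for ulogd2 or a libnetfilter_log application, rate
        # limited so that a port scan cannot flood the logging pipeline.
        limit rate 5/second log prefix "input dropped: " group 0
    }
}
```

nft -c -f <file> checks the file for syntax errors without loading it into the kernel.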