Note: Full logging support is available starting Linux kernel 3.17. If you run an older kernel, you have to modprobe ipt_LOG to enable logging.
You can log packets using the log action. The most simple rule to log all incoming traffic is:
% nft add rule filter input log
A typical rule match, log and accept incoming ssh traffic looks like:
% nft add rule filter input tcp dport 22 ct state new log prefix \"New SSH connection: \" accept
The prefix indicates the initial string that is used as prefix for the log message.
Note that nftables allows to perform two actions in one single rule, contrary to iptables which required two rules for this.
Also note that the rule is evaluated from the left to the right. So the following rule:
nft add rule filter input iif lo log tcp dport 22 accept
will log all packets coming on lo interface and not only the ones with destination port 22.
Queueing logging to userspace
To do so, you only have to indicate the nflog group:
% nft add rule filter input tcp dport 22 ct state new log prefix \"New SSH connection: \" group 0 accept
Then, run the example test application:
And you'll start seeing log messages for each new ssh connection.