nftables - how to log only specific type of traffic
My nftables.conf file looks like this.
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        # allow connecting to loopback interface
        iifname lo accept log;
        ct state established,related accept;
        policy drop;
    }
    chain forward {
        type filter hook forward priority 0;
        policy drop;
    }
    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}
When I restart the nftables service I get an error. Obviously it's not the correct way to do it.
What would be the correct way of logging only connections to the loopback interface, and in which file is it logged?
EDIT:
How the error looks in journalctl after I restart the service:
sij 23 14:40:29 dell nft[3998]: /etc/nftables.conf:10:21-23: Error: Statement after terminal statement has no effect
sij 23 14:40:29 dell nft[3998]: iifname lo accept log;
sij 23 14:40:29 dell nft[3998]: ~~~~~~ ^^^
sij 23 14:40:29 dell systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
Actually, the order is important when taking multiple actions in one rule.
log must come before accept, therefore the config file should look like this:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        # allow connecting to loopback interface
        iifname lo log accept;
        ct state established,related accept;
        policy drop;
    }
    chain forward {
        type filter hook forward priority 0;
        policy drop;
    }
    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}
You can also specify which flags to log and a prefix that will be written in the log:
iifname lo log flags all prefix "[nftables] - loopback "
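A log statement without a group, like the one above, is emitted through the kernel's netfilter logging, so the entries land in the kernel ring buffer: read them with dmesg, journalctl -k, or whichever file your syslog daemon writes kernel-facility messages to (commonly /var/log/kern.log or /var/log/messages). The following is an added example, not code from the question or the answer: it parses such kernel log lines, keeps only those carrying the prefix from the rule above, and summarises what is actually talking over lo. The sample lines are constructed for this page in the KEY=VALUE layout the kernel uses for these entries; the host name, addresses and ports are made up.

```python
import re
from collections import Counter

# Constructed sample of kernel log output (journalctl -k style). Lines 1-3 come
# from the `iifname lo log flags all prefix "[nftables] - loopback "` rule, line 4
# from a hypothetical other rule with a different prefix, line 5 is unrelated noise.
SAMPLE_KERNEL_LOG = """\
Jan 23 14:41:02 dell kernel: [nftables] - loopback IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51230 DPT=22 WINDOW=65495 RES=0x00 SYN URGP=0
Jan 23 14:41:02 dell kernel: [nftables] - loopback IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51231 DPT=22 WINDOW=65495 RES=0x00 SYN URGP=0
Jan 23 14:41:03 dell kernel: [nftables] - loopback IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=42870 DPT=53 LEN=64
Jan 23 14:41:04 dell kernel: [nftables] - dropped IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=54321 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 23 14:41:05 dell kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

# The prefix exactly as written in the rule, trailing space included.
LOOPBACK_PREFIX = "[nftables] - loopback "

# KEY=VALUE pairs; bare flags such as DF or SYN carry no '=' and are skipped.
_FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_nft_log_line(line, prefix=LOOPBACK_PREFIX):
    """Return the KEY=VALUE fields of one kernel log entry written with `prefix`,
    or None if the line is not an nftables log entry with that prefix."""
    start = line.find(prefix)
    if start < 0:
        return None
    fields = {}
    for key, value in _FIELD_RE.findall(line[start + len(prefix):]):
        # UDP entries carry LEN= twice (IP header, then UDP header); keep the first.
        fields.setdefault(key, value)
    return fields


def summarize_loopback(log_text, prefix=LOOPBACK_PREFIX):
    """Count entries per (PROTO, DPT) to show what the loopback rule is logging."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_nft_log_line(line, prefix)
        if fields is not None:
            counts[(fields.get("PROTO", "?"), fields.get("DPT", "-"))] += 1
    return counts


def non_loopback_entries(log_text, prefix=LOOPBACK_PREFIX):
    """Entries carrying the loopback prefix whose IN= is not lo. With the rule
    `iifname lo log ...` this list must be empty; anything here means the prefix
    is reused by another rule or the interface match is not what you think."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_nft_log_line(line, prefix)
        if fields is not None and fields.get("IN") != "lo":
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for (proto, dport), n in sorted(summarize_loopback(SAMPLE_KERNEL_LOG).items()):
        print(f"{proto:4} dport {dport:>5}: {n} packet(s)")
    print("entries not from lo:", len(non_loopback_entries(SAMPLE_KERNEL_LOG)))
```

Two practical notes. Run nft -c -f /etc/nftables.conf before systemctl restart nftables: the -c (check) flag parses the file without loading it, so the "Statement after terminal statement has no effect" error surfaces without the service failing and leaving the host with whatever ruleset was active. And since every loopback packet now produces a kernel log line, with flags all making each line longer, watch the volume on a busy host; a prefix that is unique per rule, as in the answer, is what lets a filter like the one above tell the loopback entries apart from any other log rules you add later.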