How can I log packets dropped by policy in nftables?
Well, I'm going to guess that you also want to know WHAT kind of packet is being logged at the end of your nftables chain.
I would add one line at the end of your chain; an example of a filter input chain is given below:
table filter {
    ...
    chain input {
        type filter hook input priority 0; policy drop;
        ...
        # All my rules go here
        ...
        # Pick one that suits your needs best
        counter comment "total unfiltered input packets"
        log                                   # simple detail goes into the log
        log flags all                         # extra details go into the log
        log flags all prefix "GOTCHA!: "      # parseable keyword
        log flags all counter                 # redundant but example
        # drop;                               # this is redundant: policy is drop already
    }
    ...
}
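The reason the answer suggests a prefix such as "GOTCHA!: " is that the kernel writes the nftables log entries into the kernel log in the netfilter key=value format (IN=, OUT=, SRC=, DST=, PROTO=, DPT=, ...), and a fixed prefix makes those lines easy to pick out of everything else in dmesg or syslog. The script below is an added example, not part of the original answer: it filters constructed sample kernel log lines by that prefix and summarises the dropped packets by protocol, source address and destination port. The log lines, host name, addresses and ports are all made up for the example; on a real host you would feed it `journalctl -k` or `dmesg` output instead of the embedded string.

```shell
#!/bin/sh
# Added example: parse the kernel log lines produced by a rule such as
#   log flags all prefix "GOTCHA!: "
# at the end of an nftables chain with "policy drop".
#
# SAMPLE_LOG is a CONSTRUCTED sample in the netfilter log format, not captured
# output. Line 3 is an unrelated kernel message to show that it is skipped.
SAMPLE_LOG='Jan 10 12:00:01 host kernel: GOTCHA!: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:02 host kernel: GOTCHA!: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=40 PROTO=UDP SPT=5353 DPT=5353 LEN=20
Jan 10 12:00:03 host kernel: some unrelated kernel message
Jan 10 12:00:04 host kernel: GOTCHA!: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44322 DPT=22 SYN'

# Print one "PROTO SRC DPT" line per packet that carried the log prefix.
# Fields without a port (ICMP, for example) print "-" for DPT.
dropped_packets() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v pfx='GOTCHA!: ' '
        index($0, pfx) == 0 { next }        # keep only our prefixed lines
        {
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")           # each token is KEY=VALUE (or a flag like SYN)
                if (kv[1] == "SRC")        src   = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT")   dpt   = kv[2]
            }
            print proto, src, dpt
        }'
}

# Aggregate the drops per source address, most frequent first: the view a
# defender usually wants before deciding whether a source needs attention.
drops_per_source() {
    dropped_packets | awk '{ c[$2]++ } END { for (s in c) print c[s], s }' | sort -rn
}

# Stand-alone run: show the per-packet list, then the per-source counts.
dropped_packets
drops_per_source
```

To run it against a live system, replace the `printf '%s\n' "$SAMPLE_LOG"` with `journalctl -k --no-pager` (or `dmesg`) and keep the rest; the prefix is the only thing that ties the two together, so choose one that no other kernel message is likely to contain.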