If nftables is bringing a lot of changes on user side, this is also true in the logging area.
There is now only one single keyword for logging:
log and this target is using the Netfilter logging framework.
A corollary of that is that why you may not see any log messages even if a rule with
log is matching because the Netfilter logging framework has to be configured.
Netfilter logging framework
The Netfilter logging framework is a generic way of logging used in Netfilter components. This framework is implemented in two different
- xt_LOG: printk based logging, outputting everything to syslog (same module as the one used for iptables LOG target). It can only log packets for IPv4 and IPv6
- nfnetlink_log: netlink based logging requiring to setup ulogd2 to get the events (same module as the one used for iptables NFLOG target). It can log packet for any family.
To use one of the two modules, you need to load them with modprobe. It is possible to have both modules loaded and in this case, you can then setup logging on a per-protocol basis. The active configuration is available for reading in /proc:
# cat /proc/net/netfilter/nf_log 0 NONE (nfnetlink_log) 1 NONE (nfnetlink_log) 2 nfnetlink_log (nfnetlink_log,ipt_LOG) 3 NONE (nfnetlink_log) 4 NONE (nfnetlink_log) 5 NONE (nfnetlink_log) 6 NONE (nfnetlink_log) 7 nfnetlink_log (nfnetlink_log) 8 NONE (nfnetlink_log) 9 NONE (nfnetlink_log) 10 nfnetlink_log (nfnetlink_log,ip6t_LOG) 11 NONE (nfnetlink_log) 12 NONE (nfnetlink_log)
The syntax is the following
FAMILY ACTIVE_MODULE (AVAILABLE_MODULES). Here nfnetlink_log was loaded first and xt_LOG was loaded afterward (xt_LOG is aliased to ipt_LOG and ip6t_LOG).
Protocol family numbers can look a bit strange. It is in fact mapped on the socket family name that is used in underlying code.
The list is the following:
#define AF_UNSPEC 0 #define AF_UNIX 1 /* Unix domain sockets */ #define AF_INET 2 /* Internet IP Protocol */ #define AF_AX25 3 /* Amateur Radio AX.25 */ #define AF_IPX 4 /* Novell IPX */ #define AF_APPLETALK 5 /* Appletalk DDP */ #define AF_NETROM 6 /* Amateur radio NetROM */ #define AF_BRIDGE 7 /* Multiprotocol bridge */ #define AF_AAL5 8 /* Reserved for Werner's ATM */ #define AF_X25 9 /* Reserved for X.25 project */ #define AF_INET6 10 /* IP version 6 */ #define AF_MAX 12 /* For now.. */
To update the configuration, you need to write in the file corresponding to the family in
For example, if you want to use ipt_LOG for IPv4 (2 in the list), you can do:
echo "ipt_LOG" >/proc/sys/net/netfilter/nf_log/2
This will active ipt_LOG for IPv4 logging:
# cat /proc/net/netfilter/nf_log 0 NONE (nfnetlink_log) 1 NONE (nfnetlink_log) 2 ipt_LOG (nfnetlink_log,ipt_LOG) 3 NONE (nfnetlink_log) 4 NONE (nfnetlink_log) 5 NONE (nfnetlink_log) 6 NONE (nfnetlink_log) 7 nfnetlink_log (nfnetlink_log) 8 NONE (nfnetlink_log) 9 NONE (nfnetlink_log) 10 nfnetlink_log (nfnetlink_log,ip6t_LOG) 11 NONE (nfnetlink_log) 12 NONE (nfnetlink_log)
Netfilter framework is used internally by Netfilter for some logging. For example, the connection tracking is using it to send messages when invalid packets are seen. These messages are useful because they contain the reason of the reject. For example, one of the message is “nf_ct_tcp: ACK is under the lower bound (possible overly delayed ACK)”.
This logging messages are only sent if the logging of invalid packet is asked. This is done by doing:
echo "255"> /proc/sys/net/netfilter/nf_conntrack_log_invalid
More information on the magical 255 value are available in kernel documentation of nf_conntrack sysctl.
If nfnetlink_log module is used for the protocol, then the used group is 0. So if you want to activate these messages, it could be a good idea to use non 0 nfnetlink group in the log rules.
This way you will be able to differentiate the log sources in a software like ulogd.
Logging with Nftables
As mentioned before, logging is made via a
log keyword. A typical log and accept rule will look like:
nft add rule filter input tcp dport 22 ct state new log prefix \"SSH for ever\" group 2 accept
This rule is accepting packet to port 22 in the state NEW and it is logging them with prefix
SSH for ever on group
Here the group is only used when the active logging kernel module is nfnetlink_log. The option has no effect if xt_LOG is used. In fact, when used with xt_LOG, the only available option is
prefix (at least for nftables 0.099).
The available options when using nfnetlink_log module are the following (at least for nftables 0.099):
prefix: A prefix string to include in the log message, up to 64 characters long, useful for distinguishing messages in the logs.
group: The netlink group (0 – 2^16-1) to which packets are (only applicable for nfnetlink_log). The default value is 0.
snaplen: The number of bytes to be copied to userspace (only applicable for nfnetlink_log). nfnetlink_log instances may specify their own range, this option overrides it.
queue-threshold: Number of packets to queue inside the kernel before sending them to userspace (only applicable for nfnetlink_log). Higher values result in less overhead per packet, but increase delay until the packets reach userspace. The default value is 1.
Note: the description are extracted from iptables man pages.
If you want to do some easy testing with nftables, simply load xt_LOG module before nfnetlink_log. It will bind to IPv4 and IPv6 protocol and provide you logging. For more fancy stuff involving nfnetlink_log, you can have a look at Using ulogd and JSON output.
Happy logging to all!