
Running Debian 10 on a LXC container:

# apt-get -y install nftables
# nft --version
nftables v0.7 (Scrooge McDuck)
# nft flush ruleset
# nft add table inet filter
# nft add chain inet filter input
# nft add rule inet filter input log
# nft list ruleset
table inet filter {
    chain input {
        log
    }
}

Then, I go to /var/log/syslog, create some network traffic and... I see no message from nftables at all.

I also tried (unsuccessfully) to define the rule this way:

nft add rule inet filter input log prefix \"FINDME \" counter

More tests:

# logger test && tail -1 /var/log/syslog
Aug 18 20:39:53 my-server root: test
# echo "test2" | systemd-cat && tail -1 /var/log/syslog
Aug 18 20:40:52 my-server cat[1907]: test2
# uname -v
 #1 SMP PVE 5.4.34-2 (Thu, 07 May 2020 10:02:02 +0200)

Why is nftables not writing to my syslog?

As a bonus question: would there be any way to trigger an action when a match occurs? For example store blocked IPs on a database.

Julen Larrucea
  • What kernel is this running on? Is *only* the kernel mode logging not working? (Try `counter` and user space logging via `nflog` to pinpoint which part is not working!) – anx Aug 18 '20 at 19:36
  • Thanks @anx! I updated my question a little bit. I also tried with `ulogd2` and logging into the `group 0` and the `counter` options, but they didn't work either. – Julen Larrucea Aug 18 '20 at 21:01

2 Answers


Well... Thanks to the clue of @anx I figured out that apparently netfilter has some difficulties to send the data to rsyslog.

It probably has something to do with the fact that the host is a LXC container without own kernel and the cgroups in the hypervisor... (Buff, I'm getting into dark territory)... Well... Whatever.

Anyway, if somebody happens to have a similar issue, I managed to get some log by sending the data into ulogd. These are the steps to get a basic example working:

# apt-get -y install nftables ulogd2
# nft flush ruleset
# nft add table inet filter
# nft add chain inet filter input '{ type filter hook input priority 0 ; }'
# nft add rule inet filter input log prefix "FINDME" group 0 accept
# nft list ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        log prefix "FINDME" group 0 accept
    }
}
# tail -f /var/log/ulog/syslogemu.log
Julen Larrucea
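One way to act on the bonus question ("store blocked IPs on a database") without touching the kernel side: consume the packet-log lines and load them into SQLite. This is an added example, not code from the question or from either answer. It assumes the KEY=VALUE layout (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, ...) that both the kernel `log` target (as it appears in /var/log/syslog with a `kernel:` tag) and ulogd's LOGEMU output (/var/log/ulog/syslogemu.log, as in the answer above) produce. The function names `parse_line`, `ingest` and `top_sources` are my own, and the sample log lines are constructed using documentation IP ranges.

```python
"""Parse nftables / ulogd packet-log lines and store them in SQLite.

Added example, not from the question or answers. Assumes the KEY=VALUE line
layout written by the kernel log target (via syslog) and by ulogd's LOGEMU
plugin. Sample lines are constructed; 203.0.113.0/24 and 198.51.100.0/24 are
documentation ranges.
"""
import re
import sqlite3
from typing import Iterable, Optional

# "Aug 18 21:03:11 my-server <rest>": classic syslog timestamp, no year
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<rest>.*)$")
# kernel-logged packets carry a "kernel: [ 1234.5678] " tag before the rule prefix
_KERNEL_TAG = re.compile(r"^kernel:\s*(\[\s*[\d.]+\]\s*)?")
_KV = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample input: two ulogd LOGEMU lines, one kernel-log line,
# and one unrelated syslog line that must be ignored.
SAMPLE_LINES = [
    "Aug 18 21:03:11 my-server  FINDME IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 "
    "SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=48211 DF "
    "PROTO=TCP SPT=51022 DPT=22 SEQ=1 ACK=0 WINDOW=64240 SYN URGP=0",
    "Aug 18 21:03:12 my-server  FINDME IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 "
    "SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=48212 DF "
    "PROTO=TCP SPT=51023 DPT=22 SEQ=1 ACK=0 WINDOW=64240 SYN URGP=0",
    "Aug 18 21:03:15 my-server kernel: [ 8812.441083] FINDME IN=eth0 OUT= "
    "MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 SRC=203.0.113.42 DST=198.51.100.10 "
    "LEN=84 TOS=00 PREC=0x00 TTL=55 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1",
    "Aug 18 20:39:53 my-server root: test",
]

SCHEMA = """
CREATE TABLE IF NOT EXISTS hits (
    ts TEXT, host TEXT, prefix TEXT, src TEXT, dst TEXT,
    proto TEXT, spt INTEGER, dpt INTEGER
)"""


def parse_line(line: str) -> Optional[dict]:
    """Return the packet fields of one log line, or None if it is not a packet log."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rest = _KERNEL_TAG.sub("", m.group("rest"), count=1)
    idx = rest.find("IN=")
    if idx < 0:
        return None  # e.g. the "root: test" line produced by logger
    fields = dict(_KV.findall(rest[idx:]))
    if "SRC" not in fields:
        return None
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "prefix": rest[:idx].strip(),  # the rule's "log prefix" text
        "src": fields["SRC"],
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "spt": int(fields["SPT"]) if fields.get("SPT", "").isdigit() else None,
        "dpt": int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None,
    }


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def ingest(lines: Iterable[str], conn: sqlite3.Connection) -> int:
    """Store every parseable packet-log line; return how many were stored."""
    rows = [r for r in map(parse_line, lines) if r]
    conn.executemany(
        "INSERT INTO hits VALUES (:ts, :host, :prefix, :src, :dst, :proto, :spt, :dpt)", rows)
    conn.commit()
    return len(rows)


def top_sources(conn: sqlite3.Connection, prefix: Optional[str] = None, limit: int = 5):
    """Most frequent source addresses, optionally restricted to one log prefix."""
    sql = "SELECT src, COUNT(*) AS n FROM hits"
    params: tuple = ()
    if prefix is not None:
        sql += " WHERE prefix = ?"
        params = (prefix,)
    sql += " GROUP BY src ORDER BY n DESC, src LIMIT ?"
    return conn.execute(sql, params + (limit,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(ingest(SAMPLE_LINES, db), "packet-log lines stored")
    for src, n in top_sources(db, prefix="FINDME"):
        print(f"{src:16} {n}")
```

Pointing `ingest` at `open("/var/log/ulog/syslogemu.log")` instead of `SAMPLE_LINES` gives a persistent table keyed by rule prefix, so different `log prefix` strings (e.g. one per drop rule) can be counted separately. For a production setup, ulogd2 itself ships database output plugins (Debian packages ulogd2-sqlite3, ulogd2-mysql, ulogd2-pgsql) that write the NFLOG packets directly into a database without any log-file parsing.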

I ran into a very similar problem: nftables did not log when run inside a network namespace. The solution from Julen did not work for me.

As I'm not running any container, I could fix my problem using

echo 1 >/proc/sys/net/netfilter/nf_log_all_netns

More details: https://blog.raymond.burkholder.net/index.php?/archives/787-nftables-network-namespace-logging.html

Andreas Florath