George N. White III writes:
https://thermalcircle.de/doku.php?id=blog:linux:nftables_packet_flow_netfilter_hooks_detail
My attention span was not sufficient for that one.
The author says he used logs to work out the details, but doesn't say how
the logs were obtained. There is lots of old stuff on netfilter logging:
https://wiki.nftables.org/wiki-nftables/index.php/Logging_traffic
Logging traffic - nftables wiki (from 2017) uses ulogd.
So, there is a logging facility, of some sorts, in nft.
But I already had logging working when firewalld was using iptables. The
rich rule that specifies logging is still there. Nothing happened to it.
firewall-config even shows this rule. firewall-config has a checkbox to,
allegedly, enable logging. When showing this rule firewall-config even
shows this checkbox as selected. So far so good, but the forward march of
progress ends abruptly, at this point:
No logging.
Also, curiously, I don't seem to be able to edit this rule in
firewall-config. It shows it but won't let me edit it. The rich rule was added
directly via firewall-cmd, so at some level firewalld knows about it. Except
that it is not fully implemented in the UI, and fully unimplemented in the
netfilter backend. At least the rule itself is there, and its core
functionality is there. But the logging is sorely missed.
Perusing the nftables wiki it does seem that firewalld /should/ be able to
grok this, and it's simply not implemented. I'll just cross my fingers, and
patiently wait for it to catch up with iptables.
A shot in the dark: the old iptables-based rule specified a rate limit on
the logging. The nft wiki page makes no mention of rate limit. I wonder if
that's the firewalld limitation: it just ignores the log specification because
of that?
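One way to tell whether the nftables backend actually rendered the rich rule's log statement (and its rate limit) is to inspect the live ruleset rather than the firewalld UI. The following is an added example, not code from the thread or from the firewalld project: it greps a ruleset dump for a `log prefix` statement and checks whether a `limit rate` sits on the same line. The ruleset text embedded below is constructed to stand in for `nft list ruleset` output; the table and chain names in it are illustrative.

```shell
#!/bin/sh
# Added example: check a ruleset dump for a surviving log statement.
# SAMPLE_RULESET is a constructed stand-in for real `nft list ruleset` output;
# on a live host replace it with "$(nft list ruleset)" (needs root).
SAMPLE_RULESET='table inet firewalld {
	chain filter_IN_public_allow {
		tcp dport 22 ct state { new, untracked } accept
		limit rate 1/minute log prefix "fw-drop: " level info
	}
}'

# has_log_rule DUMP PREFIX
# Exit 0 if DUMP contains a log statement whose prefix starts with PREFIX.
has_log_rule() {
    printf '%s\n' "$1" | grep -q "log prefix \"$2"
}

# log_rule_has_limit DUMP PREFIX
# Exit 0 if that log statement is also rate-limited (nft's `limit rate`
# is what a rich rule's `limit value="1/m"` would have to become).
log_rule_has_limit() {
    printf '%s\n' "$1" | grep "log prefix \"$2" | grep -q 'limit rate'
}

if has_log_rule "$SAMPLE_RULESET" "fw-drop"; then
    echo "log statement present in ruleset"
    if log_rule_has_limit "$SAMPLE_RULESET" "fw-drop"; then
        echo "  ...and it is rate-limited"
    else
        echo "  ...but without a rate limit"
    fi
else
    echo "no log statement with that prefix: the backend dropped it"
fi
```

If the prefix from the rich rule is absent from `nft list ruleset`, the logging was never handed to netfilter and no amount of ulogd or kernel-log configuration will make entries appear; if it is present but packets still produce no log lines, the problem is downstream (log level, `log group` vs. kernel log, ulogd not running).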