Log unmatched nftables packets
- Clone this repository:

  ```sh
  git clone 'https://github.com/fussel178/nftables-unmatched-logger.git'
  cd nftables-unmatched-logger
  ```
- Build and install the package:

  ```sh
  makepkg -si
  ```
- Install ulogd:

  ```sh
  sudo pacman -S ulogd
  ```
- Enable the plugins and configure the logging stack in `/etc/ulogd.conf`. The `group=1` in `[log1]` must match the `group` used on the nft log rule, and because ulogd's JSON output in `unix` mode connects to the socket as a client, the logger service that provides `/run/nftables-unmatched-logger/ulog.sock` has to be running before ulogd starts:

  ```ini
  [global]
  logfile="/var/log/ulogd.log"
  loglevel=5
  rmem=131071
  bufsize=150000

  ##
  ## plugins
  ##

  # inputs
  plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
  plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"

  # filters
  plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
  plugin="/usr/lib/ulogd/ulogd_filter_HWHDR.so"
  plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"

  # outputs
  plugin="/usr/lib/ulogd/ulogd_output_JSON.so"

  # JSON to python stack
  #
  stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON

  ##
  ## part configurations
  ##

  [log1]
  group=1

  [json1]
  sync=1
  mode="unix"
  file="/run/nftables-unmatched-logger/ulog.sock"
  ```
- Configure the log group in nftables. The rule must come after every other rule in the input chain, so that only packets no earlier rule accepted or dropped reach it. Put `limit rate` before `log`: nft evaluates statements left to right, and a `log` placed before the limit fires for every packet, which defeats the rate limit:

  ```sh
  # append after all other rules in the input chain
  nft add rule inet filter input limit rate 3/second log prefix "nft_in_unmtch" group 1
  ```

  `nft add rule` only changes the running ruleset; add the same rule to the file your ruleset is loaded from (`/etc/nftables.conf` on Arch) so it survives a reload.
- Enable and start both systemd services, in this order (the logger creates the socket that ulogd connects to):

  ```sh
  sudo systemctl enable --now nftables-unmatched-logger.service
  sudo systemctl enable --now ulogd.service
  ```
- Finished!
To query the collected data from the console, you can use the `sqlite3` command line interface:

```sh
sudo sqlite3 -column -header /var/lib/nftables-unmatched-logger/main.sqlite "
SELECT ip_address,addresses.first_seen,addresses.last_seen,proto,port,name,count FROM calls
INNER JOIN addresses ON addresses.id = calls.address_id
INNER JOIN services ON services.id = calls.service_id
ORDER BY ip_address;
"
```