nft-monitor

nft monitor [object]

nft monitor displays real-time changes to the nftables firewall configuration. It subscribes to netlink notifications and shows when rules, sets, chains, or tables are added, modified, or deleted.Events are displayed as they occur, showing the exact nftables commands that would recreate the change. This is useful for debugging firewall behavior, auditing changes, or understanding how other tools modify the firewall.Without a filter argument, all nftables events are shown. Specifying an object type (rules, sets, etc.) filters the output to only those changes.

rules

Monitor only rule changes

Monitor only set and element changes

Monitor only table changes

Monitor only chain changes

Output events in JSON format

Requires root privileges to access netlink notifications. The monitor runs continuously until interrupted with Ctrl+C. High-frequency changes (like connection tracking updates) may produce substantial output. Only shows changes made while monitoring is active.

nft(8), iptables(8), conntrack(8)