nft-monitor
Monitor nftables firewall events
TLDR
Monitor all nftables events
Monitor only rule updates (add, delete, replace)
Monitor set and element updates
Monitor events and print JSON output
SYNOPSIS
nft monitor [options] [objects]
PARAMETERS
objects
Specifies one or more classes of netlink events to monitor. If no objects are specified, it defaults to monitoring all available event types. Specific objects include:
trace
Monitors packet tracing events, providing detailed insights into how packets traverse the netfilter ruleset. Requires a meta nftrace set action in nftables rules.
nflog
Monitors Netfilter logging events generated by rules using the nflog target.
meta
Monitors Netfilter meta events, such as network interface status changes.
flow
Monitors flowtable events, related to hardware offloading or expedited packet forwarding.
ct
Monitors connection tracking (conntrack) events, showing new, updated, or deleted connection states.
quota
Monitors updates to quota counters defined in nftables rules.
connlimit
Monitors updates to connection limit counters defined in nftables rules.
state
Monitors stateful firewall state changes.
all
Monitors all available event objects. This is the default if no specific objects are provided.
-s, --stats
Prints counters for all events, providing statistical insights into the frequency of each event type.
-t, --time
Prints a timestamp for each event, useful for chronological analysis.
-e, --event-type
Prints the type of event (e.g., add, delete, update) for configuration changes.
-a, --annotate
Prints annotated events, providing additional context and detail.
-v, --verbose
Prints verbose event details, showing more information than the default output.
-r, --resolve
Resolves network names and service names to human-readable strings.
-n, --numeric
Do not resolve network names and service names; display them numerically.
-N, --numeric-hosts
Do not resolve host names; display them numerically.
-p, --parse
Outputs events in an easily parseable format, suitable for scripting.
-x, --xml
Outputs events in XML format.
-j, --json
Outputs events in JSON format, ideal for machine processing and integration with other tools.
DESCRIPTION
The nft monitor command is an essential component of the nftables framework, designed for real-time observation of events within the Linux kernel's netfilter subsystem.
It allows administrators and developers to watch various netlink messages, including configuration changes (such as the addition or deletion of tables, chains, rules, or sets), packet tracing events (useful for debugging firewall rules), nflog events for detailed logging, connection tracking (CT) updates, flow table events, and meta events related to network interfaces or system state.
This tool is invaluable for debugging complex firewall setups, auditing security policies, and performing real-time security monitoring by providing insights into how packets are processed and how the firewall state evolves.
It supports various output formats, including human-readable, parseable, XML, and JSON, making it versatile for both interactive use and scripting.
CAVEATS
Using nft monitor requires root privileges (or the CAP_NET_ADMIN capability) to access the netfilter subsystem.
The availability of certain event objects (e.g., trace, flow, ct) may depend on the specific Linux kernel version and its configuration.
On busy systems, monitoring all events without specific filtering can generate a very large volume of output, potentially impacting performance or making analysis difficult.
TYPICAL USE CASES
nft monitor is frequently used for:
Debugging Firewall Rules: By monitoring trace events, administrators can see exactly which rules a packet hits and why.
Auditing Configuration Changes: Monitoring table, chain, and rule events provides a real-time log of all modifications to the firewall policy.
Security Monitoring: Observing ct (connection tracking) events can help detect new or unusual network connections, while nflog events offer packet-level insight into suspicious traffic.
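The auditing use case above, combined with the -j/--json output option, is where a small consumer script pays off: instead of reading the raw stream, feed it line by line into a parser that classifies each configuration change and flags the ones a defender cares about (here, deletions in a watched chain). The following is an added example written for this page, not code from the nftables project. It assumes that each nft monitor -j line is one JSON object of the form {"<verb>": {"<object kind>": {...}}} with verbs such as add or delete and object kinds such as table, chain or rule; the sample lines embedded in the script are constructed for the example, not captured from a live system.

```python
"""Classify nft monitor -j events for configuration auditing.

Usage (assumed pipeline):  nft monitor -j | python3 nft_audit.py input forward
"""
import json
import sys
from collections import Counter

# Assumption: config-change events look like {"<verb>": {"<kind>": {...}}}.
CHANGE_VERBS = ("add", "insert", "replace", "delete")
CONFIG_OBJECTS = ("table", "chain", "rule", "set", "map", "element", "flowtable")

# Constructed sample lines shaped like nft monitor -j output (not a real capture).
SAMPLE_EVENTS = [
    '{"add": {"table": {"family": "inet", "name": "filter", "handle": 5}}}',
    '{"add": {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 1, '
    '"type": "filter", "hook": "input", "prio": 0, "policy": "drop"}}}',
    '{"add": {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 3, '
    '"expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, '
    '"right": 22}}, {"accept": null}]}}}',
    '{"delete": {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 3}}}',
    '{"delete": {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 1}}}',
    'not json at all',
]


def parse_event(line):
    """Return (verb, kind, obj) for a configuration-change line, else None.

    Non-JSON noise and events that are not configuration changes (for example
    trace or generation-counter messages) are deliberately skipped.
    """
    try:
        msg = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict) or len(msg) != 1:
        return None
    verb, body = next(iter(msg.items()))
    if verb not in CHANGE_VERBS or not isinstance(body, dict) or len(body) != 1:
        return None
    kind, obj = next(iter(body.items()))
    if kind not in CONFIG_OBJECTS or not isinstance(obj, dict):
        return None
    return verb, kind, obj


def describe(verb, kind, obj):
    """One-line human summary, e.g. 'delete rule inet.filter.input handle=3'."""
    path = ".".join(str(obj[k]) for k in ("family", "table", "chain", "name") if k in obj)
    return f"{verb} {kind} {path} handle={obj.get('handle')}"


def watched_chain(kind, obj):
    """Chain a rule or chain event belongs to; None for other object kinds."""
    if kind == "rule":
        return obj.get("chain")
    if kind == "chain":
        return obj.get("name")
    return None


def audit(lines, watched_chains=frozenset()):
    """Yield (verb, kind, description, alert) for each config change.

    alert is True when a rule or chain is deleted from a watched chain, which is
    the kind of policy weakening an operator usually wants to notice promptly.
    """
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        verb, kind, obj = parsed
        alert = verb == "delete" and watched_chain(kind, obj) in watched_chains
        yield verb, kind, describe(verb, kind, obj), alert


def summarise(lines, watched_chains=frozenset()):
    """Count (verb, kind) pairs and collect alert descriptions, like a -s overview."""
    counts, alerts = Counter(), []
    for verb, kind, desc, alert in audit(lines, watched_chains):
        counts[(verb, kind)] += 1
        if alert:
            alerts.append(desc)
    return counts, alerts


if __name__ == "__main__":
    watched = frozenset(sys.argv[1:])  # chain names to alert on, e.g. input forward
    for _verb, _kind, desc, alert in audit(sys.stdin, watched):
        print(("ALERT " if alert else "") + desc, flush=True)
```

Because parse_event ignores anything that is not a single-key configuration-change object, the script stays quiet on the high-volume event classes the CAVEATS section warns about and only reports policy modifications; the per-(verb, kind) counter gives the same kind of overview as the -s option, but computed in user space over exactly the events you chose to keep.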
REQUIRED PRIVILEGES
To execute nft monitor and effectively interact with the netfilter subsystem, the command must be run with elevated privileges, typically as the root user or via sudo. This is because it requires the CAP_NET_ADMIN capability to access and observe kernel-level network administration events.
HISTORY
The nft monitor command is part of the nft utility, which is the user-space command-line interface for nftables. nftables was developed as a modern successor to the legacy iptables, ip6tables, arptables, and ebtables tools, aiming to provide a unified and more flexible packet filtering framework for the Linux kernel.
Introduced around 2014 and steadily matured since, nftables uses the generic netlink interface to communicate with the kernel, which gives it significant advantages in performance and extensibility.
The monitor subcommand has been an integral feature from early in nftables' development, providing crucial visibility into the dynamic state and configuration changes within the netfilter subsystem, reflecting its design focus on debuggability and introspection.