Use ulogd2

config/networks/dmz.nft

@@ -34,7 +34,7 @@ table inet firewall {
 		ip daddr @dmz_whitelist_web tcp dport {http, https} accept
 		ip daddr . tcp dport @dmz_whitelist_tcp accept
 		ip daddr . udp dport @dmz_whitelist_udp accept
-		counter log prefix "Invalid access to dmz:" drop
+		counter log group 1 prefix "Invalid access to dmz:" drop
 	}
 
 	chain from_dmz {

config/networks/nerim.nft

@@ -31,6 +31,6 @@ table inet firewall {
 	}
 
 	chain snat_nerim {
-		log prefix "masquerade:" masquerade
+		log group 1 prefix "masquerade:" masquerade
 	}
 }

nftables.conf

@@ -97,7 +97,7 @@ table inet firewall {
 		    $if_nerim:         jump from_nerim
 		}
 
-		counter log prefix "Uncaught traffic:"
+		counter log group 1 prefix "Uncaught traffic:"
 	}
 
 	chain source_nat {
@@ -116,6 +116,8 @@ table inet firewall {
 	chain input {
 		type filter hook input priority 0
 		policy drop
+		ct state established,related accept
+		ct state invalid drop
 		meta iif $admin_if accept
 	}
 }

ulogd.conf

@@ -0,0 +1,101 @@
+# Tutorial:
+# https://connect.ed-diamond.com/GNU-Linux-Magazine/glmfhs-041/ulogd2-journalisation-avancee-avec-netfilter
+
+[global]
+######################################################################
+# GLOBAL OPTIONS
+######################################################################
+
+
+# logfile for status messages
+logfile="syslog"
+
+# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) (default 5)
+loglevel=3
+
+######################################################################
+# PLUGIN OPTIONS
+######################################################################
+
+# We have to configure and load all the plugins we want to use
+
+# general rules:
+#
+# 0. don't specify any plugin for ulogd to load them all
+# 1. load the plugins _first_ from the global section
+# 2. options for each plugin in seperate section below
+
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_ULOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_UNIXSOCK.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IFINDEX.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2BIN.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2HBIN.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTPKT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_HWHDR.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTFLOW.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_MARK.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_LOGEMU.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SYSLOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_XML.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SQLITE3.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GPRINT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_NACCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PCAP.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PGSQL.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_MYSQL.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_DBI.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFACCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GRAPHITE.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_JSON.so"
+
+# this is a stack for logging packet send by system via LOGEMU
+stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# Packet logging
+stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,print1:PRINTPKT,json1:JSON
+
+# Logging of system packet through NFLOG
+[log1]
+# netlink multicast group (the same as the iptables --nflog-group param)
+# Group O is used by the kernel to log connection tracking invalid message
+group=0
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# set number of packet to queue inside kernel
+#netlink_qthreshold=1
+# set the delay before flushing packet in the queue inside kernel (in 10ms)
+#netlink_qtimeout=100
+
+# packet logging through NFLOG for group 1
+[log2]
+# netlink multicast group (the same as the iptables --nflog-group param)
+group=1 # Group has to be different from the one use in log1
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
+# group 0 is not used by any stack, you need to have at least one NFLOG
+# input plugin with bind set to 1. If you don't do that you may not
+# receive any message from the kernel.
+#bind=1
+
+[emu1]
+file="/var/log/ulog/syslogemu.log"
+sync=1
+
+[json1]
+sync=1
+#file="/var/log/ulog/ulogd.json"
+#timestamp=0
+# device name to be used in JSON message
+#device="My awesome Netfilter firewall"
+# If boolean_label is set to 1 then the numeric_label put on packet
+# by the input plugin is coding the action on packet: if 0, then
+# packet has been blocked and if non null it has been accepted.
+#boolean_label=1
+# Uncomment the following line to use JSON v1 event format that
+# can provide better compatility with some JSON file reader.
+#eventv1=1