
I seem to have made nftables log all incoming traffic that is allowed instead of only denied traffic, and I cannot figure out how else to say "deny and log everything else".

Here is my /etc/nftables.conf file:

  #!/usr/sbin/nft -f

  flush ruleset

  table inet filter {
    chain input {
      type filter hook input priority 0;

      # Accept any localhost traffic
      iif lo accept

      # Accept traffic originated from us
      ct state established,related accept

      # Accept neighbour discovery otherwise IPv6 connectivity breaks
      ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

      # Allow incoming SSH connections
      tcp dport ssh ct state new counter accept

      # Allow mdns from the LAN
      ip saddr 192.168.1.0/24 udp dport mdns counter accept
      ip6 saddr fe80::/10 udp dport mdns counter accept

      ip saddr 192.168.1.0/24 log prefix "Rejected: " flags all reject comment "send rejection to LAN only"
      ip6 saddr fe80::/10 log prefix "Rejected: " flags all reject comment "send rejection to LAN only"

      # Log and drop any other traffic
      # THIS IS THE BROKEN PART
      log prefix "Dropped:  " flags all drop
    }

    chain forward {
      type filter hook forward priority 0;
    }

    chain output {
      type filter hook output priority 0;
    }
  }

2 Answers


I suppose you missed the part about the default for chains. From the manual:

{add | create} chain [family] table chain [{ type type hook hook [device device] priority priority ; [policy policy ;] }]

That policy value mentioned here is described as follows:

Base chains also allow to set the chain's policy, i.e. what happens to packets not explicitly accepted or refused in contained rules. Supported policy values are accept (which is the default) or drop.

So I suppose you'll want to switch out these lines:

  chain input {
    type filter hook input priority 0;

for these:

  chain input {
    type filter hook input priority 0;
    policy drop;

But make sure you have some way of accessing this machine in case you lock yourself out with your rules. For iptables the command to use would be iptables-apply, but I am not sure what can be used in its place for nft. iptables-apply will revert the rules if you are unable to confirm within a given timeout period that you are able to (still) access the host ...

0xC0000022L
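The answer above warns about locking yourself out and notes that there is no ready-made iptables-apply counterpart for nft. The bash script below is added here as an illustration, not taken from either answer: it snapshots the live ruleset with `nft list ruleset`, syntax-checks and loads the new file, then restores the snapshot unless the operator confirms within a timeout. The function name, the `NFT` override variable and the exit codes are my own choices.

```bash
#!/bin/bash
# Confirm-or-revert loader for nftables rulesets (hypothetical helper, not part of nftables).
# Snapshot the live ruleset, load the new one, and restore the snapshot unless the
# operator confirms within a timeout, so a mistaken "policy drop" cannot lock you out.

NFT=${NFT:-nft}   # command used to talk to nftables; overridable (assumption, e.g. for tests)

# safe_nft_apply RULESET_FILE [TIMEOUT_SECONDS]
# Exit status: 0 = new ruleset confirmed and kept, 2 = rolled back, 1 = check/load error
# (the live ruleset is untouched on status 1).
safe_nft_apply() {
    local file=$1 timeout=${2:-30} backup rc
    backup=$(mktemp) || return 1

    # "nft list ruleset" prints declarations only; prefix "flush ruleset" so that
    # loading the snapshot replaces the rules instead of merging with them.
    if ! { echo "flush ruleset"; "$NFT" list ruleset; } > "$backup"; then
        rm -f "$backup"; return 1
    fi
    # Parse-only pass first (-c): a syntax error must never take the firewall down.
    if ! "$NFT" -c -f "$file"; then rm -f "$backup"; return 1; fi
    if ! "$NFT" -f "$file";    then rm -f "$backup"; return 1; fi

    echo "New ruleset loaded. Press Enter within ${timeout}s to keep it, otherwise it is reverted." >&2
    if read -r -t "$timeout" _; then
        rc=0
    else
        # Timed out, or stdin closed because the session itself got cut off: roll back.
        "$NFT" -f "$backup"
        rc=2
    fi
    rm -f "$backup"
    return "$rc"
}

# Typical use from an SSH session: safe_nft_apply /etc/nftables.conf 30
```

If the SSH session dies because the new rules dropped it, `read` sees end-of-file and the old ruleset is restored immediately rather than after the timeout.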

I eventually solved this by jumping to a separate chain for LAN-only rules, so that the input chain has only one log line. I am not sure why just adding policy drop to the input chain as suggested by @0xC0000022L was not sufficient.

  #!/usr/sbin/nft --file

  flush ruleset

  table inet filter {
    chain input {
      type filter hook input priority 0; policy drop;

      # Normal "prelude" things you always want.
      ct state vmap { new: continue, established: accept, related: accept, invalid: drop }
      ct status dnat accept
      iiftype loopback accept
      icmp type echo-request accept
      icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

      tcp dport ssh accept comment "Allow incoming SSH connections"

      ip  saddr 192.168.1.0/24  jump lan_only
      ip6 saddr fe80::/10       jump lan_only

      log prefix "Dropped:  " flags all drop comment "non-LAN gets dropped brusquely"
    }

    chain lan_only {
      udp dport mdns counter accept comment "Allow mdns from the LAN"
      log prefix "Rejected: " flags all reject comment "LAN gets rejected politely (others get dropped brusquely)"
    }

    chain forward {
      type filter hook forward priority 0;
    }

    chain output {
      type filter hook output priority 0;
    }
  }