在rule中添加meta nftrace set 1就可以启用trace
nft insert rule inet fw4 input meta l4proto {icmp,icmpv6} nftrace set 1 counter accept #监视icmp,icmpv6
nft insert rule inet fw4 input ip protocol icmp meta nftrace set 1 counter accept #监视icmp
nft insert rule inet fw4 input ip6 nexthdr icmpv6 meta nftrace set 1 counter accept #监视icmpv6
nft insert rule inet fw4 foward ip daddr 192.168.33.6 tcp dport 80 nftrace set 1 counter accept #监视转发的http
nft insert rule inet fw4 prerouting ip daddr 192.168.33.6 tcp dport 80 nftrace set 1 counter accept #监视所有的http
然后执行
nft monitor trace
就可以看到每个收到的包及各个链中rule处理结果