nftable produce unexpected message in syslog

I have the following nftables rule: log prefix "[nftables] output denied1: " ip daddr 34.117.59.81 reject

in syslog i can see the message: [nftables] output denied1: IN= OUT=br0 SRC=10.10.10.1 DST=10.10.10.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=540 PROTO=ICMP TYPE=0 CODE=0 ID=2 SEQ=60848

Now i wonder how it is possible? In the syslog message there is DST=10.10.10.4, but the rule shouldn't be used for that destination address.

It would be realy cool, if anyone can explain this behaviour.

Order does matter. In a single rule, each expression / (non-terminal) statement is evaluated in turn:

• if true, evaluation continues to the next expression/statement in the rule
• if false, evaluation ends

Most non-terminal statement are true (ie: rule evaluation continues). Anyway that's the case for the log statement: it always allows continuation of evaluation in the rule.

A log statement placed as the first part of the rule will do its role: generate logs. Without filter before it (or without being in a regular (aka user) chain called from a previous rule with such filter) everything will be logged. Then evaluation will continue to the actual filter: ip daddr 34.117.59.81. If this one evaluates true, reject will be done, else nothing more happens in this rule (and next rule if any is evaluated).

The fix is to always put the log statement after the condition it's supposed to log about and before the terminal statement (which won't allow further expressions/statements):

ip daddr 34.117.59.81 log prefix "[nftables] output denied1: " reject