From c5e569125b814b0027f9430d9508bd24e8f1cac4 Mon Sep 17 00:00:00 2001
From: Andris PE
Date: Wed, 7 May 2025 16:23:44 +0000
Subject: [PATCH 1/2] Add nftrace example ruleset

Add example rules to enable nftrace and elaborate filter example to avoid overrunning user's terminal using defaults

Signed-off-by: Andris PE
---
 .../nftables.d/10-custom-filter-chains.nft | 22 ++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/root/etc/nftables.d/10-custom-filter-chains.nft b/root/etc/nftables.d/10-custom-filter-chains.nft
index 4cb4213..2562ac4 100644
--- a/root/etc/nftables.d/10-custom-filter-chains.nft
+++ b/root/etc/nftables.d/10-custom-filter-chains.nft
@@ -1,7 +1,6 @@
 ## The firewall4 input, forward and output chains are registered with
 ## priority `filter` (0).
 
-
 ## Uncomment the chains below if you want to stage rules *before* the
 ## default firewall input, forward and output chains.
 
@@ -37,3 +36,24 @@
 # ct state new log prefix "Firewall4 accepted egress: "
 # }
 
+## Uncomment the chains below to stage nftrace instrumentation
+## at the beginning of both base chains filtering packets first
+## Example enables tracing of DNS packets to limit output volume
+## Adjust to Your requirements and observe output using
+## root@OpenWRT:~# nft monitor trace
+
+# chain raw_prerouting {
+# type filter hook prerouting priority raw; policy accept;
+# jump trace_chain
+# }
+#
+# chain raw_output {
+# type filter hook output priority raw; policy accept;
+# jump trace_chain
+# }
+#
+# chain trace_chain {
+# meta l4proto {tcp,udp} th dport 53 meta nftrace set 1
+# # meta nftrace set 1
+# }
+

From 6b72f7149de2bda65486eb51602992e321cbd832 Mon Sep 17 00:00:00 2001
From: Andris PE
Date: Thu, 8 May 2025 07:12:50 +0000
Subject: [PATCH 2/2] Also include DNS responses.

Signed-off-by: Andris PE
---
 root/etc/nftables.d/10-custom-filter-chains.nft | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
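Review bot: The example base chains added in the second hunk are named `raw_prerouting` and `raw_output`, which may be the same names firewall4 itself generates in this table for its raw-hook rules when conntrack helpers or notrack rules are configured; if so, uncommenting the example would silently merge into, or fail against, the generated chain rather than stand alone, so a distinct prefix such as `trace_prerouting` / `trace_output` would be safer — please verify against the generated ruleset. The header comment is also hard to follow; consider `## Uncomment the chains below to mark packets for nftrace in the raw hook, i.e. before conntrack and before the firewall4 chains run.` in place of the first two lines. Since `nft monitor trace` emits one event per rule evaluated for every marked packet, a one-line note next to the commented-out `# # meta nftrace set 1` fallback saying that it marks all traffic and should only be enabled briefly on a busy router would make the volume caveat explicit where the user is most likely to flip it on.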
diff --git a/root/etc/nftables.d/10-custom-filter-chains.nft b/root/etc/nftables.d/10-custom-filter-chains.nft
index 2562ac4..53174ee 100644
--- a/root/etc/nftables.d/10-custom-filter-chains.nft
+++ b/root/etc/nftables.d/10-custom-filter-chains.nft
@@ -53,7 +53,7 @@
 # }
 #
 # chain trace_chain {
-# meta l4proto {tcp,udp} th dport 53 meta nftrace set 1
+# meta l4proto {tcp,udp} th sport . th dport { 53 . 0-65535, 0-65535 . 53 } meta nftrace set 1
 # # meta nftrace set 1
 # }
 
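Review bot: The new `th sport . th dport { 53 . 0-65535, 0-65535 . 53 }` match is harder to read than it needs to be and depends on concatenated-range set support, which only recent nftables and kernel versions provide, so it may fail to load on older OpenWrt releases. Two plain rules express the same "either direction" match without that dependency and read as documentation for the user: `# meta l4proto {tcp,udp} th dport 53 meta nftrace set 1` and `# meta l4proto {tcp,udp} th sport 53 meta nftrace set 1`. Either form also marks unrelated traffic that merely uses port 53, which is acceptable for a tracing example but worth a word in the comment above the chain.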