I have set up some firewall rules using nftables. They include some data counters for some types of traffic that I'm interested in monitoring.
Now, I'd like to be able to have an application read those counters, ideally using libnftnl, running as a non-root user. But initial testing with nft
indicates that I can't read nftables counters as a non-root user.
As root:
$ nft list counter my_table my_counter
table ip my_table {
counter my_counter {
packets 123 bytes 12345
}
}
As non-root:
$ nft list counter my_table my_counter
Error: No such file or directory
list counter my_table my_counter
^^^^^^^^
Is there some way to read nftables counters as a non-root user? Perhaps if some Linux capability is set?
If you want a more limited config, maybe use sudo. You can set a rule that only permits a single command.
craig_mcqueen ALL = NOPASSWD: /usr/sbin/nft list counter my_table my_counter
It looks as though the Linux capability CAP_NET_ADMIN enables reading the counter. E.g., start a shell for a non-root user, with CAP_NET_ADMIN:
From that shell,
/usr/sbin/nft list counter my_table my_counter
runs successfully. But it also allows doing other things, such as changing firewall rules, adding new counters or deleting existing counters.
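An added example, not part of the answer above or of any nftables/libcap project code: a POSIX shell script that checks whether the calling shell actually holds CAP_NET_ADMIN (capability number 12 in linux/capability.h) by decoding the CapEff and CapAmb bitmasks from /proc/PID/status, and, when run as root with --spawn USER, starts a shell for that non-root user with CAP_NET_ADMIN in the ambient set via capsh from libcap. The capsh flag combination follows libcap's documented ambient-capability recipe and is an assumption about your libcap version (ambient capabilities need Linux 4.3 or later and a capsh that understands --addamb); the user name, the helper names and the mask-decoding logic are mine. The ambient set is the one that matters for /usr/sbin/nft: a plain binary only inherits a capability across exec if it is ambient (or set as file capabilities), so a shell whose CapEff has the bit but whose CapAmb does not will still fail. The caveat in the answer stands: nfnetlink requires CAP_NET_ADMIN for every nf_tables message it handles, dumps included, so whatever can read the counter can also rewrite the ruleset.

```shell
#!/bin/sh
# Added example (not from the question or answers): inspect the caller's
# capability sets and, optionally, spawn a shell that carries CAP_NET_ADMIN.
# Assumptions: Linux with /proc mounted; libcap's capsh with --addamb support.

# CAP_NET_ADMIN is capability number 12 (linux/capability.h).
CAP_NET_ADMIN_BIT=12

# cap_in_mask MASK_HEX BIT
# Return 0 if BIT is set in the 64-bit hex mask MASK_HEX (the format used by
# the Cap* lines of /proc/PID/status), 1 if it is clear, 2 if the mask is
# not a hex string at all.
cap_in_mask() {
    mask_hex=$1
    bit=$2
    case $mask_hex in
        "" | *[!0-9a-fA-F]*) return 2 ;;
    esac
    # Shell arithmetic is 64-bit wide on Linux sh/bash/dash, so the whole
    # 16-digit mask fits; shift the wanted bit down and test it.
    if [ $(( (0x$mask_hex >> bit) & 1 )) -eq 1 ]; then
        return 0
    fi
    return 1
}

# proc_cap_mask SETNAME PID
# Print the hex mask for SETNAME (CapInh, CapPrm, CapEff, CapBnd or CapAmb)
# of process PID. Callers pass $$ for the shell itself: /proc/self inside a
# command substitution would describe the awk child, not the shell.
proc_cap_mask() {
    set_name=$1
    pid=$2
    [ -r "/proc/$pid/status" ] || return 1
    awk -v key="$set_name:" '$1 == key { print $2 }' "/proc/$pid/status"
}

# has_cap SETNAME BIT  ->  0 if this shell has BIT in that capability set
has_cap() {
    cap_in_mask "$(proc_cap_mask "$1" "$$")" "$2"
}

# report_net_admin: say whether this shell holds CAP_NET_ADMIN itself
# (CapEff) and whether programs it execs, such as nft, will keep it (CapAmb).
report_net_admin() {
    eff=no
    amb=no
    has_cap CapEff "$CAP_NET_ADMIN_BIT" && eff=yes
    has_cap CapAmb "$CAP_NET_ADMIN_BIT" && amb=yes
    printf 'CAP_NET_ADMIN effective=%s ambient=%s\n' "$eff" "$amb"
}

# spawn_net_admin_shell USER [ARGS...]
# Must run as root. Switch to USER and start /bin/bash (capsh's default)
# with CAP_NET_ADMIN in the ambient set, so every program it execs keeps it.
# cap_setpcap/cap_setuid/cap_setgid are needed only for the user switch and
# for raising the ambient bit; they are not passed on to the shell.
# Flag recipe assumed from the libcap capsh documentation.
spawn_net_admin_shell() {
    target_user=$1
    shift
    [ -n "$target_user" ] || { echo "usage: --spawn USER [ARGS...]" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must be root to spawn" >&2; return 1; }
    exec capsh \
        --caps="cap_net_admin+eip cap_setpcap,cap_setuid,cap_setgid+ep" \
        --keep=1 \
        --user="$target_user" \
        --addamb=cap_net_admin \
        -- "$@"
}

# Constructed usage, not from the page:
#   sh capcheck.sh                        -> report this shell's sets
#   sudo sh capcheck.sh --spawn craig_mcqueen   -> interactive shell with the cap
#   sudo sh capcheck.sh --spawn craig_mcqueen -c '/usr/sbin/nft list counter my_table my_counter'
case "${1:-}" in
    --spawn) shift; spawn_net_admin_shell "$@" ;;
    "")      report_net_admin ;;
esac
```

Run it plain inside the capsh shell from the answer and the report line should show ambient=yes; if it shows effective=yes ambient=no, nft will still be refused because the capability is dropped on exec.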