Home / server / Questions / 971633
Accepted
user762750
Asked: 2019-06-17 06:10:30 +0800 CST

How to reset nftable counter?

  • 772

It's really painful to use nftable. I have an ipv4 table and a input chain in it. 

table ip filter { # handle 7
    chain input { # handle 1
        type filter hook input priority 0; policy accept;
        ip daddr 192.168.0.102 counter packets 697173 bytes 850761603 # handle 5
        ip saddr 192.168.0.100 counter packets 38 bytes 4096 # handle 6
    }
}

But how can I reset counter for handle 5?

linux

1 Answers

  1. Best Answer

    As far as I know it's not possible to reset an anonymous counter (same problem as not possible to reset an anonymous quota, see at the end).

    Named counters

    Tested with nftables 0.9.0. Required: nftables >= 0.8 and kernel >= 4.10.

    What can be done instead is to use named counters, which are one of the (currently) three possible stateful objects: counter, (conntrack) helper and quota . These named counters can then be referenced from rules. A given named counter is attached to a table. OP's ruleset can be written like this instead:

    table ip filter {
    counter mycounterd102 {
        packets 697173 bytes 850761603
    }
    counter mycounters100 {
        packets 38 bytes 4096
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip daddr 192.168.0.102 counter name "mycounterd102"
        ip saddr 192.168.0.100 counter name "mycounters100"
    }
}

    With a manual nft command the named counter is created like this, optionally with non zero values set:

    nft add counter ip filter mycounterd102 packets 697173 bytes 850761603

    Now, one can list or reset these named counters:

    # nft list counter ip filter mycounterd102
table ip filter {
    counter mycounterd102 {
        packets 697173 bytes 850761603
    }
}
# nft reset counter ip filter mycounterd102
table ip filter {
    counter mycounterd102 {
        packets 697173 bytes 850761603
    }
}
# nft list counter ip filter mycounterd102
table ip filter {
    counter mycounterd102 {
        packets 0 bytes 0
    }
}

    As expected the reset command will atomically list-and-reset the given counter.

    It's also possible to reset all counters in the table (or in all tables if no table is given):

    # nft reset counters table ip filter
table ip filter {
    counter mycounters100 {
        packets 38 bytes 4096
    }
    counter mycounterd102 {
        packets 0 bytes 0
    }
}

    Reference: Stateful objects - nftables wiki

    which talks about counters and quotas. There's a linked bug related to not being able to reset an anonymous quota even if resetting all quotas. One can suppose it's exactly the same issue with counters: not available as of january 2019 (and at the date of this answer):

    Bug 1314 - nft reset quotas does not reset anonymous quotas

    • 1