2

It's really painful to use nftables. I have an IPv4 table and an input chain in it.

table ip filter { # handle 7
    chain input { # handle 1
        type filter hook input priority 0; policy accept;
        ip daddr 192.168.0.102 counter packets 697173 bytes 850761603 # handle 5
        ip saddr 192.168.0.100 counter packets 38 bytes 4096 # handle 6
    }
}

But how can I reset counter for handle 5?

William
  • 211

2 Answers

3

As far as I know it's not possible to reset an anonymous counter (the same problem as not being able to reset an anonymous quota; see the end).

Named counters

Tested with nftables 0.9.0. Required: nftables >= 0.8 and kernel >= 4.10.

What can be done instead is to use named counters, which are one of the (currently) three possible stateful objects: counter, (conntrack) helper and quota. These named counters can then be referenced from rules. A given named counter is attached to a table. OP's ruleset can be written like this instead:

table ip filter {
    counter mycounterd102 {
        packets 697173 bytes 850761603
    }
    counter mycounters100 {
        packets 38 bytes 4096
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip daddr 192.168.0.102 counter name "mycounterd102"
        ip saddr 192.168.0.100 counter name "mycounters100"
    }
}

With a manual nft command, the named counter is created like this, optionally with non-zero values set:

nft add counter ip filter mycounterd102 packets 697173 bytes 850761603

Now, one can list or reset these named counters:

# nft list counter ip filter mycounterd102
table ip filter {
    counter mycounterd102 {
        packets 697173 bytes 850761603
    }
}
# nft reset counter ip filter mycounterd102
table ip filter {
    counter mycounterd102 {
        packets 697173 bytes 850761603
    }
}
# nft list counter ip filter mycounterd102
table ip filter {
    counter mycounterd102 {
        packets 0 bytes 0
    }
}

As expected, the reset command atomically lists and resets the given counter.

It's also possible to reset all counters in the table (or in all tables if no table is given):

# nft reset counters table ip filter
table ip filter {
    counter mycounters100 {
        packets 38 bytes 4096
    }
    counter mycounterd102 {
        packets 0 bytes 0
    }
}

Reference: Stateful objects - nftables wiki

which talks about counters and quotas. There's a linked bug related to not being able to reset an anonymous quota, even when resetting all quotas. One can suppose it's exactly the same issue with counters: not available as of January 2019 (and at the date of this answer):

Bug 1314 - nft reset quotas does not reset anonymous quotas

A.B
  • 13,968
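The approach above only works once the counters have names. As an added example (not from the question or either answer), the following POSIX shell script rewrites a ruleset with anonymous counters into one with named counter objects, carrying the current values over as the listing above does, and prints the matching reset commands. The naming scheme (c_handle<N>, taken from the rule handle) and the embedded sample ruleset are assumptions.

```shell
# Added example, not taken from the question or either answer. It rewrites a
# ruleset that uses anonymous "counter" expressions (not resettable) into one
# using named counter objects, keeping the current packet/byte values, then
# prints the "nft reset counter" command for each. The "c_handle<N>" naming
# scheme and the sample below are assumptions, not part of the original post.

# Constructed sample: the question's ruleset as printed by "nft -a list ruleset".
sample_ruleset() {
    cat <<'EOF'
table ip filter { # handle 7
    chain input { # handle 1
        type filter hook input priority 0; policy accept;
        ip daddr 192.168.0.102 counter packets 697173 bytes 850761603 # handle 5
        ip saddr 192.168.0.100 counter packets 38 bytes 4096 # handle 6
    }
}
EOF
}

# stdin -> stdout. Counter objects are emitted before the chains, the same
# order nft uses when it lists a table with named counters.
name_counters() {
    awk '
    /^table / { sub(/ *# handle [0-9]+$/, ""); tbl = $0; nr = no = 0; next }
    /counter packets [0-9]+ bytes [0-9]+ *# handle [0-9]+$/ {
        match($0, /# handle [0-9]+/)   # skip the 9-char prefix, keep the number
        name = "c_handle" substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /packets [0-9]+ bytes [0-9]+/)
        objs[++no] = "    counter " name " {\n        " substr($0, RSTART, RLENGTH) "\n    }"
        sub(/counter packets .*$/, "counter name \"" name "\"")
        rules[++nr] = $0; next
    }
    /^}/ {                              # end of table: objects first, then chains
        print tbl
        for (i = 1; i <= no; i++) print objs[i]
        for (i = 1; i <= nr; i++) print rules[i]
        print; next
    }
    { sub(/ *# handle [0-9]+$/, ""); rules[++nr] = $0 }
    '
}

# Read a converted ruleset and print one "nft reset counter" command per object.
reset_commands() {
    awk '/^table / { t = $2 " " $3 }
         /^ *counter [^ ]+ [{]$/ { print "nft reset counter " t " " $2 }'
}
sample_ruleset | name_counters
sample_ruleset | name_counters | reset_commands
```

The converted ruleset can be loaded with nft -f and the printed commands then reset each counter individually, exactly as shown for mycounterd102 above.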

0

I found 2 ways to reset anonymous counters.

Tested with kernel 5.15.0-121-generic and nftables 1.0.2-1ubuntu3 on Ubuntu 22.04.4. (May or may not work with a vanilla kernel and nftables... maybe it's backported; I don't know.)

It's really nftables... not iptables.

# lsmod | grep -E "^nft_|^iptable_"
nft_limit              16384  18
nft_chain_nat          16384  4
nft_counter            16384  3584
nft_compat             20480  3691

I can reset them all by restarting shorewall (which is just an iptables frontend... so try reloading all your rules with whatever frontend you have):

shorewall safe-restart

Or I can reset them the same way it worked with iptables, using the iptables wrapper commands, one command per table, for IPv4 and IPv6:

for t in mangle nat filter raw; do
    for i in 6 ""; do
        "ip${i}tables" -Z -t "$t"
    done
done

The docs for nft reset counter and nft reset counters seem to say it only works for named counters. And my guesses don't seem to reset any anonymous ones. Here you see my iptables command works, but my tests with nft don't... counters only grow.

# c() { nft list ruleset  | grep -Eo "counter packets [0-9]+ bytes [0-9]+" | awk '{p+=$3; b+=$5}; END{print p " " b}'; }
# c; for t in mangle nat filter raw; do for i in 6 ""; do "ip${i}tables" -Z -t "$t"; done; done; c
893 102199 # before iptables reset
4 208      # after, etc.
# c; nft reset counters; c
318 36056
353 40968
# c; for t in mangle nat filter raw; do nft reset counters table $t; done; c
2539 260570
2567 262570
Peter
  • 3,046