
It's really painful to use nftables. I have an ipv4 table and an input chain in it.

table ip filter { # handle 7
    chain input { # handle 1
        type filter hook input priority 0; policy accept;
        ip daddr 192.168.0.102 counter packets 697173 bytes 850761603 # handle 5
        ip saddr 192.168.0.100 counter packets 38 bytes 4096 # handle 6
    }
}

But how can I reset counter for handle 5?

user762750

1 Answer


As far as I know it's not possible to reset an anonymous counter (same problem as not possible to reset an anonymous quota, see at the end).

Named counters

Tested with nftables 0.9.0. Required: nftables >= 0.8 and kernel >= 4.10.

What can be done instead is to use named counters, which are one of the (currently) three possible stateful objects: counter, (conntrack) helper and quota. These named counters can then be referenced from rules. A given named counter is attached to a table. OP's ruleset can be written like this instead:

table ip filter {
    counter mycounterd102 {
        packets 697173 bytes 850761603
    }
    counter mycounters100 {
        packets 38 bytes 4096
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip daddr 192.168.0.102 counter name "mycounterd102"
        ip saddr 192.168.0.100 counter name "mycounters100"
    }
}

With a manual nft command the named counter is created like this, optionally with non-zero values set:

nft add counter ip filter mycounterd102 packets 697173 bytes 850761603

Now, one can list or reset these named counters:

# nft list counter ip filter mycounterd102
table ip filter {
    counter mycounterd102 {
        packets 697173 bytes 850761603
    }
}
# nft reset counter ip filter mycounterd102
table ip filter {
    counter mycounterd102 {
        packets 697173 bytes 850761603
    }
}
# nft list counter ip filter mycounterd102
table ip filter {
    counter mycounterd102 {
        packets 0 bytes 0
    }
}

As expected the reset command will atomically list-and-reset the given counter.

It's also possible to reset all counters in the table (or in all tables if no table is given):

# nft reset counters table ip filter
table ip filter {
    counter mycounters100 {
        packets 38 bytes 4096
    }
    counter mycounterd102 {
        packets 0 bytes 0
    }
}

Reference: Stateful objects - nftables wiki

which talks about counters and quotas. There's a linked bug related to not being able to reset an anonymous quota even if resetting all quotas. One can suppose it's exactly the same issue with counters: not available as of January 2019 (and at the date of this answer):

Bug 1314 - nft reset quotas does not reset anonymous quotas

A.B
  • Great detailed answer, +1. If you happen to have a little more depth of knowledge about counters, I have this question I'm looking for help with... https://serverfault.com/questions/1018654/where-are-nftables-counters-logged-stored-and-how-long-to-they-persist – oucil May 25 '20 at 19:05
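The answer's workflow (create named counters, reference them from rules, read them with `nft list counter`, zero them with `nft reset counters`) lends itself to a small monitoring helper. The script below is an added example and is not code from the question, the answer or the nftables project. It assumes `nft` from nftables >= 0.8 is on PATH and that the script runs as root whenever it actually talks to the kernel; the parsing functions work offline on the text format that `nft list counter` and `nft reset counters` print, using the table, family and counter names from the post. The sample outputs embedded below are constructed copies of the transcript in the answer. Because a reset atomically lists the old values while zeroing them, each reset output is already the per-interval delta, so no bookkeeping of previous readings is needed.

```python
"""Added example: drive nftables named counters from Python.

Assumptions (not from the post): `nft` (nftables >= 0.8) is on PATH and the
process is root when run_nft()/reset_counters() are called. parse_counters()
and rates() are pure and run offline on nft's text output."""
import re
import subprocess
import time
from typing import Dict, List, Tuple

# Constructed sample: what `nft list counter ip filter mycounterd102` printed
# in the answer's transcript.
SAMPLE_LIST_OUTPUT = """\
table ip filter {
    counter mycounterd102 {
        packets 697173 bytes 850761603
    }
}
"""

# Constructed sample: what `nft reset counters table ip filter` printed in the
# answer after mycounterd102 had already been reset once.
SAMPLE_RESET_ALL_OUTPUT = """\
table ip filter {
    counter mycounters100 {
        packets 38 bytes 4096
    }
    counter mycounterd102 {
        packets 0 bytes 0
    }
}
"""

# Matches one named counter object: counter <name> { packets <n> bytes <n> }.
# Rule lines such as `counter name "mycounterd102"` do not match because no
# "{" follows the name there, so a full `nft list table` dump parses too.
COUNTER_RE = re.compile(
    r"counter\s+(?P<name>\S+)\s*\{\s*packets\s+(?P<packets>\d+)\s+bytes\s+(?P<bytes>\d+)\s*\}"
)


def parse_counters(text: str) -> Dict[str, Tuple[int, int]]:
    """Map counter name -> (packets, bytes) from nft's text output."""
    return {
        m.group("name"): (int(m.group("packets")), int(m.group("bytes")))
        for m in COUNTER_RE.finditer(text)
    }


def add_counter_cmd(table: str, name: str, family: str = "ip",
                    packets: int = 0, nbytes: int = 0) -> List[str]:
    """Argument vector for `nft add counter <family> <table> <name> [packets N bytes N]`."""
    cmd = ["nft", "add", "counter", family, table, name]
    if packets or nbytes:
        cmd += ["packets", str(packets), "bytes", str(nbytes)]
    return cmd


def run_nft(args: List[str]) -> str:
    """Run an nft command (needs root and a kernel >= 4.10) and return its stdout."""
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout


def reset_counters(table: str, family: str = "ip") -> Dict[str, Tuple[int, int]]:
    """Atomically read-and-zero every named counter in the table.

    `nft reset counters` lists the old values while zeroing them, so each call
    returns exactly the traffic counted since the previous call."""
    return parse_counters(run_nft(["nft", "reset", "counters", "table", family, table]))


def rates(delta: Dict[str, Tuple[int, int]], interval_s: float) -> Dict[str, Tuple[float, float]]:
    """Convert per-interval (packets, bytes) deltas into packets/s and bytes/s."""
    return {name: (p / interval_s, b / interval_s) for name, (p, b) in delta.items()}


if __name__ == "__main__":
    # Poll every 30 s; each reset output is the interval's delta, no subtraction needed.
    interval = 30.0
    while True:
        delta = reset_counters("filter")
        for name, (pps, bps) in rates(delta, interval).items():
            print(f"{name}: {pps:.1f} pkt/s {bps:.1f} B/s")
        time.sleep(interval)
```

Run as root to poll the `ip filter` table from the post; to create a counter with the initial values from the answer, pass `add_counter_cmd("filter", "mycounterd102", packets=697173, nbytes=850761603)` to `run_nft`. The regex is anchored on the `{ ... }` object body so that the `counter name "..."` references inside rules are ignored when parsing a whole-table listing.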