Counters: Difference between revisions

From nftables wiki
Previous revision, edit summary: add pointer to stateful counters
This revision, edit summary: New anonymous and named counter sections, additional example. Edited for clarity.
Previous revision

Counters are optional in nftables, thus you need to explicitly specify them in the rule if you want them.

The following example allows you to account for all TCP traffic that your machine receives:

% nft add rule filter input ip protocol tcp counter

An interesting feature of the counter action is that its position in the rule syntax matters. This rule is not equivalent to the previous rule:

% nft add rule filter input counter ip protocol tcp

The rule is evaluated from left to right, so any kind of packet will update the counter, not only TCP packets.

Stateful counters

nftables has native support for stateful counters, i.e., counters not attached to a particular rule. Check the Stateful objects page for more details.

Revision as of 14:10, 2 April 2021

nftables adds no counters implicitly: you need to explicitly add a counter statement to each rule whose traffic you want to count.


Anonymous counters

The following example uses an unnamed (anonymous) counter to count all TCP traffic delivered to your host. An anonymous counter belongs to the rule it appears in, and nft list ruleset shows its packet and byte totals inline as part of that rule:

table ip counter_demo {
    chain IN {
        type filter hook input priority filter; policy drop;

        ip protocol tcp counter
    }
}

Two things to keep in mind when reading this example. First, the input hook only sees packets addressed to the local host; traffic forwarded through the host traverses the forward hook and is not counted here. Second, the chain policy is drop and the rule carries no verdict, so every packet is still dropped: the counter records the TCP packets before the policy applies, which is fine for accounting but does not make the rule an accept rule.

Note that the position of the counter statement within your rule is significant, because nftables evaluates expressions and statements linearly from left to right, and a statement only runs when every expression before it matched. If the above rule were written instead:

        counter ip protocol tcp

every packet delivered to your host (not just TCP packets) will update the counter, because the counter runs before the protocol match is evaluated.


Named counters

You can also declare named counters, which are objects of the table rather than of a single rule and which you can reference from multiple rules, e.g.:

table inet named_counter_demo {

    counter cnt_http {
    }

    chain IN {
        type filter hook input priority filter; policy drop;

        tcp dport   80 counter name cnt_http
        tcp dport  443 counter name cnt_http
    }
}

The above example defines a named counter cnt_http and uses it in two rules in order to count both HTTP and HTTPS packets delivered to the local host; packets matched by either rule are added to the same totals. You can read it back with nft list counter inet named_counter_demo cnt_http (or list every named counter with nft list counters) and zero it with nft reset counter inet named_counter_demo cnt_http, which affects all rules that reference it. (This example is contrived to show using a single named counter in multiple rules; these two rules can easily be combined by using an anonymous set.)
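The following Python script is an added example; it is not code from the nftables wiki page or from the nftables project. It shows how the two kinds of counter from the sections above (the anonymous counter in a rule, and the named counter object referenced by several rules) appear in the JSON that nft -j list ruleset prints, and it checks for the ordering pitfall from the anonymous counters section: a counter statement placed before a rule's first match expression counts every packet entering the chain, not only the traffic the match selects. The ruleset dump embedded in the script is constructed by hand to mirror the counter_demo and named_counter_demo tables above; its packet and byte totals and object handles are illustrative, not captured from a live system, and the function names (parse_ruleset, named_counters, rule_counters, counters_before_match) are the script's own.

```python
"""Audit nftables counters in `nft -j list ruleset` output.

Added example, not part of the nftables wiki or project.  The JSON shapes used
here follow libnftables' JSON output: a named counter object
{"counter": {"family", "table", "name", "packets", "bytes", ...}}, an anonymous
counter statement inside a rule {"counter": {"packets": N, "bytes": M}}, and a
reference to a named counter from a rule {"counter": "<name>"}.
"""
import json
import sys

# Constructed sample in the shape of `nft -j list ruleset`, mirroring the
# counter_demo and named_counter_demo tables above (ip protocol tcp appears as a
# payload match on the ip header's protocol field).  Packet and byte totals are
# illustrative and handles arbitrary.  Rule handle 9 deliberately puts `counter`
# before the `ip protocol tcp` match to show the ordering pitfall.
SAMPLE_RULESET = r'''{"nftables": [
  {"metainfo": {"json_schema_version": 1}},
  {"table": {"family": "inet", "name": "named_counter_demo", "handle": 1}},
  {"counter": {"family": "inet", "name": "cnt_http", "table": "named_counter_demo",
               "handle": 2, "packets": 1234, "bytes": 98765}},
  {"chain": {"family": "inet", "table": "named_counter_demo", "name": "IN", "handle": 3,
             "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
  {"rule": {"family": "inet", "table": "named_counter_demo", "chain": "IN", "handle": 4,
            "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 80}},
                     {"counter": "cnt_http"}]}},
  {"rule": {"family": "inet", "table": "named_counter_demo", "chain": "IN", "handle": 5,
            "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 443}},
                     {"counter": "cnt_http"}]}},
  {"table": {"family": "ip", "name": "counter_demo", "handle": 6}},
  {"chain": {"family": "ip", "table": "counter_demo", "name": "IN", "handle": 7,
             "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
  {"rule": {"family": "ip", "table": "counter_demo", "chain": "IN", "handle": 8,
            "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "protocol"}}, "right": "tcp"}},
                     {"counter": {"packets": 3000, "bytes": 210000}}]}},
  {"rule": {"family": "ip", "table": "counter_demo", "chain": "IN", "handle": 9,
            "expr": [{"counter": {"packets": 50000, "bytes": 4100000}},
                     {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "protocol"}}, "right": "tcp"}}]}}
]}'''


def parse_ruleset(text):
    """Return the list of top-level nftables objects from a JSON dump."""
    return json.loads(text)["nftables"]


def named_counters(objs):
    """Map (family, table, name) -> (packets, bytes) for every named counter object."""
    out = {}
    for obj in objs:
        c = obj.get("counter")
        if isinstance(c, dict) and "name" in c:  # a counter object, not a rule statement
            out[(c["family"], c["table"], c["name"])] = (c["packets"], c["bytes"])
    return out


def rule_counters(objs):
    """One entry per counter statement found in a rule, in ruleset order.

    Anonymous counters carry packets/bytes inline; a named counter reference is
    just the counter's name, and its totals live in the object (see named_counters).
    """
    found = []
    for obj in objs:
        rule = obj.get("rule")
        if rule is None:
            continue
        for idx, stmt in enumerate(rule.get("expr", [])):
            if "counter" not in stmt:
                continue
            c = stmt["counter"]
            entry = {"family": rule["family"], "table": rule["table"], "chain": rule["chain"],
                     "handle": rule["handle"], "position": idx}
            if isinstance(c, str):
                entry.update(kind="named", name=c)
            else:
                entry.update(kind="anonymous", packets=c["packets"], bytes=c["bytes"])
            found.append(entry)
    return found


def counters_before_match(objs):
    """Handles of rules whose counter statement precedes the first match expression.

    nft evaluates a rule left to right, so such a counter sees every packet
    entering the chain.  Rules with no match at all are not reported: a bare
    `counter` (e.g. before a final verdict) is usually deliberate.
    """
    flagged = []
    for obj in objs:
        rule = obj.get("rule")
        if rule is None:
            continue
        exprs = rule.get("expr", [])
        matches = [i for i, s in enumerate(exprs) if "match" in s]
        counters = [i for i, s in enumerate(exprs) if "counter" in s]
        if matches and counters and min(counters) < min(matches):
            flagged.append(rule["handle"])
    return flagged


def main(text):
    objs = parse_ruleset(text)
    for (family, table, name), (packets, nbytes) in named_counters(objs).items():
        print(f"named counter {family} {table} {name}: {packets} packets, {nbytes} bytes")
    for e in rule_counters(objs):
        where = f"{e['family']} {e['table']} {e['chain']} rule handle {e['handle']}"
        if e["kind"] == "named":
            print(f"{where}: references named counter {e['name']} at position {e['position']}")
        else:
            print(f"{where}: anonymous counter at position {e['position']}: "
                  f"{e['packets']} packets, {e['bytes']} bytes")
    for handle in counters_before_match(objs):
        print(f"WARNING: rule handle {handle} counts every packet in its chain: "
              f"its counter precedes the first match expression")


if __name__ == "__main__":
    # Pipe a real dump in (`nft -j list ruleset | python3 counter_audit.py`);
    # otherwise the embedded sample is audited.
    main(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULESET)
```

In the sample, rule handle 9 is the `counter ip protocol tcp` form from the anonymous counters section: its totals are far higher than those of rule handle 8 (`ip protocol tcp counter`) on the same chain because it counts every packet the chain receives, and the script flags it. Run on a live system, the same check catches rules where a counter was appended to the front rather than the end of a rule and is silently inflating the numbers you read from nft list ruleset.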