bugzilla-daemon at netfilter.org
2020-Jan-28 20:40 UTC
[Bug 1401] New: Discretely resetting anonymous counters is impossible
https://bugzilla.netfilter.org/show_bug.cgi?id=1401

Bug ID: 1401
Summary: Discretely resetting anonymous counters is impossible
Product: nftables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: kfm at plushkava.net

As compared to iptables, this is the most surprising limitation of nftables that I've encountered yet. Per the summary, there appears to be no way of resetting anonymous counters. I'm aware of the existence of named counters and that's a fine feature. However, the use of named counters adds unnecessary complexity to rulesets that would otherwise have no need of them. I realise that the design of nftables might not lend itself as well to working with anonymous counters, but to anyone familiar with iptables -Z, this would seem like a significant feature omission.

As an aside, the documentation for the functionality that currently is supported is unclear. The grammar for the reset verb is described as:

    {add | delete | list | reset} type [family] table object

It took some trial and error on my part to realise that "nft reset counters" is actually a supported command, although it only works for named counters. Here are the issues with the man page:

• it makes it look as though table and object are mandatory (but they are not)
• it does not make it apparent that "counters" is supported as the type

In fact, there are only two incidences of the word, counters, in the entire man page. One of these is in reference to the "list counters" command and the other is in an incidental sentence concerning the "monitor ruleset" command.
My enhancement request is as follows:

• "nft reset counters" resets all counters (not just the named ones)
• "nft reset counters [family] table" resets anonymous counters in the given table
• "nft reset counters [family] table object" resets anonymous counters in the given chain object
• if possible, add a means to reset the anonymous counters of a given rule

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200128/ae7359fa/attachment.html>
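One way to see exactly which counters "nft reset counters" can and cannot touch, in the state the report describes, is to classify the JSON that nft prints with -j. The script below is an added example, not code from the reporter or from the nftables project. It embeds a hand-constructed ruleset in the shape of `nft -j list ruleset` output (the table, chain, handles, counter name and packet counts are all made up), and assumes the libnftables JSON layout in which a named counter is a top-level "counter" object, a rule's reference to it is the bare string `{"counter": "name"}`, and an anonymous counter is a `{"counter": {"packets": N, "bytes": N}}` dict inside a rule's "expr" list.

```python
"""Classify counters in `nft -j list ruleset` output (added example).

Named counter objects are what `nft reset counters` zeroes; anonymous
counter expressions embedded in rules are what the bug report says it
cannot reach. The sample JSON is constructed by hand to look like nft's
libnftables-json output; every handle and count in it is invented.
"""
import json

# Constructed sample: a small inet table with one named counter, one rule
# that references it, and one rule that carries an anonymous counter.
SAMPLE_RULESET = json.dumps({
    "nftables": [
        {"metainfo": {"json_schema_version": 1}},
        {"table": {"family": "inet", "name": "filter", "handle": 1}},
        {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 2,
                   "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
        {"counter": {"family": "inet", "name": "ssh_hits", "table": "filter",
                     "handle": 3, "packets": 42, "bytes": 2520}},
        {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 4,
                  "expr": [
                      {"match": {"op": "==",
                                 "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                                 "right": 22}},
                      {"counter": "ssh_hits"},          # reference to the named counter
                      {"accept": None}]}},
        {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 5,
                  "expr": [
                      {"match": {"op": "==",
                                 "left": {"payload": {"protocol": "ip", "field": "protocol"}},
                                 "right": "icmp"}},
                      {"counter": {"packets": 7, "bytes": 588}},   # anonymous counter
                      {"accept": None}]}},
    ]
})


def classify_counters(ruleset_json):
    """Return one dict per counter found in the ruleset.

    kind is "named" for top-level counter objects and "anonymous" for
    counter expressions owned by a rule. resettable records whether
    `nft reset counters` zeroes it, per the behaviour the report describes.
    """
    found = []
    for obj in json.loads(ruleset_json)["nftables"]:
        if "counter" in obj:
            c = obj["counter"]
            found.append({"kind": "named", "family": c["family"], "table": c["table"],
                          "name": c["name"], "packets": c["packets"],
                          "bytes": c["bytes"], "resettable": True})
        elif "rule" in obj:
            r = obj["rule"]
            for expr in r["expr"]:
                c = expr.get("counter")
                # A string is a reference to a named counter (already counted
                # above); only a dict with packets/bytes is an anonymous counter.
                if isinstance(c, dict):
                    found.append({"kind": "anonymous", "family": r["family"],
                                  "table": r["table"], "chain": r["chain"],
                                  "handle": r["handle"], "packets": c["packets"],
                                  "bytes": c["bytes"], "resettable": False})
    return found


def reset_commands(ruleset_json):
    """Emit what can be done about each counter.

    Named counters get `nft reset counter FAMILY TABLE NAME`, which follows
    the man page grammar quoted in the report. Anonymous counters have no
    reset verb, so the script emits a comment naming the owning rule's
    handle instead of inventing a command.
    """
    cmds = []
    for c in classify_counters(ruleset_json):
        if c["kind"] == "named":
            cmds.append(f"nft reset counter {c['family']} {c['table']} {c['name']}")
        else:
            cmds.append(f"# anonymous counter in {c['family']} {c['table']} {c['chain']} "
                        f"handle {c['handle']}: not reachable by 'nft reset counters'")
    return cmds


if __name__ == "__main__":
    for entry in classify_counters(SAMPLE_RULESET):
        print(entry)
    print("\n".join(reset_commands(SAMPLE_RULESET)))
```

To run it against a live system, replace SAMPLE_RULESET with the output of `nft -j list ruleset`; the named-counter reset commands it prints are the only ones that exist, which is the gap the report is asking to close.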
bugzilla-daemon at netfilter.org
2020-Jan-28 20:52 UTC
[Bug 1401] Discretely resetting anonymous counters is impossible
https://bugzilla.netfilter.org/show_bug.cgi?id=1401

--- Comment #1 from kfm at plushkava.net ---
See also: bug 1314.
bugzilla-daemon at netfilter.org
2020-Apr-15 22:07 UTC
[Bug 1401] Discretely resetting anonymous counters is impossible
https://bugzilla.netfilter.org/show_bug.cgi?id=1401

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
         Status    |NEW     |ASSIGNED

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Something similar to -Z to reset counters would suffice for your use case, correct?

Would you submit a patch to improve the flawed areas in this documentation area? That would be greatly appreciated.
bugzilla-daemon at netfilter.org
2020-May-15 09:01 UTC
[Bug 1401] Discretely resetting anonymous counters is impossible
https://bugzilla.netfilter.org/show_bug.cgi?id=1401

--- Comment #3 from kfm at plushkava.net ---
Yes, I think so. Even if the implementation were to lack the support for parameters that increase the specificity of the operation - which iptables -Z has - and only operate globally, it would still be a nice improvement. It seems reasonable to expect that users reach for named sets in other cases. Still, anything that helps to reduce the cognitive burden upon those who are alighting from the iptables train would be welcome.

As for the documentation, I think that should be within my capabilities. I'll see what I can do.
Apparently Analogous Threads
- [Bug 1314] New: nft reset quotas does not reset anonymous quotas
- [Bug 1336] New: "nft reset counters" does not respect -j option for JSON output
- [Bug 1462] New: `nft -j list set` does not show counters
- [Bug 1710] New: When called from nft -f, list counters outputs all zeros
- [Bug 1059] New: Using wildcard interface names in an anonymous set fails on big endian