bugzilla-daemon at netfilter.org
2020-Jan-28 20:40 UTC
[Bug 1401] New: Discretely resetting anonymous counters is impossible
https://bugzilla.netfilter.org/show_bug.cgi?id=1401
Bug ID: 1401
Summary: Discretely resetting anonymous counters is impossible
Product: nftables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: kfm at plushkava.net
As compared to iptables, this is the most surprising limitation of nftables
that I've encountered yet. Per the summary, there appears to be no way of
resetting anonymous counters.
I'm aware of the existence of named counters and that's a fine feature.
However, the use of named counters adds unnecessary complexity to rulesets that
would otherwise have no need of them. I realise that the design of nftables
might not lend itself as well to working with anonymous counters, but to anyone
familiar with iptables -Z, this would seem like a significant feature
omission.
As an aside, the documentation for the functionality that currently is
supported is unclear. The grammar for the reset verb is described as:
{add | delete | list | reset} type [family] table object
It took some trial and error on my part to realise that "nft reset counters" is
actually a supported command, although it only works for named counters. Here
are the issues with the man page:
• it makes it look as though table and object are mandatory (but they are not)
• it does not make it apparent that "counters" is supported as the type
In fact, there are only two incidences of the word, counters, in the entire man
page. One of these is in reference to the "list counters" command and the
other is in an incidental sentence concerning the "monitor ruleset" command.
My enhancement request is as follows:
• "nft reset counters" resets all counters (not just the named ones)
• "nft reset counters [family] table" resets anonymous counters in the given
table
• "nft reset counters [family] table object" resets anonymous counters in the
given chain object
• if possible, add a means to reset the anonymous counters of a given rule
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200128/ae7359fa/attachment.html>
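The reset grammar quoted in the report, and the per-rule reset asked for in the enhancement list, can be shown with a small script. This is an added example, not code from the bug thread or from the nftables project: it emits a ruleset with one named counter (which "nft reset counters [family] table" can zero) next to an anonymous rule counter, and implements the two ways an administrator can zero the anonymous one today, reloading the ruleset from a file, or replacing the single rule by its handle so the kernel recreates its counter. The table name example_filter, the counter name ssh_hits and the listing sample in extract_handle's comment are constructed; nothing is applied to the kernel unless the script is invoked with --live as root.

```shell
#!/bin/sh
# Added example for nft counter resetting; not part of the bug report.
set -eu

TABLE=example_filter   # constructed table name

# Emit a ruleset containing both kinds of counter. "flush ruleset" at the top
# means loading this file with "nft -f" recreates every object, so all
# counters (named and anonymous) start over from zero.
gen_ruleset() {
    cat <<EOF
flush ruleset
table inet $TABLE {
    counter ssh_hits {}
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 22 counter name ssh_hits
        tcp dport 80 counter
    }
}
EOF
}

# Read an "nft -a list chain ..." listing on stdin and print the handle of the
# first rule whose text contains the fixed string in $1 (empty if none).
# nft -a appends "# handle N" to each rule, e.g. (constructed listing):
#   tcp dport 80 counter packets 12 bytes 960 # handle 3
extract_handle() {
    pattern=$1
    grep -F -- "$pattern" \
        | sed -n 's/.*# handle \([0-9][0-9]*\)[[:space:]]*$/\1/p' \
        | head -n 1
}

# Zero the anonymous counter of one rule: "nft replace rule" swaps the rule at
# the given handle for a freshly created one, whose counter begins at zero.
reset_rule_counter() {
    handle=$(nft -a list chain inet "$TABLE" input | extract_handle "$1")
    [ -n "$handle" ] || { echo "no rule matching '$1'" >&2; return 1; }
    # shellcheck disable=SC2086  # $2 is the rule text, deliberately word-split
    nft replace rule inet "$TABLE" input handle "$handle" $2
}

# Live demonstration; requires nft and root, otherwise it is skipped.
apply_and_reset() {
    if ! command -v nft >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "nft not available or not root; skipping live run" >&2
        return 0
    fi
    tmp=$(mktemp)
    gen_ruleset >"$tmp"
    nft -f "$tmp"
    nft reset counters inet "$TABLE"          # zeroes only the named counter
    reset_rule_counter 'tcp dport 80' 'tcp dport 80 counter'   # one anonymous counter
    nft -f "$tmp"                             # reload: everything back to zero
    nft -a list chain inet "$TABLE" input
    rm -f "$tmp"
}

if [ "${1:-}" = "--live" ]; then
    apply_and_reset
fi
```

extract_handle anchors on the trailing "# handle N" comment rather than on rule text, so the pattern only selects the rule; the table and chain lines also carry handle comments but are never matched because the rule text is not in them.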
bugzilla-daemon at netfilter.org
2020-Jan-28 20:52 UTC
[Bug 1401] Discretely resetting anonymous counters is impossible
https://bugzilla.netfilter.org/show_bug.cgi?id=1401
--- Comment #1 from kfm at plushkava.net ---
See also: bug 1314.
bugzilla-daemon at netfilter.org
2020-Apr-15 22:07 UTC
[Bug 1401] Discretely resetting anonymous counters is impossible
https://bugzilla.netfilter.org/show_bug.cgi?id=1401
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Something similar to -Z to reset counters would suffice for your use case,
correct?
Would you submit a patch to improve the flawed areas in this documentation
area? That would be greatly appreciated.
bugzilla-daemon at netfilter.org
2020-May-15 09:01 UTC
[Bug 1401] Discretely resetting anonymous counters is impossible
https://bugzilla.netfilter.org/show_bug.cgi?id=1401
--- Comment #3 from kfm at plushkava.net ---
Yes, I think so. Even if the implementation were to lack the support for
parameters that increase the specificity of the operation - which iptables -Z
has - and only operate globally, it would still be a nice improvement. It seems
reasonable to expect that users reach for named sets in other cases. Still,
anything that helps to reduce the cognitive burden upon those who are alighting
from the iptables train would be welcome.
As for the documentation, I think that should be within my capabilities. I'll
see what I can do.