The kernel enables policy counters for nftables chains only if NFTA_CHAIN_COUNTERS attribute is present. For this to be generated, one has to set NFTNL_CHAIN_PACKETS and NFTNL_CHAIN_BYTES attributes in the allocated nftnl_chain object. The above happened for base chains only with iptables-nft-restore if called with --counters flag. Since this is very unintuitive to users, fix the situation by adding counters to base chains in any case. Fixes: 384958620abab ("use nf_tables and nf_tables compatibility interface") Signed-off-by: Phil Sutter <phil@xxxxxx> --- iptables/nft.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index 326dc20b21d65..97fd4f49fdb4c 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -701,6 +701,9 @@ nft_chain_builtin_alloc(int family, const char *tname, nftnl_chain_set_str(c, NFTNL_CHAIN_TYPE, chain->type); + nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, 0); + nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, 0); + return c; } @@ -961,6 +964,7 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h, int policy, const struct xt_counters *counters) { + static const struct xt_counters zero = {}; struct nftnl_chain *c; const struct builtin_table *_t; const struct builtin_chain *_c; @@ -985,12 +989,10 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h, return NULL; } - if (counters) { - nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, - counters->bcnt); - nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, - counters->pcnt); - } + if (!counters) + counters = &zero; + nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, counters->bcnt); + nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, counters->pcnt); return c; } -- 2.40.0