Aw: Re: Re: nft show counter

> Sent: Thursday, 01 April 2021 at 20:14
> From: "Florian Westphal" <fw@xxxxxxxxx>
> Frank Wunderlich <frank-w@xxxxxxxxxxxxxxx> wrote:
> > one thing:
> >
> > # nft list counter filter voip2
> > table ip mangle {
> > }
> > table ip nat {
> > }
> > table ip filter {
> > 	counter voip2 {
> > 		packets 124 bytes 7440
> > 	}
> > }
>
> Can't repro so looks like this is already fixed.
>
> > tables mangle and nat should not be printed (still have them separately from converting iptables to nft)...in json-format it is right
>
> Yes, they should not be printed.

Tested with my self-compiled nftables, and indeed it seems to be fixed:

root@bpi-r2:~# nft -f ruleset_new.nft
root@bpi-r2:~# nft list counter filter voip1    #using debian buster version
table ip mangle {
}
table ip nat {
}
table ip filter {
        counter voip1 {
                packets 0 bytes 0
        }
}
root@bpi-r2:~# /home/frank/nftables/install/sbin/nft list counter filter voip1 #self compiled
table ip filter {
        counter voip1 {
                packets 0 bytes 0
        }
}
root@bpi-r2:~#

Anyway, I have now moved the mangle/nat chains into my filter table in the newer version of my ruleset, to have only an ip(v4) and an ipv6 table (still separated, as v4 is much more complicated than v6).

Thanks, I will now test the mapping for log-counters; here it will be good to have addr/port (instead of saddr/daddr + sport/dport) too. Is there a way to filter deeper into the protocol stack (SIP data, ignoring start registration traffic)?

regards Frank



