Re: counter target


 



On Thu, Aug 31, 2023 at 10:25:15AM -0500, Matt Zagrabelny wrote:
> Hi Pablo,
> 
> On Sun, Aug 27, 2023 at 4:11 PM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >
> > On Fri, Aug 25, 2023 at 04:06:54PM -0500, Matt Zagrabelny wrote:
> > > Greetings netfilter,
> > >
> > > I have a question about the location of a "counter" statement.
> > >
> > > I see from the wiki [0] that placing a counter for the default policy
> > > comes *after* the policy:
> >
> > Wiki example does not refer to the default policy.
> 
> 
> Ahh. Now I see. Thanks for the clarification.
> 
> Is there a way to count the packets that get evaluated by the default
> policy of a chain?
> 
> I know I can put a counter after all my rules, but it seems like it
> would be nicer to somehow integrate it into:
> 
> chain IN {
>         type filter hook input priority filter; policy drop;
> 
> for example:
> 
> chain IN {
>         type filter hook input priority filter; policy counter drop;

Perhaps you mean something like this syntax:

         type filter hook input priority filter; counter; policy drop;

to enable basechain counters.

No, this is not supported.

> ...but the above fails.

You have to place a counter after all your rules to count those that
reach the basechain as you suggest.
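
The workaround described above, written out as an added example that is not part of the original thread. The table name `filter`, the counter name `in_policy_drop` and the three accept rules are assumptions chosen for illustration; only the chain `IN` and its `policy drop` line come from the messages.

```nft
# Added illustration, not from the thread.
# Load with: nft -f <file>
table inet filter {
        # Named counter object (hypothetical name), so the total can be
        # read on its own with:
        #   nft list counter inet filter in_policy_drop
        counter in_policy_drop {
                packets 0 bytes 0
        }

        chain IN {
                type filter hook input priority filter; policy drop;

                # Placeholder accept rules. Packets matched here leave the
                # chain with a verdict and never reach the counter below.
                ct state established,related accept
                iif "lo" accept
                tcp dport 22 accept

                # Must stay the last rule in the chain. It carries no
                # verdict, so every packet that reaches it is counted and
                # then falls through to the chain's default policy (drop).
                counter name "in_policy_drop"
        }
}
```

Any rule appended later with `nft add rule` lands after the counter rule, so packets matched by it would still be counted as policy drops; insert new rules ahead of the counter rule instead.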


