Hi all,
I'm working on finally supporting nftables in Vuurmuur.
In the iptables support, I have special rules per interface to get per
iface packets and bytes. Essentially my tool reads the iptables -vnL
output and parses all the things. When a user applies a ruleset change,
Vuurmuur reads the most current values, constructs a new input file to
`iptables-restore` and loads the rules. This works but is tedious, and
also lacks some precision as we are not counting the packets/bytes while
Vuurmuur is working.
In the nftables support, I'm more or less looking at the same logic. The
ruleset is built as a .nft file that is loaded with `nft -f`.
Now I found the named counter feature, and also the json output `nft
-j list counters`. This combination seems perfect.
I guess my main question is if we can make these counters persistent
somehow. As part of the ruleset reload, I issue a `flush ruleset`, which
also removes the counters.
So can we make counters survive a `flush ruleset`, or is there a better
way to load a new ruleset?
Thanks!
Victor
--
----------------------------------------------
Victor Julien
https://www.inliniac.net/
PGP: https://www.inliniac.net/victorjulien.asc
----------------------------------------------
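One way to carry named-counter values across a `flush ruleset` reload, as an added example (my own code, not Vuurmuur's or nftables' own): read `nft -j list counters`, then emit `add counter ... { packets N bytes M }` declarations ahead of the rules in the file handed to `nft -f`, so the new counters start from the old totals instead of zero. The sample JSON below is constructed to match the libnftables JSON schema as I understand it; check it against the output of your nft version.

```python
import json
import subprocess
from typing import Dict, Tuple

Key = Tuple[str, str, str]          # (family, table, name)
Vals = Tuple[int, int]              # (packets, bytes)

# Constructed sample of `nft -j list counters` output (assumed shape; not
# captured from a real host).
SAMPLE_JSON = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.0", "release_name": "x",
                  "json_schema_version": 1}},
    {"counter": {"family": "inet", "table": "filter", "name": "cnt_eth0",
                 "handle": 5, "packets": 1234, "bytes": 567890}},
    {"counter": {"family": "inet", "table": "filter", "name": "cnt_eth1",
                 "handle": 6, "packets": 0, "bytes": 0}},
]})


def parse_counters(json_text: str) -> Dict[Key, Vals]:
    """Extract every named counter and its current packets/bytes."""
    result: Dict[Key, Vals] = {}
    for obj in json.loads(json_text).get("nftables", []):
        c = obj.get("counter")
        if c is None:                # skip metainfo and any other object types
            continue
        result[(c["family"], c["table"], c["name"])] = (int(c["packets"]),
                                                        int(c["bytes"]))
    return result


def render_counter_decls(counters: Dict[Key, Vals]) -> str:
    """Emit `add table` + `add counter` lines that seed the saved values.
    The table must exist before the counter, so each table is added first;
    `add table` is a no-op if the later `table ... { }` block redefines it."""
    lines, seen_tables = [], set()
    for (family, table, name), (pkts, byts) in sorted(counters.items()):
        if (family, table) not in seen_tables:
            seen_tables.add((family, table))
            lines.append(f"add table {family} {table}")
        lines.append(f"add counter {family} {table} {name} "
                     f"{{ packets {pkts} bytes {byts} }}")
    return "\n".join(lines) + "\n"


def build_ruleset(counters: Dict[Key, Vals], rules_body: str) -> str:
    """Whole file for `nft -f`: flush, re-seed counters, then the rules.
    `nft -f` applies the file as one transaction, so there is no window in
    which the counters are absent."""
    return "flush ruleset\n" + render_counter_decls(counters) + rules_body


def read_live_counters() -> Dict[Key, Vals]:
    """Query the running kernel (requires nft and CAP_NET_ADMIN)."""
    out = subprocess.run(["nft", "-j", "list", "counters"], check=True,
                         capture_output=True, text=True).stdout
    return parse_counters(out)
```

Packets that hit the old counters between the `nft -j list counters` read and the `nft -f` load are still lost, the same precision gap the iptables path has.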