Re: named counters vs flush ruleset

Hi Victor,

On Sat, Feb 08, 2025 at 03:35:27PM +0100, Victor Julien wrote:
> Hi all,
> 
> I'm working on finally supporting nftables in Vuurmuur.
> 
> In the iptables support, I have special rules per interface to get per iface
> packets and bytes. Essentially my tool reads the iptables -vnL output and
> parses all the things. When a user applies a ruleset change, Vuurmuur reads
> the most current values, constructs a new input file to `iptables-restore`
> and loads the rules. This works but is tedious, and also lacks some
> precision as we are not counting the packets/bytes while Vuurmuur is
> working.
> 
> In the nftables support, I'm more or less looking at the same logic. The
> ruleset is built as a .nft file that is loaded with `nft -f`.
> 
> Now I found the named counter feature, and also the json output `nft -j
> list counters`. This combination seems perfect.
> 
> I guess my main question is if we can make these counters persistent
> somehow. As part of the ruleset reload, I issue a `flush ruleset`, which
> also removes the counters.
> 
> So can we make counters survive a `flush ruleset`, or is there a better way
> to load a new ruleset?

Would it work for you to destroy all other existing objects (not the
table and counters) instead?
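As an added example (not code from this thread, from Vuurmuur, or from nftables), a Python sketch of the approach the reply suggests. It parses the `nft -j list counters` output the question mentions (a constructed sample of the libnftables JSON with invented counter names and values) and builds an `nft -f` reload file that flushes the table's rules and deletes the previous chains and sets by name instead of issuing `flush ruleset`, so the table and its named counters survive the reload. The counter is re-declared seeded with the last values read, which mirrors the iptables-restore approach: if the counter still exists the add leaves it alone, and if something else removed it in the meantime it is recreated with the saved values. The chain and set names, the rules, and the helper functions `parse_counters`, `build_reload` and `reload_script_for` are assumptions for illustration.

```python
"""Added example (not from the thread, Vuurmuur or nftables): keep a table's
named counters across a ruleset reload by replacing `flush ruleset` with
flush/delete commands scoped to the objects inside the table."""
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample of `nft -j list counters` output (libnftables JSON
# schema: a leading "metainfo" entry, then one "counter" entry per object).
# Counter names, handles and values are invented.
SAMPLE_NFT_JSON = json.dumps({
    "nftables": [
        {"metainfo": {"version": "1.0.9", "release_name": "Old Doc Yak #3",
                      "json_schema_version": 1}},
        {"counter": {"family": "inet", "table": "filter", "name": "eth0_in",
                     "handle": 5, "packets": 1204, "bytes": 98311}},
        {"counter": {"family": "inet", "table": "filter", "name": "eth0_out",
                     "handle": 6, "packets": 977, "bytes": 120455}},
    ]
})

Key = Tuple[str, str, str]  # (family, table, counter name)


def parse_counters(nft_json: str) -> Dict[Key, Tuple[int, int]]:
    """Map (family, table, name) -> (packets, bytes) from `nft -j list counters`.

    Entries that are not counters (the leading metainfo object) are skipped,
    so the same function also works on `nft -j list ruleset` output.
    """
    counters: Dict[Key, Tuple[int, int]] = {}
    for entry in json.loads(nft_json)["nftables"]:
        ctr = entry.get("counter")
        if ctr is None:
            continue
        key = (ctr["family"], ctr["table"], ctr["name"])
        counters[key] = (int(ctr["packets"]), int(ctr["bytes"]))
    return counters


def build_reload(family: str, table: str, counters: Dict[str, Tuple[int, int]],
                 old_chains: Iterable[str], old_sets: Iterable[str],
                 new_chains: Dict[str, List[str]]) -> str:
    """Build an `nft -f` script that replaces everything in one table except
    the table itself and its named counters. Order matters:
      1. `table ... {}` is a no-op if the table exists and creates it on a
         fresh system, so one file serves both cases.
      2. `flush table` drops every rule in every chain of the table; chains,
         sets and stateful objects such as counters stay in place.
      3. `delete chain` / `delete set` remove the previous ruleset's objects
         by name (the tool knows them); a chain can only be deleted once it
         holds no rules, hence the flush first.
      4. The new table body. `counter <name> { packets N bytes M }` is an add,
         not a replace: an existing counter is left alone, a missing one is
         recreated seeded with the last values read.
    """
    lines = [f"table {family} {table} {{}}", f"flush table {family} {table}"]
    lines += [f"delete chain {family} {table} {c}" for c in old_chains]
    lines += [f"delete set {family} {table} {s}" for s in old_sets]
    lines.append(f"table {family} {table} {{")
    for name in sorted(counters):
        pkts, byts = counters[name]
        lines.append(f"\tcounter {name} {{ packets {pkts} bytes {byts} }}")
    for chain, body in new_chains.items():
        lines.append(f"\tchain {chain} {{")
        lines += [f"\t\t{rule}" for rule in body]
        lines.append("\t}")
    lines.append("}")
    return "\n".join(lines) + "\n"


def reload_script_for(nft_json: str, family: str, table: str) -> str:
    """Glue: counters read from the live system plus the (assumed) old and
    new objects the tool knows from its own configuration."""
    live = {n: v for (f, t, n), v in parse_counters(nft_json).items()
            if (f, t) == (family, table)}
    old_chains = ["input", "forward"]  # assumed previous ruleset
    old_sets = ["blocklist"]           # assumed previous ruleset
    new_chains = {                     # assumed new ruleset
        "input": [
            "type filter hook input priority filter; policy drop;",
            "ct state established,related accept",
            'iif "eth0" counter name "eth0_in" accept',
        ],
        "output": [
            "type filter hook output priority filter; policy accept;",
            'oif "eth0" counter name "eth0_out"',
        ],
    }
    return build_reload(family, table, live, old_chains, old_sets, new_chains)


if __name__ == "__main__":
    for key, (pkts, byts) in parse_counters(SAMPLE_NFT_JSON).items():
        print(f"{'/'.join(key)}: {pkts} packets, {byts} bytes")
    print(reload_script_for(SAMPLE_NFT_JSON, "inet", "filter"))
```

The generated file is meant to be fed to `nft -f` as one transaction, so either the whole reload applies or nothing changes; the `delete` lines assume the named chains and sets exist, which holds when the tool wrote the previous ruleset itself.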
