From: Pablo Neira Ayuso
Subject: Re: counter target
Date: Thu, 31 Aug 2023 17:32:11 +0200
To: Matt Zagrabelny
Cc: netfilter

On Thu, Aug 31, 2023 at 10:25:15AM -0500, Matt Zagrabelny wrote:
> Hi Pablo,
>
> On Sun, Aug 27, 2023 at 4:11 PM Pablo Neira Ayuso wrote:
> >
> > On Fri, Aug 25, 2023 at 04:06:54PM -0500, Matt Zagrabelny wrote:
> > > Greetings netfilter,
> > >
> > > I have a question about the location of a "counter" statement.
> > >
> > > I see from the wiki [0] that placing a counter for the default policy
> > > comes *after* the policy:
> >
> > Wiki example does not refer to the default policy.
>
>
> Ahh. Now I see. Thanks for the clarification.
>
> Is there a way to count the packets that get evaluated by the default
> policy of a chain?
>
> I know I can put a counter after all my rules, but it seems like it
> would be nicer to somehow integrate it into:
>
> chain IN {
>     type filter hook input priority filter; policy drop;
>
> for example:
>
> chain IN {
>     type filter hook input priority filter; policy counter drop;

Perhaps you mean something like this syntax:

    type filter hook input priority filter; counter; policy drop;

to enable basechain counters. No, this is not supported.

> ...but the above fails.

You have to place a counter after all your rules to count those that
reach the basechain as you suggest.
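
The placement described in the reply above, as an added example that is not part of the original thread or of the nftables project's documentation. The table name `inet filter`, the counter name `policy_drops` and the accept rules are assumptions made for illustration; only the `chain IN` header line comes from the thread.

```nftables
#!/usr/sbin/nft -f
# Constructed ruleset: table name, counter name and accept rules are assumptions.

table inet filter {
	# Named counter object, so the value can be listed or reset on its own
	# instead of being read out of the rule listing.
	counter policy_drops {
		packets 0 bytes 0
	}

	chain IN {
		# The chain header only takes type/hook/priority and the policy.
		# "policy counter drop;" and "counter; policy drop;" are rejected.
		type filter hook input priority filter; policy drop;

		ct state established,related accept
		iif "lo" accept
		tcp dport 22 accept

		# Keep this as the LAST rule. Only packets that no rule above gave a
		# verdict to arrive here; the counter statement issues no verdict, so
		# they run off the end of the chain and the drop policy applies.
		counter name "policy_drops"
	}
}
```

Read the value with `nft list counter inet filter policy_drops`, or use `nft reset counter inet filter policy_drops` to print and zero it. Packets dropped by an explicit `drop` rule earlier in the chain never reach the final rule and are not included in this count.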