counter target

counter target

[Matt Zagrabelny]

Greetings netfilter,

I have a question about the location of a "counter" statement.

I see from the wiki [0] that placing a counter for the default policy
comes *after* the policy:

table ip counter_demo {
    chain IN {
        type filter hook input priority filter; policy drop;

        protocol tcp counter
    }
}

That feels a little counterintuitive to place a counter after the
packet "appears" to have been dropped.

Thus, do I place other counter statements *after* their corresponding
netfilter stanzas:

table inet filter {
    chain input {
        # accept traffic originated from us
        ct state vmap {
            established: accept,
            related:     accept,
            invalid:     drop,
        }
        counter
    }
}

Or do I place the counter before:

table inet filter {
    chain input {
        counter

        # accept traffic originated from us
        ct state vmap {
            established: accept,
            related:     accept,
            invalid:     drop,
        }
    }
}

Or does it not matter?

Thanks for helping me understand.

Cheers,

-m

[0] https://wiki.nftables.org/wiki-nftables/index.php/Counters

Re: counter target

[Pablo Neira Ayuso]

On Fri, Aug 25, 2023 at 04:06:54PM -0500, Matt Zagrabelny wrote:
> Greetings netfilter,
> 
> I have a question about the location of a "counter" statement.
> 
> I see from the wiki [0] that placing a counter for the default policy
> comes *after* the policy:

Wiki example does not refer to the default policy.

Wiki explains that, unlike iptables, counter statement can be placed
anywhere in the rule.  That is, user specifies when the counter
statement is evaluated.

Comparing with iptables:

- counter statement is optional. In iptables you always have counters
  in every run, even if you do not ned them.
- counter statement can be placed anywhere in the rule, before a
  terminal action. In iptables, it always comes before the target
  (single action).

The example shows that you have more flexibility in how you can use
counters in rules.

> table ip counter_demo {
>     chain IN {
>         type filter hook input priority filter; policy drop;
> 
>         protocol tcp counter

This should be:

          ip protocol tcp counter

This counts all TCP packets seen in this input chain.

This is a rule.

>     }
> }
> 
> That feels a little counterintuitive to place a counter after the
> packet "appears" to have been dropped.

This is not allowed:

# nft add rule x y drop counter
Error: Statement after terminal statement has no effect
add rule x y drop counter
             ~~~~ ^^^^^^^

You cannot add a counter after a terminal statement, it makes no
sense, because the counter statement is unreachable from the packet
path.

> Thus, do I place other counter statements *after* their corresponding
> netfilter stanzas:
> 
> table inet filter {
>     chain input {
>         # accept traffic originated from us
>         ct state vmap {
>             established: accept,
>             related:     accept,
>             invalid:     drop,
>         }
>         counter

This example above is counting all ct state 'new' flows, which is the
implicit fallthrough case in this verdict map (note you do not specify
a match on ct state 'new').

>     }
> }
> 
> Or do I place the counter before:
> 
> table inet filter {
>     chain input {
>         counter

This example above is counting _all_ packets that reach the input chain.

>         # accept traffic originated from us
>         ct state vmap {
>             established: accept,
>             related:     accept,
>             invalid:     drop,
>         }
>     }
> }
> 
> Or does it not matter?

It depends on what you want to count, it is not clear to me what you
would like to achieve.

> [0] https://wiki.nftables.org/wiki-nftables/index.php/Counters

Re: counter target

[Matt Zagrabelny]

Hi Pablo,

On Sun, Aug 27, 2023 at 4:11 PM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Fri, Aug 25, 2023 at 04:06:54PM -0500, Matt Zagrabelny wrote:
> > Greetings netfilter,
> >
> > I have a question about the location of a "counter" statement.
> >
> > I see from the wiki [0] that placing a counter for the default policy
> > comes *after* the policy:
>
> Wiki example does not refer to the default policy.


Ahh. Now I see. Thanks for the clarification.

Is there a way to count the packets that get evaluated by the default
policy of a chain?

I know I can put a counter after all my rules, but it seems like it
would be nicer to somehow integrate it into:

chain IN {
        type filter hook input priority filter; policy drop;

for example:

chain IN {
        type filter hook input priority filter; policy counter drop;

...but the above fails.

Thanks for any help!

-m

Re: counter target

[Pablo Neira Ayuso]

On Thu, Aug 31, 2023 at 10:25:15AM -0500, Matt Zagrabelny wrote:
> Hi Pablo,
> 
> On Sun, Aug 27, 2023 at 4:11 PM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >
> > On Fri, Aug 25, 2023 at 04:06:54PM -0500, Matt Zagrabelny wrote:
> > > Greetings netfilter,
> > >
> > > I have a question about the location of a "counter" statement.
> > >
> > > I see from the wiki [0] that placing a counter for the default policy
> > > comes *after* the policy:
> >
> > Wiki example does not refer to the default policy.
> 
> 
> Ahh. Now I see. Thanks for the clarification.
> 
> Is there a way to count the packets that get evaluated by the default
> policy of a chain?
> 
> I know I can put a counter after all my rules, but it seems like it
> would be nicer to somehow integrate it into:
> 
> chain IN {
>         type filter hook input priority filter; policy drop;
> 
> for example:
> 
> chain IN {
>         type filter hook input priority filter; policy counter drop;

Perhaps you mean something like this syntax:

         type filter hook input priority filter; counter; policy drop;

to enable basechain counters.

No, this is not supported.

> ...but the above fails.

You have to place a counter after all your rules to count those that
reach the basechain as you suggest.

Re: counter target

[Matt Zagrabelny]

On Thu, Aug 31, 2023 at 10:32 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Thu, Aug 31, 2023 at 10:25:15AM -0500, Matt Zagrabelny wrote:

> > Is there a way to count the packets that get evaluated by the default
> > policy of a chain?
> >
> > I know I can put a counter after all my rules, but it seems like it
> > would be nicer to somehow integrate it into:
> >
> > chain IN {
> >         type filter hook input priority filter; policy drop;
> >
> > for example:
> >
> > chain IN {
> >         type filter hook input priority filter; policy counter drop;
>
> Perhaps you mean something like this syntax:
>
>          type filter hook input priority filter; counter; policy drop;
>
> to enable basechain counters.
>
> No, this is not supported.
>
> > ...but the above fails.
>
> You have to place a counter after all your rules to count those that
> reach the basechain as you suggest.

Would netfilter-dev consider a feature request for adding a "counter"
option to the policy of section of a chain? Or has it already been
suggested and rejected?

Thank you for the dialogue!

-m