Firewall fw4 rule "hits" - how to see

lleachii · October 3, 2022, 8:50pm

How do you see the quantity of packets/bytes matching a firewall chains or rules in fw4?

stangri · October 4, 2022, 4:18am

add counter when creating a rule?

	chain dstnat_lan {
		meta nfproto ipv4 tcp dport 53 counter packets 4791 bytes 287460 redirect to :53 comment "!fw4: ubus:https-dns-proxy[instance1] redirect 0"
		meta nfproto ipv4 udp dport 53 counter packets 417870 bytes 28992512 redirect to :53 comment "!fw4: ubus:https-dns-proxy[instance1] redirect 0"
	}

lleachii · October 4, 2022, 11:13am

OK, thanks,

How?
Also, what command did you enter to "see" it?
Is there a method in LuCi like previous versions?
- What package/setting do I need to setup in order to restore this functionality?
If I want to see counters for all rules, how?

I looked here: https://openwrt.org/docs/guide-user/firewall/firewall_configuration - the word "counter" doesn't appear once on the Wiki page. Also, same information at this link, but doesn't say how (it doesn't seem related TBH):

I noticed the rule displayed has no "counter" option listed. Does this mean all rules have "counters" by default?
I'm noticing when people post these snippets, they rarely include any command line/UCI interactions
- Could you provide the UCI rule for what you displayed (or verify the one I linked above that's a copy of yours), please?

(Basically, it seems like people are posting these outta thin air...but they had to come from somewhere. It's confusing and I know I must be missing something, a link to a Wiki that specifically covers this topic will help most).

dave14305 · October 4, 2022, 11:50am

Counters are implicitly added for uci rules. You can see them buried in the output of nft list ruleset or in the LuCI Status / Firewall output.

Counters are optional in nftables and so there isn’t the same ability to see hit counts on every rule and chain like in iptables. firewall4 omits counters from some of the hardcoded rules in the ruleset.

stangri · October 4, 2022, 6:59pm

Sorry, I thought you were asking about creating rules thru the nft command/script, but looks like @dave14305 has answered the question about creating rules thru fw4 config anyways.

To check what's in the fw4 table I run: nft list table inet fw4.

lleachii · October 5, 2022, 12:06am

I now see where the hits appear in LuCI too. I now see the total bytes - and you hover over them you additionally see number of packets.

Thanks....but

Do they reset after n time?

Why - I know I had [a lot of] traffic since my router was up on a rule...but...

tcp dport xxx counter packets 0 bytes 0 accept comment "!fw4: xxx_in"

I tested because I was perplexed:

tcp dport xxx counter packets 2 bytes 124 accept comment "!fw4: xx_in"

Disregard...I know what's occurring. A script for a nft set reloaded the firewall.

system · October 15, 2022, 12:06am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.