Nft bandwidth monitoring per client

Is there a package for nftables bandwidth monitor per client?

I'd like to monitor bandwidth per device for nftables.

I used to use iptmon for this, but that's iptables.

Is this what you are after, or do you want live data?

Netlink bandwidth monitor?
luci-app-nlbwmon
nlbwmon


Are those apps updated for nftables?

I'm looking for live bandwidth data per device.

nlbwmon collects statistic information from Linux conntrack entries; GitHub details here.

It works with nft.


But this doesn't do live bandwidth monitoring.

I need live bandwidth monitoring using NFT. Doesn't seem like that's possible yet, right?

No, it doesn't. Nor did I infer that.

It’s quite possible to establish counters in nftables using sets. This example would collect every active LAN IPv4 address in the set ip4counters with packet and byte counts. Send and receive are combined, but you could split that out to match iptmon behavior.

table inet nftmon {
        set ip4counters {
                type ipv4_addr
                size 65535
                flags dynamic
                counter
        }

        chain forward {
                type filter hook postrouting priority filter + 1; policy accept;
                ip saddr 192.168.1.0/24 add @ip4counters { ip saddr }
                ip daddr 192.168.1.0/24 add @ip4counters { ip daddr }
        }
}

Results:

# nft list set inet nftmon ip4counters
table inet nftmon {
        set ip4counters {
                type ipv4_addr
                size 65535
                flags dynamic
                counter
                elements = { 192.168.1.1 counter packets 844 bytes 188757, 192.168.1.7 counter packets 184 bytes 38200,
                             192.168.1.30 counter packets 131 bytes 75494, 192.168.1.46 counter packets 45996 bytes 54064503,
                             192.168.1.75 counter packets 134 bytes 40940, 192.168.1.108 counter packets 253 bytes 60431,
                             192.168.1.119 counter packets 45 bytes 13372, 192.168.1.121 counter packets 2 bytes 92,
                             192.168.1.144 counter packets 24849 bytes 23209336, 192.168.1.169 counter packets 135 bytes 48574,
                             192.168.1.175 counter packets 414 bytes 135403, 192.168.1.176 counter packets 18 bytes 2285,
                             192.168.1.183 counter packets 255994 bytes 309464140, 192.168.1.214 counter packets 37 bytes 5508 }
        }
}

This could also be formatted in JSON for parsing by a collectd plugin.
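The set above only gives cumulative packet and byte totals per address; "live" bandwidth is the delta between two readings divided by the sampling interval. The following script is an added example, not code from the original post or from the nftables project: it parses the text output of `nft list set inet nftmon ip4counters` (the format shown in the results above), samples it on an interval and prints bytes/s and packets/s per LAN host. The two snapshots embedded below are constructed for the offline run; the table and set names, and the polling interval, are assumptions taken from the ruleset in the post.

```python
import re
import subprocess
import time
from typing import Dict, Tuple

# One element of the nft text output, e.g.
#   192.168.1.46 counter packets 45996 bytes 54064503
ELEM_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+counter\s+packets\s+(\d+)\s+bytes\s+(\d+)"
)

Counters = Dict[str, Tuple[int, int]]  # ip -> (packets, bytes)


def parse_counters(nft_output: str) -> Counters:
    """Extract {ip: (packets, bytes)} from `nft list set ...` text output."""
    return {ip: (int(pk), int(by)) for ip, pk, by in ELEM_RE.findall(nft_output)}


def read_live_counters(table: str = "inet nftmon", set_name: str = "ip4counters") -> Counters:
    """Run nft (needs root) and parse the current set contents."""
    out = subprocess.run(
        ["nft", "list", "set", *table.split(), set_name],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_counters(out)


def rates(prev: Counters, curr: Counters, interval_s: float) -> Dict[str, Tuple[float, float]]:
    """Per-host (bytes/s, packets/s) between two samples.

    A host seen only in `curr` is a new set element and is counted from zero.
    A counter that went backwards means the set was flushed (e.g. firewall
    restart), so that host is also counted from zero rather than negative.
    """
    result = {}
    for ip, (pk, by) in curr.items():
        ppk, pby = prev.get(ip, (0, 0))
        if pk < ppk or by < pby:
            ppk, pby = 0, 0
        result[ip] = ((by - pby) / interval_s, (pk - ppk) / interval_s)
    return result


# Constructed snapshots, 10 s apart, in the same format nft prints.
SAMPLE_T0 = """
elements = { 192.168.1.1 counter packets 844 bytes 188757, 192.168.1.7 counter packets 184 bytes 38200,
             192.168.1.46 counter packets 45996 bytes 54064503,
             192.168.1.183 counter packets 255994 bytes 309464140 }
"""
SAMPLE_T1 = """
elements = { 192.168.1.1 counter packets 850 bytes 190000, 192.168.1.7 counter packets 184 bytes 38200,
             192.168.1.46 counter packets 46996 bytes 55064503,
             192.168.1.183 counter packets 100 bytes 12000,
             192.168.1.200 counter packets 50 bytes 5000 }
"""


def demo() -> Dict[str, Tuple[float, float]]:
    """Rates between the two constructed snapshots (no nft binary needed)."""
    return rates(parse_counters(SAMPLE_T0), parse_counters(SAMPLE_T1), 10.0)


def monitor(interval_s: float = 5.0) -> None:
    """Poll the real set forever and print the top talkers by bytes/s."""
    prev = read_live_counters()
    while True:
        time.sleep(interval_s)
        curr = read_live_counters()
        for ip, (bps, pps) in sorted(rates(prev, curr, interval_s).items(),
                                     key=lambda kv: kv[1][0], reverse=True):
            print(f"{ip:<16} {bps / 1024:9.1f} KiB/s {pps:8.1f} pkt/s")
        print("-" * 48)
        prev = curr


if __name__ == "__main__":
    for ip, (bps, pps) in demo().items():
        print(f"{ip:<16} {bps:10.1f} B/s {pps:8.1f} pkt/s")
```

Run `monitor()` on the router to watch the set live; note that because send and receive are combined in the ruleset, the rate is total traffic for that address in both directions.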

Dave, you kick ass.
How can I implement this? I would love to test it.

You can create the directory /usr/share/nftables.d/ruleset-post and then copy/paste the first block of code into a file in that directory (e.g. /usr/share/nftables.d/ruleset-post/nftmon.nft).

Then restart the firewall and check the counters every so often.

IPv6 may be harder to track, unless you use MAC addresses instead of rotating privacy addresses.

Software/hardware flow offloading would need to be disabled in the firewall for this to work at all.