
I have set up some firewall rules using nftables. They include some data counters for some types of traffic that I'm interested to monitor.

Now, I'd like to be able to have an application read those counters, ideally using libnftnl, running as a non-root user. But, initial testing with nft indicates that I can't read nftables counters as a non-root user.

As root:

$ nft list counter my_table my_counter
table ip my_table {
    counter my_counter {
        packets 123 bytes 12345
    }
}

As non-root:

$ nft list counter my_table my_counter
Error: No such file or directory
list counter my_table my_counter
             ^^^^^^^^

Is there some way to read nftables counters as a non-root user? Perhaps if some Linux capability is set?

Craig McQueen

2 Answers


If you want a more limited config, maybe use sudo. You can set a rule that only permits a single command.

craig_mcqueen ALL = NOPASSWD: /usr/sbin/nft list counter my_table my_counter

Zoredache
  • Thanks. It doesn't work for using `libnftnl`, but it does allow more fine-grained permission control than `CAP_NET_ADMIN`. – Craig McQueen Oct 08 '21 at 04:07
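As an added example (not part of the question or of either answer), a small Python client built around that sudoers rule: it runs the exact permitted command non-interactively and parses the text output shown in the question. It assumes the sudoers line above is installed for the invoking user, and that the nft path, table name and counter name in the command match that line exactly, since sudo compares the full argument list.

```python
import re
import shlex
import subprocess

# The exact command permitted by the sudoers rule above. sudo matches the whole
# argument list, so adding flags such as -j would be rejected unless the rule
# is changed to include them.
NFT_CMD = ["sudo", "-n", "/usr/sbin/nft", "list", "counter", "my_table", "my_counter"]

# Matches the counter line of `nft list counter` text output: "packets 123 bytes 12345".
_COUNTER_RE = re.compile(r"^\s*packets\s+(\d+)\s+bytes\s+(\d+)\s*$", re.MULTILINE)


def parse_counter(output: str) -> dict:
    """Extract packets and bytes from the text output of `nft list counter`."""
    m = _COUNTER_RE.search(output)
    if m is None:
        raise ValueError("no 'packets N bytes M' line found in nft output")
    return {"packets": int(m.group(1)), "bytes": int(m.group(2))}


def read_counter(run=subprocess.run) -> dict:
    """Run the single whitelisted nft command via sudo and parse its output.

    `sudo -n` never prompts for a password: if the rule is missing or the
    argument list does not match it, the call fails instead of hanging.
    `run` is injectable so the function can be exercised without nftables.
    """
    proc = run(NFT_CMD, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"{shlex.join(NFT_CMD)} failed: {proc.stderr.strip()}")
    return parse_counter(proc.stdout)


# Constructed sample, shaped like the root-run output in the question.
SAMPLE_OUTPUT = """table ip my_table {
    counter my_counter {
        packets 123 bytes 12345
    }
}
"""


def _fake_run(cmd, **kwargs):
    """Stand-in for subprocess.run, used when no nftables setup is available."""
    return subprocess.CompletedProcess(cmd, 0, stdout=SAMPLE_OUTPUT, stderr="")


if __name__ == "__main__":
    print(read_counter(_fake_run))  # {'packets': 123, 'bytes': 12345}
```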

It looks as though Linux capability CAP_NET_ADMIN enables reading the counter.

E.g., start a shell for a non-root user, with CAP_NET_ADMIN:

capsh --caps="cap_net_admin+eip cap_setpcap,cap_setuid,cap_setgid+ep" --keep=1 --user=myuser --addamb=cap_net_admin -- -c "sh"

From that shell, /usr/sbin/nft list counter my_table my_counter runs successfully.

But, it also allows doing other things, such as changing firewall rules, adding new counters or deleting existing counters.

Craig McQueen