Score:0

nftables read counters as non-root user


I have set up some firewall rules using nftables. They include some data counters for some types of traffic that I'm interested to monitor.

Now, I'd like to be able to have an application read those counters, ideally using libnftnl, running as a non-root user. But, initial testing with nft indicates that I can't read nftables counters as a non-root user.

As root:

$ nft list counter my_table my_counter
table ip my_table {
    counter my_counter {
        packets 123 bytes 12345
    }
}

As non-root:

$ nft list counter my_table my_counter
Error: No such file or directory
list counter my_table my_counter
             ^^^^^^^^

Is there some way to read nftables counters as a non-root user? Perhaps if some Linux capability is set?

Score:2

If you want a more limited config, maybe use sudo. You can set a rule that only permits a single command.

craig_mcqueen ALL = NOPASSWD: /usr/sbin/nft list counter my_table my_counter

Thanks. It doesn't work for using `libnftnl`, but it does allow more fine-grained permission control than `CAP_NET_ADMIN`.
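Added example, not part of the answer above or of the question's own code: a small Python reader that runs the single permitted command through sudo and parses nft's JSON output (`nft -j`), so the unprivileged application never gets CAP_NET_ADMIN itself. The embedded sample output is constructed to mirror the JSON shape nft prints for a named counter (the version string and handle are made up). Note that sudoers matches the argument list literally, so if the reader passes `-j` the rule must name exactly that command line, e.g. `/usr/sbin/nft -j list counter my_table my_counter`; the `-n` flag makes sudo fail instead of prompting when the rule does not match.

```python
import json
import subprocess

# Constructed sample of what `nft -j list counter my_table my_counter` prints.
# The "metainfo" object and the handle number are illustrative only.
SAMPLE_OUTPUT = json.dumps({
    "nftables": [
        {"metainfo": {"version": "1.0.0", "release_name": "example",
                      "json_schema_version": 1}},
        {"counter": {"family": "ip", "table": "my_table", "name": "my_counter",
                     "handle": 4, "packets": 123, "bytes": 12345}},
    ]
})


def parse_counters(json_text):
    """Map (table, name) -> (packets, bytes) from `nft -j list counter` output.

    Objects other than "counter" (e.g. "metainfo") are skipped, so the same
    parser also works on the output of `nft -j list counters`.
    """
    doc = json.loads(json_text)
    result = {}
    for obj in doc.get("nftables", []):
        counter = obj.get("counter")
        if counter is None:
            continue
        key = (counter["table"], counter["name"])
        result[key] = (int(counter["packets"]), int(counter["bytes"]))
    return result


def read_counter(table, name, runner=subprocess.run):
    """Read one counter via the sudo rule; raises CalledProcessError if denied.

    The argv below must match the sudoers rule token for token, including -j.
    `runner` is injectable so the function can be exercised without sudo.
    """
    argv = ["sudo", "-n", "/usr/sbin/nft", "-j", "list", "counter", table, name]
    proc = runner(argv, capture_output=True, text=True, check=True)
    return parse_counters(proc.stdout)[(table, name)]


class _FakeCompleted:
    """Stand-in for subprocess.CompletedProcess used in offline demonstration."""
    def __init__(self, stdout):
        self.stdout = stdout
        self.returncode = 0


def fake_runner(argv, **kwargs):
    """Offline substitute for subprocess.run: returns the constructed sample."""
    return _FakeCompleted(SAMPLE_OUTPUT)


if __name__ == "__main__":
    packets, nbytes = read_counter("my_table", "my_counter", runner=fake_runner)
    print(f"my_counter: packets={packets} bytes={nbytes}")
    # On a host with the sudoers rule in place, drop runner= to call nft for real.
```

Because the sudo rule fixes every argument, adding a second counter means adding a second sudoers line; if that becomes unwieldy, `nft -j list counters` (plural) returns all named counters in one call and `parse_counters` already handles that output.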
Score:0

It looks as though Linux capability CAP_NET_ADMIN enables reading the counter.

E.g., start a shell for a non-root user, with CAP_NET_ADMIN:

capsh --caps="cap_net_admin+eip cap_setpcap,cap_setuid,cap_setgid+ep" --keep=1 --user=myuser --addamb=cap_net_admin -- -c "sh"

From that shell, /usr/sbin/nft list counter my_table my_counter runs successfully.

But, it also allows doing other things, such as changing firewall rules, adding new counters or deleting existing counters.
