Support Named Counters

[aojea]

This will be very useful to implement metrics in kube-proxy

https://wiki.nftables.org/wiki-nftables/index.php/Counters

[aojea]

/cc @aroradaman

[aroradaman]

I don't think these counters will be persisted, these will reset to 0 at every sync. Or we will have to parse the current value and use that when rewriting the rules.

That is why we used nfacct for the iptables metrics, may be we can integrate nfacct counters for this.

[aojea]

I don't think these counters will be persisted, these will reset to 0 at every sync

that is not how I read it from the documentation, why they will be resetted?

[aroradaman]

We flush the rules and write them again every sync, so in our use case, they will reset to 0 at every sync.
I'll confirm the behavior.

[aojea]

I do think the counters do not reset , they are presented as the alternative to nfacct https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables#nfacct

[aroradaman]

I do think the counters do not reset , they are presented as the alternative to nfacct https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables#nfacct

I tried implementing this, and counters are persisted indeed.

We flush the rules and write them again every sync, so in our use case, they will reset to 0 at every sync.
I'll confirm the behavior.

This thought stemmed from iptables-coutners which were being reset at every sync.

[danwinship]

If you have "anonymous" counters in your rules (ip daddr @firewalled-ips counter drop) then I think they'd get reset each time you rewrite the rule, but named counters are intentionally persistent.