Where are nftables counters logged/stored, and how long do they persist?

networking logging traffic nftables accounting

I believe that nftables counters are stored in kernel memory only, similar to tables and rules. They may not persist across reboots.

My suggestion to keep permanent record of the counter values is to:

  • Declare your counters in a separate file and include it from your main nftables configuration file.
  • Have the counter declaration file updated with current values.

Depending on the distribution you are using, you may have a nftables.service unit that loads rules from a configuration file. If so, you can design a service that depends of nftables.service and writes counter values to the state file. For example, in Arch Linux, the nftables.service is designed to load firewall rules from /etc/nftables.conf, so you could define these configuration files:

# /etc/nftables.conf

add table stats

# Counter definitions go to '/var/lib/nftables.state'
include "/var/lib/nftables.state"

add chain inet stats INPUT { type filter hook input priority 0; }
add rule ip  stats INPUT ip  saddr 192.168.123.123 counter name os-traffic-4
add rule ip  stats INPUT ip  saddr 192.168.123.234 counter name os-traffic-4
add rule ip  stats INPUT ip  saddr 192.168.123.345 counter name os-traffic-4
add rule ip6 stats INPUT ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234 counter name os-traffic-6
add rule ip6 stats INPUT ip6 saddr 1234:1234:1234:1234:1234:1234:1234:2345 counter name os-traffic-6
add rule ip6 stats INPUT ip6 saddr 1234:1234:1234:1234:1234:1234:1234:3456 counter name os-traffic-6

# /var/lib/nftables.state

add counter stats os-traffic-4
add counter stats os-traffic-6

# /etc/systemd/system/nftables-persist-counters.service

[Unit]
BindsTo=nftables.service
After=nftables.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecStop=/bin/bash -c '/usr/bin/nft list counters > /var/lib/nftables.state'

[Install]
WantedBy=multi-user.target

EDIT: The systemctl reload nftables.service command shall be blocked for the automatic counter storage to work. Therefore, deployment of an additional file is required:

# /etc/systemd/system/nftables.service.d/block-systemctl-reload.conf

[Service]
ExecReload=

Related

"Anonymous Logon" vs "NTLM V1" What to disable?
ProxyPass only if file doesn't exist
Converting Multiple VMware disk image to single disk image
Random SSH entries in Auth.log out of date order [duplicate]
How to hide a trusted domain in the logon screen?
dnsResolve and isInNet functions Problem
multiple puppet masters
Modify XFS filesystem creation parameters during kickstart installation
Grant permission in Active Directory to add users / modify / changed password / add them to group them but not delete them
rsync via multiple ssh connections with a key
HP Proliant ml350p g8 not booting after installing new CPUs
How to extract information from a Wikipedia infobox?