
Improve clarity of the Packets and Bytes column headings in the show firewall command output.
Status: Open, Requires assessment. Visibility: Public. Type: Feature Request

Description

Summary
The show firewall command displays Packets and Bytes counters that reflect nftables rule match statistics, not per-connection or per-session traffic volume. This behavior is technically correct.

However, the current column headings do not clearly indicate that these counters apply only to packets and bytes that matched the rule. As a result, the output can be interpreted as showing total traffic for a connection or session.

vyos@vyos:~$ show firewall
Rulesets Information

---------------------------------
ipv4 Firewall "forward filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -----------------------------
20       accept    all                 0        0  ip saddr @N_TRUSTEDv4  accept
21       jump      all                 0        0  jump NAME_AUX
default  accept    all                 0        0

---------------------------------
ipv4 Firewall "input filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -------------------------
10       accept    all               156    14377  iifname != @I_LAN  accept
default  accept    all                 0        0

---------------------------------
ipv4 Firewall "name AUX"

  Rule  Action    Protocol      Packets    Bytes  Conditions
------  --------  ----------  ---------  -------  --------------------------------------------
    10  accept    icmp                0        0  meta l4proto icmp  accept
    20  accept    udp                 0        0  meta l4proto udp ip saddr @A_SERVERS  accept
    30  drop      all                 0        0  ip saddr != @A_SERVERS iifname "eth2"

---------------------------------
ipv4 Firewall "output filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ----------------------------------------
10       reject    all                 0        0  oifname @I_LAN
20       accept    icmp                2      168  meta l4proto icmp oifname "eth0"  accept
default  accept    all                72     9258

---------------------------------
ipv6 Firewall "input filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -------------------------------
10       accept    all                 0        0  ip6 saddr @N6_TRUSTEDv6  accept
default  accept    all                 2      112
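To make the semantics concrete, the following is an added example (not VyOS code and not part of this issue) that parses the plain-text tables above and re-emits them with per-rule headings. The sample input is a trimmed copy of the output quoted in this issue, and the replacement labels "Matched packets" / "Matched bytes" are taken from the suggestion below as an assumption; the field names and helper functions are this example's own.

```python
"""Parse `show firewall` table output and re-label its nftables counters.

The Packets/Bytes columns are per-rule match counters: they count only the
packets and bytes that hit that rule, not the traffic of any connection.
This example keeps that distinction visible in the field names.
"""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the `show firewall` output quoted in this issue.
SAMPLE = """\
Rulesets Information

---------------------------------
ipv4 Firewall "input filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -------------------------
10       accept    all               156    14377  iifname != @I_LAN  accept
default  accept    all                 0        0

---------------------------------
ipv4 Firewall "name AUX"

  Rule  Action    Protocol      Packets    Bytes  Conditions
------  --------  ----------  ---------  -------  --------------------------------------------
    10  accept    icmp                0        0  meta l4proto icmp  accept
    20  accept    udp                 0        0  meta l4proto udp ip saddr @A_SERVERS  accept
    30  drop      all                 0        0  ip saddr != @A_SERVERS iifname "eth2"

---------------------------------
ipv4 Firewall "output filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ----------------------------------------
10       reject    all                 0        0  oifname @I_LAN
20       accept    icmp                2      168  meta l4proto icmp oifname "eth0"  accept
default  accept    all                72     9258
"""

RULESET_RE = re.compile(r'^(ipv4|ipv6) Firewall "(.+)"$')


@dataclass
class RuleCounter:
    """One row of a ruleset table; counters are rule hits, not session volume."""
    family: str
    ruleset: str
    rule: str
    action: str
    protocol: str
    matched_packets: int
    matched_bytes: int
    conditions: str


def parse_show_firewall(text):
    """Return a list of RuleCounter rows parsed from `show firewall` text."""
    rows = []
    family = ruleset = None
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        m = RULESET_RE.match(line)
        if m:                              # new ruleset header, e.g. ipv4 Firewall "input filter"
            family, ruleset = m.group(1), m.group(2)
            in_table = False
            continue
        if line.startswith("Rule") and "Packets" in line:
            in_table = True                # column heading line; data rows follow
            continue
        if not line or line.startswith("-") or not in_table:
            continue                       # blank lines and dashed separators
        parts = line.split(None, 5)        # rule, action, proto, packets, bytes, [conditions]
        if len(parts) < 5:
            continue
        rule, action, proto, pkts, byts = parts[:5]
        conditions = parts[5].strip() if len(parts) == 6 else ""
        rows.append(RuleCounter(family, ruleset, rule, action, proto,
                                int(pkts), int(byts), conditions))
    return rows


def counter_for(rows, ruleset, rule):
    """Return (matched_packets, matched_bytes) for one rule, or None if absent."""
    for r in rows:
        if r.ruleset == ruleset and r.rule == rule:
            return (r.matched_packets, r.matched_bytes)
    return None


def render(rows):
    """Re-emit the tables using the headings proposed in this issue (assumed wording)."""
    out, current = [], None
    for r in rows:
        key = (r.family, r.ruleset)
        if key != current:
            current = key
            out.append(f'{r.family} Firewall "{r.ruleset}"')
            out.append(f'{"Rule":<8} {"Action":<8} {"Proto":<8} '
                       f'{"Matched packets":>15} {"Matched bytes":>13}  Conditions')
        out.append(f'{r.rule:<8} {r.action:<8} {r.protocol:<8} '
                   f'{r.matched_packets:>15} {r.matched_bytes:>13}  {r.conditions}')
    return "\n".join(out)


if __name__ == "__main__":
    print(render(parse_show_firewall(SAMPLE)))
```

Run it as a script to see the same tables with the clearer headings; `counter_for` is a small accessor so the per-rule nature of the numbers is explicit in the API rather than only in a heading.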

Suggestion

Clarify the column headings to better reflect their meaning, for example:

  • “Matched packets” / “Matched bytes”
  • or “Rule hits (packets)” / “Rule hits (bytes)”

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

In my opinion the headers are correct.
It could be described in the documentation.