Change Details

**Summary** The show firewall command displays Packets and Bytes counters that reflect nftables rule match statistics, not per-connection or per-session traffic volume. This behavior is technically correct. However, the current column headings do not clearly indicate that these counters apply only to packets and bytes that matched the rule. As a result, the output can be interpreted as showing total traffic for a connection or session. **Summary** Clarify the column headings to better reflect their meaning, for example: - “Matched packets” / “Matched bytes” - or “Rule hits (packets)” / “Rule hits (bytes)”

**Summary** The show firewall command displays Packets and Bytes counters that reflect nftables rule match statistics, not per-connection or per-session traffic volume. This behavior is technically correct. However, the current column headings do not clearly indicate that these counters apply only to packets and bytes that matched the rule. As a result, the output can be interpreted as showing total traffic for a connection or session. ``` vyos@vyos:~$ show firewall Rulesets Information --------------------------------- ipv4 Firewall "forward filter" Rule Action Protocol Packets Bytes Conditions ------- -------- ---------- --------- ------- ----------------------------- 20 accept all 0 0 ip saddr @N_TRUSTEDv4 accept 21 jump all 0 0 jump NAME_AUX default accept all 0 0 --------------------------------- ipv4 Firewall "input filter" Rule Action Protocol Packets Bytes Conditions ------- -------- ---------- --------- ------- ------------------------- 10 accept all 156 14377 iifname != @I_LAN accept default accept all 0 0 --------------------------------- ipv4 Firewall "name AUX" Rule Action Protocol Packets Bytes Conditions ------ -------- ---------- --------- ------- -------------------------------------------- 10 accept icmp 0 0 meta l4proto icmp accept 20 accept udp 0 0 meta l4proto udp ip saddr @A_SERVERS accept 30 drop all 0 0 ip saddr != @A_SERVERS iifname "eth2" --------------------------------- ipv4 Firewall "output filter" Rule Action Protocol Packets Bytes Conditions ------- -------- ---------- --------- ------- ---------------------------------------- 10 reject all 0 0 oifname @I_LAN 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept default accept all 72 9258 --------------------------------- ipv6 Firewall "input filter" Rule Action Protocol Packets Bytes Conditions ------- -------- ---------- --------- ------- ------------------------------- 10 accept all 0 0 ip6 saddr @N6_TRUSTEDv6 accept default accept all 2 112 ``` **Suggestion** Clarify the column headings to better reflect their meaning, for example: - “Matched packets” / “Matched bytes” - or “Rule hits (packets)” / “Rule hits (bytes)”

**Summary** The show firewall command displays Packets and Bytes counters that reflect nftables rule match statistics, not per-connection or per-session traffic volume. This behavior is technically correct. However, the current column headings do not clearly indicate that these counters apply only to packets and bytes that matched the rule. As a result, the output can be interpreted as showing total traffic for a connection or session. ``` vyos@vyos:~$ show firewall Rulesets Information **Summary**--------------------------------- ipv4 Firewall "forward filter" Rule Action Protocol Packets Bytes Conditions ------- -------- ---------- --------- ------- ----------------------------- 20 accept all 0 0 ip saddr @N_TRUSTEDv4 accept 21 jump all 0 0 jump NAME_AUX default accept all 0 0 --------------------------------- ipv4 Firewall "input filter" Rule Action Protocol Packets Bytes Conditions ------- -------- ---------- --------- ------- ------------------------- 10 accept all 156 14377 iifname != @I_LAN accept default accept all 0 0 --------------------------------- ipv4 Firewall "name AUX" Rule Action Protocol Packets Bytes Conditions ------ -------- ---------- --------- ------- -------------------------------------------- 10 accept icmp 0 0 meta l4proto icmp accept 20 accept udp 0 0 meta l4proto udp ip saddr @A_SERVERS accept 30 drop all 0 0 ip saddr != @A_SERVERS iifname "eth2" --------------------------------- ipv4 Firewall "output filter" Rule Action Protocol Packets Bytes Conditions ------- -------- ---------- --------- ------- ---------------------------------------- 10 reject all 0 0 oifname @I_LAN 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept default accept all 72 9258 --------------------------------- ipv6 Firewall "input filter" Rule Action Protocol Packets Bytes Conditions ------- -------- ---------- --------- ------- ------------------------------- 10 accept all 0 0 ip6 saddr @N6_TRUSTEDv6 accept default accept all 2 112 ``` **Suggestion** Clarify the column headings to better reflect their meaning, for example: - “Matched packets” / “Matched bytes” - or “Rule hits (packets)” / “Rule hits (bytes)”