Open fis opened 5 years ago
Note to self: AFAICT, the nftables netlink interface makes no distinction between querying and modifying data, so CAP_NET_ADMIN capability would be required just to query counters.

That's fair enough, but complicates things a little. The current OpenWrt packaging runs as the unprivileged `nobody` user. This would probably have to be changed to run initially as root, and then drop privileges in some way that retains CAP_NET_ADMIN (see `prctl(PR_SET_SECUREBITS, SECBIT_KEEP_CAPS)`).

The nftables framework has stateful objects (quotas, counters, ...) that could be useful to expose as metrics. This would probably involve having a dependency on `libnftnl` and `libmnl`.
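The privilege-drop sequence sketched above (start as root, switch to the unprivileged user, keep only CAP_NET_ADMIN), as an added example that is not code from this issue or from the exporter project. It uses `prctl(PR_SET_KEEPCAPS, 1)`, which toggles the same keep-caps flag as the issue's `PR_SET_SECUREBITS`/`SECBIT_KEEP_CAPS` form but does not need CAP_SETPCAP, and talks to the kernel with raw `capget`/`capset` so it has no libcap dependency. The uid/gid 65534 for `nobody` is an assumption; a real service would resolve them with `getpwnam()`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed for this example: the uid/gid "nobody" commonly maps to. */
#define UNPRIV_UID 65534
#define UNPRIV_GID 65534

/* Which 32-bit word of the capability bitmap holds 'cap', and its bit. */
int cap_word(int cap) { return cap / 32; }
uint32_t cap_bit(int cap) { return 1u << (cap % 32); }

/* Fill a v3 capset payload so that exactly 'cap' is permitted and effective,
 * and nothing is inheritable (child processes of the exporter get no caps). */
void build_capdata(int cap, struct __user_cap_data_struct data[2]) {
    for (int i = 0; i < 2; i++)
        data[i].effective = data[i].permitted = data[i].inheritable = 0;
    data[cap_word(cap)].permitted = cap_bit(cap);
    data[cap_word(cap)].effective = cap_bit(cap);
}

/* 1 if 'cap' is in the calling thread's effective set, 0 if not, -1 on error.
 * Works unprivileged, so it can verify the outcome of the drop. */
int has_effective_cap(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    return (data[cap_word(cap)].effective & cap_bit(cap)) ? 1 : 0;
}

/* Start as root, become uid/gid, and keep only 'cap' (e.g. CAP_NET_ADMIN).
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges_keep_cap(uid_t uid, gid_t gid, int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    /* Keep the permitted set across the uid change. setuid() away from 0
     * still clears the effective set, so the capability is re-enabled below. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;

    /* Drop supplementary groups first, then gid, then uid. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Shrink permitted to the single capability and make it effective again. */
    build_capdata(cap, data);
    if (syscall(SYS_capset, &hdr, data) != 0) return -1;

    /* Flag no longer needed; a later uid change would then drop everything. */
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);

    /* Verify the end state: unprivileged uid, only 'cap' effective. */
    if (getuid() != uid || geteuid() != uid) { errno = EPERM; return -1; }
    if (has_effective_cap(cap) != 1) { errno = EPERM; return -1; }
    return 0;
}

int main(void) {
    if (geteuid() != 0) {
        printf("not root; CAP_NET_ADMIN effective=%d\n",
               has_effective_cap(CAP_NET_ADMIN));
        return 0;
    }
    if (drop_privileges_keep_cap(UNPRIV_UID, UNPRIV_GID, CAP_NET_ADMIN) != 0) {
        perror("drop_privileges_keep_cap");
        return 1;
    }
    printf("uid=%d CAP_NET_ADMIN effective=%d CAP_SYS_ADMIN effective=%d\n",
           (int)getuid(), has_effective_cap(CAP_NET_ADMIN),
           has_effective_cap(CAP_SYS_ADMIN));
    return 0;
}
```

Run as root the program ends up as uid 65534 with CAP_NET_ADMIN effective and CAP_SYS_ADMIN not; run unprivileged it only reports the current state. The inheritable set is left empty on purpose so anything the exporter spawns (a `nft` helper, for instance) starts with no capabilities; if that is also wanted for the exporter's own future execve calls, `PR_CAPBSET_DROP` on the bounding set is the complementary step.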