fis
commented
5 years ago Note to self: AFAICT, the nftables netlink interface makes no distinction between querying and modifying data, so CAP_NET_ADMIN capability would be required just to query counters.
That's fair enough, but complicates things a little. The current OpenWrt packaging runs as the unprivileged nobody user. This would probably have to be changed to run initially as root, and then drop privileges in some way that retains CAP_NET_ADMIN (see prctl(PR_SET_SECUREBITS, SECBIT_KEEP_CAPS)).
The nftables framework has stateful objects (quotas, counters, ...) that could be useful to expose as metrics. This would probably involve having a dependency on
libnftnlandlibmnl.