I'm currently in the process of migrating a firehol[0] based router firewall to nftables. In general, there are no issues on the functional level, however, as I like to summarize repetitive sections with maps[1] and sets[2] as much as possible, I'm struggling to get counters[3] added in the same "pass". Lets take for example these dnat rules

Do you know a way of somehow in-cooperate counters in a map-based rule?

[0] https://firehol.org/ [1] https://wiki.nftables.org/wiki-nftables/index.php/Maps [2] https://wiki.nftables.org/wiki-nftables/index.php/Sets [3] https://wiki.nftables.org/wiki-nftables/index.php/Counters

I'm currently in the process of migrating a firehol based router firewall to nftables. In general, there are no issues on the functional level, however, as I like to summarize repetitive sections with maps and sets as much as possible, I'm struggling to get counters added in the same "pass". Lets take for example these dnat rules

Do you know a way of somehow in-cooperate counters in a map-based rule?

table t1 { chain c1 { type nat hook prerouting priority dstnat; # compact form (works) dnat to ip daddr map { 192.168.22.22 : 86.12.22.22, 192.168.22.23 : 86.12.22.23 } # syntactically correct, but counts all dnated traffic counter dnat to daddr map { 192.168.22.22 : 86.12.22.22, 192.168.22.23 : 86.12.22.23 } # Does not work (why?) ip daddr dnat to map { 86.12.22.22 : 192.168.22.22, 86.12.22.23 : 192.168.22.23 } # long form (with counter, works) ip daddr 86.12.22.22 counter dnat to 192.168.22.22 } } 

table t1 { chain c1 { type nat hook prerouting priority dstnat; # compact form (works) dnat to ip daddr map { 86.12.22.22 : 192.168.22.22, 86.12.22.23 : 192.168.22.23 } # syntactically correct, but counts all dnated traffic counter dnat to daddr map { 86.12.22.22 : 192.168.22.22, 86.12.22.23 : 192.168.22.23 } # Does not work (why?) ip daddr dnat to map { 192.168.22.22 : 86.12.22.22, 192.168.22.23 : 86.12.22.23 } # long form (with counter, works) ip daddr 86.12.22.22 counter dnat to 192.168.22.22 } }