[input.nftables] Fails to parse nft output including named counters

[niklasf]

Relevant telegraf.conf

[[inputs.nftables]]
  binary = "./nft-example.sh"
  tables = ["inet example"]

[[outputs.file]]
  files = ["stdout"]

Logs from Telegraf

2025-12-16T10:38:15Z D! [agent] Starting service inputs
2025-12-16T10:38:20Z E! [inputs.nftables] Error in plugin: parsing command output failed: unable to parse rule: json: cannot unmarshal string into Go struct field expr.expr.counter of type nftables.counter

System info

Telegraf 1.38.0-1980bf81 (git: master@1980bf81)

Docker

No response

Steps to reproduce

To reproduce with mocked output:

nft-example.sh:

cat inet-example.json

inet-example.json:

{
    "nftables": [
        {
            "metainfo": {
                "version": "1.1.6",
                "release_name": "Commodore Bullmoose #7",
                "json_schema_version": 1
            }
        },
        {
            "table": {
                "family": "inet",
                "name": "example",
                "handle": 7
            }
        },
        {
            "chain": {
                "family": "inet",
                "table": "example",
                "name": "input",
                "handle": 1,
                "type": "filter",
                "hook": "input",
                "prio": 0,
                "policy": "drop"
            }
        },
        {
            "counter": {
                "family": "inet",
                "name": "named_counter",
                "table": "example",
                "handle": 2,
                "comment": "named counter comment",
                "packets": 45470,
                "bytes": 55119375
            }
        },
        {
            "rule": {
                "family": "inet",
                "table": "example",
                "chain": "input",
                "handle": 3,
                "expr": [
                    {
                        "counter": "named_counter"
                    },
                    {
                        "accept": null
                    }
                ]
            }
        }
    ]
}

This is the output of nft --json list table inet example after it was created from this nftables.conf:

table inet example {
  counter named_counter {
    comment "named counter comment"
  }
  chain input {
    type filter hook input priority filter
    policy drop

    counter name named_counter accept
  }
}

Expected behavior

Plugin finds no relevant counters (because as documented it looks for anonymous counters with comments).

Even better: Plugin finds the named counter and includes it in the output. Maybe the plugin should even exclusively look for named counters, rather than using comments to identify anonymous counters.

Actual behavior

Plugin errors. Any additional supported statistics would not be reported.

Additional info

No response

[skartikey]

Thanks for the detailed report, this matches what I am seeing as well.

Issue analysis

The failure comes from how the nftables plugin parses the JSON output when counters are involved. In the nftables JSON format there are two valid representations:

1. Anonymous (inline) counters are represented as objects, for example:

   {"counter": {"packets": 123, "bytes": 456}}

2. Named counters are represented as string references, for example:

   {"counter": "named_counter"}

At the moment, the expr struct in types.go only supports the first case. When the second form is encountered, Go’s JSON unmarshaler errors out with:

json: cannot unmarshal string into Go struct field expr.expr.counter of type nftables.counter

Proposed fix

The cleanest way to handle this is to add a custom UnmarshalJSON implementation for the expr struct. This would allow us to:

• Properly unmarshal the object form for inline counters.
• Gracefully handle the string form for named counters by skipping it and setting the counter field to nil.

This keeps backward compatibility and avoids hard failures when named counters are present in the ruleset.