influxdata · skartikey · Nov 20, 2025 · Sep 8, 2025 · Sep 8, 2025 · Sep 8, 2025
diff --git a/plugins/inputs/all/nftables.go b/plugins/inputs/all/nftables.go
@@ -0,0 +1,5 @@
+//go:build !custom || inputs || inputs.nftables
+
+package all
+
+import _ "github.com/influxdata/telegraf/plugins/inputs/nftables" // register plugin
diff --git a/plugins/inputs/nftables/README.md b/plugins/inputs/nftables/README.md
@@ -0,0 +1,86 @@
+# Nftables Plugin
+
+The nftables plugin gathers packets and bytes counters for rules within
+Linux's nftables firewall.
+
+Rules are identified through associated comment.
+**Rules without comment are ignored**.
+
+Before using this plugin **you must ensure that the rules you want to monitor
+are named with a unique comment**. Comments are added using the 'comment
+"my comment"' nftables options.
+
+The nftables command requires CAP_NET_ADMIN and CAP_NET_RAW capabilities.
+You have several options to grant telegraf to run nftables:
+
+* Run telegraf as root. This is strongly discouraged.
+* Configure systemd to run telegraf with CAP_NET_ADMIN and CAP_NET_RAW.
+This is the simplest and recommended option.
+* Configure sudo to grant telegraf to run nftables. This is the most restrictive
+ option, but requires sudo setup.
+
+⭐ Telegraf v1.37.0
+🏷️  network, system
+💻 linux
+
+## Using systemd capabilities
+
+You may run `systemctl edit telegraf.service` and add the following:
+
+```text
+[Service]
+CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
+AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
+```
+
+Since telegraf will fork a process to run nftables, `AmbientCapabilities` is
+required to transmit the capabilities bounding set to the forked process.
+
+## Using sudo
+
+You may edit your sudo configuration with the following:
+
+```sudo
+telegraf ALL=(root) NOPASSWD: /usr/bin/nft *
+```
+
+## Global configuration options <!-- @/docs/includes/plugin_config.md -->
+
+In addition to the plugin-specific configuration settings, plugins support
+additional global and plugin configuration settings. These settings are used to
+modify metrics, tags, and field or create aliases and configure ordering, etc.
+See the [CONFIGURATION.md][CONFIGURATION.md] for more details.
+
+[CONFIGURATION.md]: ../../../docs/CONFIGURATION.md#plugins
+
+## Configuration
+
+```toml
+  # use sudo to run nftables
+  use_sudo = false
+  # defines the table to monitor:
+  tables = ["filter"]
+```
+
+## Tags
+
+* All measurements have the following tags:
+  * table
+  * chain
+  * ruleid
+
+The `ruleid` is the comment associated to the rule.
+
+## Metrics
+
+* nftables
+  * pkts (integer, count)
+  * bytes (integer, bytes)
+
+## Example Output
+
+```bash
+$ ./telegraf --config telegraf.conf --input-filter nftables --test
+> nftables,chain=incoming,host=my_hostname,ruleid=comment_val_1,table=filter bytes=66435845i,pkts=133882i 1757367516000000000
+> nftables,chain=outgoing,host=my_hostname,ruleid=comment_val2,table=filter bytes=25596512i,pkts=145129i 1757367516000000000
+```
diff --git a/plugins/inputs/nftables/nftables.go b/plugins/inputs/nftables/nftables.go
@@ -0,0 +1,188 @@
+//go:generate ../../../tools/readme_config_includer/generator
+//go:build linux
+
+package nftables
+
+import (
+	_ "embed"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os/exec"
+
+	"github.com/influxdata/telegraf"
+	"github.com/influxdata/telegraf/plugins/inputs"
+)
+
+const measurement = "nftables"
+
+type Nftables struct {
+	UseSudo bool   `toml:"use_sudo"`
+	Binary  string `toml:"binary"`
+	Tables  []string
+}
+
+//go:embed sample.conf
+var sampleConfig string
+
+type Nftable struct {
+	Metainfo          *Metainfo
+	Rules             []*Rule
+	JSONSchemaVersion int `json:"json_schema_version"`
+}
+
+// UnmarshalJSON handles custom parsing of the nftable output which is
+// designed in a generic that is not compatible with the generic parser.
+func (nftable *Nftable) UnmarshalJSON(b []byte) error {
+	var atable map[string][]map[string]json.RawMessage
+	if err := json.Unmarshal(b, &atable); err != nil {
+		return fmt.Errorf("unable to unmarshal: %s", b)
+	}
+	// []map[string]interface
+	nfthings := atable["nftables"]
+	for _, nfthing := range nfthings {
+		hasKey := func(key string) bool { _, ok := nfthing[key]; return ok }
+		switch {
+		case hasKey("metainfo"):
+			var mi Metainfo
+			err := json.Unmarshal(nfthing["metainfo"], &mi)
+			if err != nil {
+				return fmt.Errorf("unable to parse metadata: %w", err)
+			}
+			nftable.Metainfo = &mi
+		case hasKey("rule"):
+			var r Rule
+			err := json.Unmarshal(nfthing["rule"], &r)
+			if err != nil {
+				return fmt.Errorf("unable to parse rule: %w", err)
+			}
+			nftable.Rules = append(nftable.Rules, &r)
+		default:
+			// something we are not parsing
+		}
+	}
+	return nil
+}
+
+type Metainfo struct {
+	Version           string `json:"version"`
+	ReleaseName       string `json:"release_name"`
+	JSONSchemaVersion int    `json:"json_schema_version"`
+}
+
+type Rule struct {
+	Family  string
+	Table   string
+	Chain   string
+	Comment string
+	Counter *Counter
+}
+
+// UnmarshalJSON handles properly extracting the counter expression from
+// the Exprs array input
+func (rule *Rule) UnmarshalJSON(b []byte) error {
+	var raw struct {
+		Family  string                       `json:"family"`
+		Table   string                       `json:"table"`
+		Chain   string                       `json:"chain"`
+		Comment string                       `json:"comment"`
+		Exprs   []map[string]json.RawMessage `json:"expr"`
+	}
+	if err := json.Unmarshal(b, &raw); err != nil {
+		return fmt.Errorf("unable to unmarshal: %s", b)
+	}
+	rule.Family = raw.Family
+	rule.Table = raw.Table
+	rule.Chain = raw.Chain
+	rule.Comment = raw.Comment
+
+	// iterate rule expressions looking for the single counter
+	for _, expr := range raw.Exprs {
+		hasKey := func(key string) bool { _, ok := expr[key]; return ok }
+		if hasKey("counter") {
+			rule.Counter = &Counter{}
+			if err := json.Unmarshal(expr["counter"], rule.Counter); err != nil {
+				return fmt.Errorf("unable to parse counter: %w", err)
+			}
+			// we can return early since we are not looking for anything else
+			return nil
+		}
+	}
+	return nil
+}
+
+type Counter struct {
+	Packets int64 `json:"packets"`
+	Bytes   int64 `json:"bytes"`
+}
+
+func (*Nftables) SampleConfig() string {
+	return sampleConfig
+}
+
+func (*Nftables) Init() error {
+	return nil
+}
+
+func (nft *Nftables) Gather(acc telegraf.Accumulator) error {
+	if len(nft.Tables) == 0 {
+		return errors.New("invalid configuration - expected a 'Tables' entry with list of nftables to monitor")
+	}
+	for _, table := range nft.Tables {
+		err := nft.getTableData(table, acc)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// List a specific table and add to Accumulator
+func (nft *Nftables) getTableData(tableName string, acc telegraf.Accumulator) error {
+	var binary string
+	if nft.Binary != "" {
+		binary = nft.Binary
+	} else {
+		binary = "nft"
+	}
+	nftablePath, err := exec.LookPath(binary)
+	if err != nil {
+		return errors.New("failed to find nft command ")
+	}
+	var args []string
+	name := nftablePath
+	if nft.UseSudo {
+		name = "sudo"
+		args = append(args, nftablePath)
+	}
+	args = append(args, "--json", "list", "table", tableName)
+	c := exec.Command(name, args...)
+	out, err := c.Output()
+	if err != nil {
+		return fmt.Errorf("error executing %s, error: %w", c, err)
+	}
+	return parseNftableOutput(out, acc)
+}
+
+func parseNftableOutput(out []byte, acc telegraf.Accumulator) error {
+	var nftable Nftable
+	err := json.Unmarshal(out, &nftable)
+	if err != nil {
+		return fmt.Errorf("error parsing: %s, Error: %w", out, err)
+	}
+	for _, rule := range nftable.Rules {
+		// Rule must have a Counter and a Comment
+		if rule.Counter != nil && len(rule.Comment) > 0 {
+			fields := map[string]interface{}{"bytes": rule.Counter.Bytes, "pkts": rule.Counter.Packets}
+			tags := map[string]string{"table": rule.Table, "chain": rule.Chain, "ruleid": rule.Comment}
+			acc.AddFields(measurement, fields, tags)
+		}
+	}
+	return nil
+}
+
+func init() {
+	inputs.Add("nftables", func() telegraf.Input {
+		return &Nftables{}
+	})
+}
diff --git a/plugins/inputs/nftables/nftables_notlinux.go b/plugins/inputs/nftables/nftables_notlinux.go
@@ -0,0 +1,33 @@
+//go:generate ../../../tools/readme_config_includer/generator
+//go:build !linux
+
+package nftables
+
+import (
+	_ "embed"
+
+	"github.com/influxdata/telegraf"
+	"github.com/influxdata/telegraf/plugins/inputs"
+)
+
+//go:embed sample.conf
+var sampleConfig string
+
+type Nftables struct {
+	Log telegraf.Logger `toml:"-"`
+}
+
+func (*Nftables) SampleConfig() string { return sampleConfig }
+
+func (i *Nftables) Init() error {
+	i.Log.Warn("Current platform is not supported")
+	return nil
+}
+
+func (*Nftables) Gather(_ telegraf.Accumulator) error { return nil }
+
+func init() {
+	inputs.Add("nftables", func() telegraf.Input {
+		return &Nftables{}
+	})
+}