Documentation

Telegraf

  • Telegraf v1.37.0+

Nftables Plugin

This plugin gathers packets and bytes counters for rules within Linux’s nftables firewall, as well as set element counts.

Introduced in: Telegraf v1.37.0 Tags: network, system OS support: linux

Global configuration options

Plugins support additional global and plugin configuration settings for tasks such as modifying metrics, tags, and fields, creating aliases, and configuring plugin ordering. See CONFIGURATION.md for more details.

Configuration

[[inputs.nftables]]
  ## Use the specified binary which will be looked-up in PATH
  # binary = "nft"

  ## Use sudo for command execution, can be restricted to
  ## "nft --json list table"
  # use_sudo = false

  ## Tables to monitor (may use "family table" format, e.g., "inet filter")
  # tables = [ "filter" ]

  ## Kinds of objects to monitor: "counters" (named counters), "sets",
  ## (named sets), "anonymous-counters" (on commented rules).
  # include = ["anonymous-counters"]

Since telegraf will fork a process to run nftables, AmbientCapabilities is required to transmit the capabilities bounding set to the forked process.

Using sudo

You may edit your sudo configuration with the following:

telegraf ALL=(root) NOPASSWD: /usr/bin/nft --json list table *

Metrics

Counters (when counters included):

  • nftables
    • tags:
      • table
      • counter
    • fields:
      • pkts (integer, count)
      • bytes (integer, bytes)

Sets (when sets included):

  • nftables
    • tags:
      • table
      • set
    • field:
      • count (integer, count)

Anonymous counters on commented rules (when anonymous-counters included):

  • nftables
    • tags:
      • table
      • chain
      • rule – comment associated to the rule
    • fields:
      • pkts (integer, count)
      • bytes (integer, bytes)

Example Output

> nftables,host=my_hostname,counter=my_counter,table=filter bytes=48968i,pkts=48i 1757367516000000000
> nftables,host=my_hostname,set=my_set,table=filter count=10i 1757367516000000000
> nftables,chain=incoming,host=my_hostname,rule=comment_val_1,table=filter bytes=66435845i,pkts=133882i 1757367516000000000
> nftables,chain=outgoing,host=my_hostname,rule=comment_val_2,table=filter bytes=25596512i,pkts=145129i 1757367516000000000

Was this page helpful?

Thank you for your feedback!

© 2026 InfluxData, Inc.

Where are you running InfluxDB?

Select your InfluxDB Cloud region and cluster or your InfluxDB OSS URL and we’ll customize code examples for you. Identify your InfluxDB Cloud cluster.

  • InfluxDB Cloud
  • InfluxDB OSS or Enterprise
AWS

  • US West (Oregon)

GCP
Azure
Default
Custom

For more information, see InfluxDB Cloud regions or InfluxDB OSS URLs.

Thank you for your feedback!

Let us know what we can do better:

Thank you!

No thanks

InfluxDB 3.9: Performance upgrade preview

InfluxDB 3 Enterprise 3.9 includes a beta of major performance upgrades with faster single-series queries, wide-and-sparse table support, and more.

InfluxDB 3 Enterprise 3.9 includes a beta of major performance and feature updates.

Key improvements:

  • Faster single-series queries
  • Consistent resource usage
  • Wide-and-sparse table support
  • Automatic distinct value caches for reduced latency with metadata queries

Preview features are subject to breaking changes.

For more information, see:

Telegraf Enterprise now in public beta

Get early access to the Telegraf Controller and provide feedback to help shape the future of Telegraf Enterprise.

See the Blog Post

The upcoming Telegraf Enterprise offering is for organizations running Telegraf at scale and is comprised of two key components:

  • Telegraf Controller: A control plane (UI + API) that centralizes Telegraf configuration management and agent health visibility.
  • Telegraf Enterprise Support: Official support for Telegraf Controller and Telegraf plugins.

Join the Telegraf Enterprise beta to get early access to the Telegraf Controller and provide feedback to help shape the future of Telegraf Enterprise.

For more information:

InfluxDB Docker latest tag changing to InfluxDB 3 Core

On May 27, 2026, the latest tag for InfluxDB Docker images will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments.

If using Docker to install and run InfluxDB, the latest tag will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments. For example, if using Docker to run InfluxDB v2, replace the latest version tag with a specific version tag in your Docker pull command–for example:

docker pull influxdb:2