nftables read counters as non-root user

It looks as though Linux capability CAP_NET_ADMIN enables reading the counter.

E.g., start a shell for a non-root user, with CAP_NET_ADMIN:

capsh --caps="cap_net_admin+eip cap_setpcap,cap_setuid,cap_setgid+ep" --keep=1 --user=myuser --addamb=cap_net_admin -- -c "sh"

From that shell, /usr/sbin/nft list counter my_table my_counter runs successfully.

But it also allows doing other things, such as changing firewall rules, adding new counters or deleting existing counters.
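
To confirm what a shell started this way actually holds, the following added example (not part of the original answer) decodes the Cap* masks from /proc/<pid>/status and reports which sets contain CAP_NET_ADMIN and whether the effective set carries anything else. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: check which capability sets of a process hold CAP_NET_ADMIN.
CAP_NET_ADMIN_BIT=12   # capability number of CAP_NET_ADMIN in linux/capability.h

# Constructed sample of the Cap* lines in /proc/<pid>/status (not captured output).
SAMPLE_STATUS='Name:	sh
CapInh:	0000000000001000
CapPrm:	0000000000001000
CapEff:	0000000000001000
CapBnd:	000001ffffffffff
CapAmb:	0000000000001000'

# mask_has_bit HEXMASK BIT: succeeds if capability number BIT is set in HEXMASK.
mask_has_bit() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# sets_with_net_admin: reads status text on stdin and prints the sets
# (Inh Prm Eff Bnd Amb) that contain CAP_NET_ADMIN. Amb matters here: for a
# non-root user it is the ambient set that survives the exec of nft.
sets_with_net_admin() {
    out=""
    while read -r key value; do
        case "$key" in
            CapInh:|CapPrm:|CapEff:|CapBnd:|CapAmb:)
                if mask_has_bit "$value" "$CAP_NET_ADMIN_BIT"; then
                    name=${key#Cap}
                    out="${out:+$out }${name%:}"
                fi ;;
        esac
    done
    printf '%s\n' "$out"
}

# other_bits HEXMASK: prints the capability numbers set in HEXMASK besides
# CAP_NET_ADMIN, i.e. privileges beyond what reading the counter needed.
other_bits() {
    bit=0; out=""
    while [ "$bit" -le 63 ]; do
        if [ "$bit" -ne "$CAP_NET_ADMIN_BIT" ] && mask_has_bit "$1" "$bit"; then
            out="${out:+$out }$bit"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# Inside the capsh shell, use: sets_with_net_admin < /proc/$$/status
printf '%s\n' "$SAMPLE_STATUS" | sets_with_net_admin
```

An empty result from other_bits on the CapEff mask means the shell holds only CAP_NET_ADMIN, which still covers the rule and counter changes described above.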