Meters need an explicit timeout that we cannot skip, otherwise entries remain in the set forever. This fixes the following translation: $ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 1000 -j DROP that was skipping the timeout option: nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr limit rate over 200 kbytes/second burst 1 mbytes} counter drop Reported-by: Duncan Roe <duncan_roe@xxxxxxxxxxxxxxx> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- extensions/libxt_hashlimit.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c index 3fa5719127db..f85f2d3a179a 100644 --- a/extensions/libxt_hashlimit.c +++ b/extensions/libxt_hashlimit.c @@ -1341,8 +1341,7 @@ static int hashlimit_mt_xlate(struct xt_xlate *xl, const char *name, xt_xlate_add(xl, "flow table %s {", name); ret = hashlimit_mode_xlate(xl, cfg->mode, family, cfg->srcmask, cfg->dstmask); - if (cfg->expire != 1000) - xt_xlate_add(xl, " timeout %us", cfg->expire / 1000); + xt_xlate_add(xl, " timeout %us", cfg->expire / 1000); xt_xlate_add(xl, " limit rate"); if (cfg->mode & XT_HASHLIMIT_INVERT) -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
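Review bot: the unconditional `xt_xlate_add(xl, " timeout %us", cfg->expire / 1000);` uses integer division, so an expire value below 1000 ms (the option is in milliseconds, as the `1000` to `1s` translation in the commit message shows) would be emitted as `timeout 0s`, which is the opposite of the "explicit timeout we cannot skip" intent; consider rounding up (e.g. `(cfg->expire + 999) / 1000`) or at least documenting the truncation. It would also help to show the corrected nft output in the commit message next to the broken one, so a reader can see the expected `timeout 1s` placement inside the flow table.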