Re: bug report and future request

Martin Zaharinov <micron10@xxxxxxxxx> wrote:
> if have 1k rule
> 
> table inet nft-qos-static {
>         chain upload {
>                 type filter hook postrouting priority filter; policy accept;
>                 ip saddr 10.0.0.9 limit rate over 12 mbytes/second burst 50000 kbytes drop
> .........
> ip saddr 10.0.0.254 limit rate over 12 mbytes/second burst 50000 kbytes drop
>         }

1k rules? That's insane.  Don't do that.
There is no need for that many rules; it's also super slow.

Use a static/immutable ruleset with a named set and then add/remove elements from the set.

table inet nft-qos-static {
	set limit_ul {
		typeof ip saddr
		flags dynamic
		elements = { 10.0.0.9 limit rate over 12 mbytes/second burst 50000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 50000 kbytes }
	}

	chain upload {
		type filter hook postrouting priority filter; policy accept;
		ip saddr @limit_ul drop
	}
}

static ruleset: no need to add/delete a rule:

nft add element inet nft-qos-static limit_ul "{ 10.1.2.4 limit rate over 1 mbytes/second burst 1234 kbytes  }"
nft delete element inet nft-qos-static limit_ul "{ 10.1.2.4 limit rate over 1 mbytes/second burst 1234 kbytes }"

You can add/delete multiple elements in { }, separated by ",".
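The set-based approach from the reply above, as an added shell example that is not part of the original thread: it generates the static ruleset and the batched "nft add element" / "nft delete element" commands from a plain per-host list, so the 1k-rule ruleset collapses into one rule plus set elements. The table name, set name, and rate syntax come from the reply; the host list is constructed sample data, and the helper names and the address check are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: build the set-based ruleset
# the reply recommends from a list of "<ipv4> <rate_mbytes> <burst_kbytes>"
# lines, and emit batched "nft add/delete element" commands for runtime changes.
# Assumed: table "inet nft-qos-static" and set "limit_ul" as in the reply.

# Constructed sample input, one host per line.
SAMPLE_HOSTS='10.0.0.9 12 50000
10.0.0.254 12 50000
10.1.2.4 1 1234'

# Render one host line as a set element carrying its own per-element limit.
# $1 = ip, $2 = rate in mbytes/second, $3 = burst in kbytes
element_for() {
    printf '%s limit rate over %s mbytes/second burst %s kbytes' "$1" "$2" "$3"
}

# Join all host lines on stdin into one comma-separated "{ ... }" list,
# which is the form nft accepts for adding or deleting several elements at once.
# Lines whose first field is not made of digits and dots are skipped (crude
# sanity check, an assumption of this example).
element_list() {
    list=""
    while read -r ip rate burst; do
        [ -n "$ip" ] || continue
        case "$ip" in
            *[!0-9.]*) echo "skipping invalid address: $ip" >&2; continue ;;
        esac
        elem=$(element_for "$ip" "$rate" "$burst")
        if [ -z "$list" ]; then list="$elem"; else list="$list, $elem"; fi
    done
    printf '{ %s }' "$list"
}

# Print the static ruleset; load it once with "nft -f <file>".
# Only the set contents change afterwards, never the chain or its rule.
render_ruleset() {
    elems=$(printf '%s\n' "$SAMPLE_HOSTS" | element_list)
    cat <<EOF
table inet nft-qos-static {
    set limit_ul {
        typeof ip saddr
        flags dynamic
        elements = $elems
    }

    chain upload {
        type filter hook postrouting priority filter; policy accept;
        ip saddr @limit_ul drop
    }
}
EOF
}

# Print the runtime command that adds or removes hosts without touching rules.
# $1 = "add" or "delete"; host lines on stdin.
element_cmd() {
    printf 'nft %s element inet nft-qos-static limit_ul "%s"\n' "$1" "$(element_list)"
}

# Stand-alone run: show the ruleset, then the command that would add all hosts.
render_ruleset
printf '%s\n' "$SAMPLE_HOSTS" | element_cmd add
```

The script only prints; pipe the first part into "nft -f -" and run the printed add/delete command as root when you actually want to change the kernel state.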
