limit + log + tcp not working ?

Hi Guys

I'm diving into nftables and I'm playing with rules to understand how it works.

Does limit have any rule, such as that it can be used only after log?

Look below: 3 parts (rules) that I just reorganized.

table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 7077 bytes 690164 tcp sport http counter packets 54 bytes 15716 log prefix "acesso a porta 80" flags all counter packets 54 bytes 15716 limit rate 10 bytes/minute counter packets 0 bytes 0
		counter packets 7077 bytes 690164 tcp sport http counter packets 54 bytes 15716 limit rate 10 bytes/minute counter packets 0 bytes 0 log prefix "acesso a porta 80" flags all counter packets 0 bytes 0
		counter packets 7077 bytes 690164 limit rate 10 bytes/minute counter packets 0 bytes 0 tcp sport http counter packets 0 bytes 0 log prefix "acesso a porta 80" flags all counter packets 0 bytes 0
	}
}



If I insert limit in first place (last rule), all counters remain 0. Is
that OK, or shouldn't I insert limit in first place?

As I understand it, reading the first rule (just below):

counter packets 7077 bytes 690164 tcp sport http counter packets 54 bytes 15716 log prefix "acesso a porta 80" flags all counter packets 54 bytes 15716 limit rate 10 bytes/minute counter packets 0 bytes 0

- count all packets (ipv4 and ipv6) which enter filter input - (counter
packets 7077 bytes 690164)

- see if they are part of tcp sport 80 - (tcp sport http)

- count the packets that pass the part of the rule above - (counter
packets 54 bytes 15716)

- log the packets and count them - log prefix "acesso a porta 80" flags all
counter packets 54 bytes 15716 (as I can see, packets/bytes are the
same as the tcp sport 80 counter)

- limit rate them to 10 bytes/minute and count them - limit rate 10 bytes/minute
counter packets 0 bytes 0
????? Shouldn't this be equal to or less than the counter above? Or at least 10 bytes???


And rules 1 and 2 are the same in terms of counters, but rule 3 is totally different...


Am I doing anything wrong?


Thanks for your time.
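The following is an added example, not part of the original post and not netfilter project code. It is a small Python model of two things the post's counters depend on: an nftables rule is evaluated left to right and stops at the first expression that does not match (so a counter or log placed after a non-matching expression stays at 0), and a byte-based `limit rate` is a token bucket. The bucket semantics are an assumption, modelled on the kernel's nft_limit as I understand it: tokens are counted in nanoseconds, the bucket never holds more than one time unit's worth (60 s for "/minute"), and a packet costs `nsecs * len / rate` tokens, so a packet larger than the per-unit byte budget can never match. All traffic below is constructed (54 packets from tcp sport 80 of 291 bytes each plus 100 UDP packets), and the three rule orderings are the ones from the post.

```python
# Added example (not from the original post or the netfilter project): model of
# left-to-right nftables rule evaluation and of the byte-based limit token
# bucket.  Bucket semantics are an assumption modelled on the kernel's
# nft_limit: ns-denominated tokens, capacity of one time unit, cost per packet
# = nsecs * len / rate.  All sample traffic is constructed.
from dataclasses import dataclass

NSEC_PER_SEC = 1_000_000_000


@dataclass
class Packet:
    t_ns: int     # arrival time, monotonic nanoseconds
    length: int   # bytes on the wire
    proto: str    # "tcp" or "udp"
    sport: int    # source port


class Counter:
    """`counter packets N bytes M`: always matches, counts what reaches it."""
    def __init__(self):
        self.packets = 0
        self.bytes = 0

    def eval(self, pkt):
        self.packets += 1
        self.bytes += pkt.length
        return True


class TcpSport:
    """`tcp sport <port>`: matches only TCP packets from that source port."""
    def __init__(self, port):
        self.port = port

    def eval(self, pkt):
        return pkt.proto == "tcp" and pkt.sport == self.port


class Log:
    """`log prefix "..."`: records a line and always matches."""
    def __init__(self, prefix):
        self.prefix = prefix
        self.lines = []

    def eval(self, pkt):
        self.lines.append(f"{self.prefix} len={pkt.length}")
        return True


class LimitBytes:
    """`limit rate <rate> bytes/<unit>` (assumed token-bucket semantics)."""
    def __init__(self, rate_bytes, unit_secs, burst_bytes=0):
        self.rate = rate_bytes + burst_bytes      # bytes allowed per unit
        self.nsecs = unit_secs * NSEC_PER_SEC     # bucket capacity in ns
        self.tokens = self.tokens_max = self.nsecs
        self.last = None

    def eval(self, pkt):
        if self.last is None:
            self.last = pkt.t_ns
        # refill by elapsed time, never above one time unit
        tokens = min(self.tokens + pkt.t_ns - self.last, self.tokens_max)
        self.last = pkt.t_ns
        cost = self.nsecs * pkt.length // self.rate   # ns this packet spends
        if tokens >= cost:
            self.tokens = tokens - cost
            return True                               # within the rate
        self.tokens = tokens
        return False                                  # over the rate: no match


def run_rule(exprs, packets):
    """Evaluate one rule: stop at the first expression that does not match."""
    for pkt in packets:
        for expr in exprs:
            if not expr.eval(pkt):
                break
    return [(c.packets, c.bytes) for c in exprs if isinstance(c, Counter)]


def sample_traffic():
    """Constructed input: 54 packets from tcp sport 80 (291 bytes each), one
    every 10 s, plus 100 UDP packets (100 bytes each) interleaved."""
    pkts = []
    for i in range(54):
        t = i * 10 * NSEC_PER_SEC
        pkts.append(Packet(t, 291, "tcp", 80))
        if i < 50:
            pkts.append(Packet(t + 1, 100, "udp", 53))
            pkts.append(Packet(t + 2, 100, "udp", 53))
    return pkts


def rule_orders(rate=10):
    """The three orderings from the post, each built fresh with its own state."""
    sport, log, lim = TcpSport(80), Log("acesso a porta 80"), LimitBytes(rate, 60)
    return {
        "counter sport counter log counter limit counter":
            [Counter(), TcpSport(80), Counter(), Log("acesso a porta 80"),
             Counter(), LimitBytes(rate, 60), Counter()],
        "counter sport counter limit counter log counter":
            [Counter(), sport, Counter(), lim, Counter(), log, Counter()],
        "counter limit counter sport counter log counter":
            [Counter(), LimitBytes(rate, 60), Counter(), TcpSport(80),
             Counter(), Log("acesso a porta 80"), Counter()],
    }


def evaluate_all(rate=10):
    """Run every ordering over the constructed traffic; returns counter values."""
    return {name: run_rule(exprs, sample_traffic())
            for name, exprs in rule_orders(rate).items()}
```

Under these assumptions the model reproduces the pattern in the post: with `limit rate 10 bytes/minute` the last counter is 0 in every ordering, because a 291-byte packet costs 29 minutes' worth of tokens against a bucket that holds one minute, so the limit never matches and the rule stops there; placing the limit before `log` zeroes the log counter as well, and placing it first zeroes everything after the first counter. Running `evaluate_all(1000)` instead (1 kbyte/minute) lets 33 of the 54 HTTP packets through the limit, which is the behaviour one would expect from a rate limit that is larger than a single packet.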


