Hi everyone,

I have a few questions regarding nft rules/syntax. Hope you can help me out:

1) meter: the wiki doesn't really mention what a meter is/how it works. By trying out the given examples, I figured out that it applies the rules per matching selector, i.e. { ip saddr limit rate 10/second } would apply the rate limit per saddr, not for all incoming packets. Is there anything more to know about it?

2) limit: can the rate only be specified by integers, or is something like 0.3/hour or 1/3 hours possible?

3) limit burst: how does burst work? I found something for iptables, that it is a token bucket, where tokens are removed per incoming packet and added per rate, i.e. limit rate 1/hour burst 20 would be a bucket with 20 tokens that restores 1/hour (to a maximum of 20). Does it work the same for nft?

4) nft add rule inet filter input tcp dport ssh ct state new meter ssh-meter { ip saddr timeout 1d limit rate over 1/hour burst 20 packets } drop

I wanted to add a counter to the meter, so that new connections are counted by saddr. I tried it like

nft add rule inet filter test tcp dport ssh ct state new meter ssh-meter { ip saddr timeout 1d limit rate over 1/hour burst 20 packets counter } drop

but this gives me:

Error: syntax error, unexpected counter, expecting '}'

Similar when I try:

nft add rule inet filter test tcp dport ssh ct state new meter ssh-meter { ip saddr timeout 1d counter limit rate over 1/hour burst 20 packets } drop

So what would be the correct syntax to count and rate-limit in one meter? Or do I need separate meters here?

For 1 and 3: having these explanations in the wiki would be helpful. I would also add them myself; is it possible to get an account?

Thx for the patience to read the lengthy questions and any helpful answers!

BR,
Christian
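As an added illustration, not from the original post or from the nftables project: a small Python model of the token-bucket behaviour the poster describes for iptables (questions 1 and 3), keyed per source address the way the post says a meter applies its limit, with the post's parameters (limit rate over 1/hour burst 20 packets) and constructed sample addresses. It assumes the iptables-style bucket the poster quotes; it is a model of that description, not a statement of how the nft kernel code implements limit.

```python
from collections import defaultdict

# Post's parameters: `limit rate over 1/hour burst 20 packets`
RATE_PER_SEC = 1 / 3600.0   # one token (packet) refilled per hour
BURST = 20                  # bucket holds at most 20 tokens


class TokenBucket:
    """Bucket that starts full, spends one token per packet, refills at `rate` (assumed model)."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, float(burst)
        self.tokens, self.last = float(burst), 0.0

    def over(self, now):
        """True when this packet exceeds the limit, i.e. the `limit rate over` case."""
        # Refill proportionally to elapsed time, capped at the bucket size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return False
        return True


class Meter:
    """One bucket per key, modelling `meter { ip saddr ... limit rate ... }`.
    Also keeps a per-key packet count, the accounting the post wanted beside the limit."""
    def __init__(self, rate, burst):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.stats = defaultdict(lambda: {"seen": 0, "over": 0})

    def evaluate(self, saddr, now):
        st = self.stats[saddr]
        st["seen"] += 1
        is_over = self.buckets[saddr].over(now)
        if is_over:
            st["over"] += 1
        return is_over


# Constructed sample traffic: (time in seconds, source address).
SAMPLE_EVENTS = (
    [(t, "192.0.2.10") for t in range(25)]            # 25 new connections in 25 s
    + [(t, "192.0.2.20") for t in (5, 6, 7)]          # a quiet second source
    + [(3624, "192.0.2.10"), (3625, "192.0.2.10")]    # first source again, an hour later
)


def run(events=SAMPLE_EVENTS, rate=RATE_PER_SEC, burst=BURST):
    """Feed events through the meter in time order; return {saddr: {"seen", "over"}}."""
    meter = Meter(rate, burst)
    for now, saddr in sorted(events):
        meter.evaluate(saddr, now)
    return dict(meter.stats)


if __name__ == "__main__":
    for saddr, st in run().items():
        print(f"{saddr}: {st['seen']} seen, {st['over']} over the limit (would be dropped)")
```

With these inputs the first source burns its 20 tokens, has the next 5 packets marked over, and an hour later has exactly one token back; the second source never exceeds the limit.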