Re: Various questions

Christian Schneider <christian@xxxxxxxx> wrote:
> Hi everyone,
> I have a few questions regarding nft rules/syntax. Hope you can help me out:
> 1) meter: the wiki doesn't really mention what a meter is/how it works.
> By trying out the given examples, I figured out that it applies the
> rules per matching selector, i.e. { ip saddr limit rate 10/second }
> would apply the rate limit per saddr, not for all incoming packets.
> Is there anything more to know about it?

You probably also want to set a timeout, i.e.

meter test { ip saddr timeout 30s ip saddr limit ...

It's basically just a much more generic version of iptables' hashlimit.

You can also inspect contents of meters and flush contents.
(nft list meters, nft flush meter inet filter test).

> 2) limit: can the rate only be specified by integers or is something
> like 0.3/hour or 1/3 hours possible?

0.3 per hour isn't supported at the moment (1/hour is).

> 3) limit burst: how does burst work? I found something for iptables,
> that it is a token bucket, where tokens are removed per incoming packet
> and added per rate, i.e. limit rate 1/hour burst 20 would be a bucket
> with 20 tokens that restores 1/hour (to maximum of 20). Does it work the
> same for nft?

nft limit is also a TBF, so, yes.

> 4) nft add rule inet filter input tcp dport ssh ct state new meter
> ssh-meter { ip saddr timeout 1d limit rate over 1/hour burst 20 packets
> } drop:
> I wanted to add a counter to the meter, so that new connections are
> counted by saddr.
> I tried it like
> nft add rule inet filter test tcp dport ssh ct state new meter ssh-meter { ip saddr timeout 1d limit rate over 1/hour burst 20 packets counter } drop
> but this gives me:
> Error: syntax error, unexpected counter, expecting '}'
> Similar when I try:
> nft add rule inet filter test tcp dport ssh ct state new meter ssh-meter
> { ip saddr timeout 1d counter limit rate over 1/hour burst 20 packets } drop
> 
> So what would be correct syntax to count and ratelimit in one meter? or
> do I need separate meters here?

You currently need separate meters, it currently only supports
a single expression.

> for 1 and 3: having these explanations in the wiki would be helpful. I
> would also add them myself, is it possible to get an account?

Sure, hold on, you'll have mail.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
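The thread settles three points about meters: the limit inside a meter is a per-key token bucket (TBF), `burst 20 packets` with `rate 1/hour` means a bucket of 20 tokens that refills one token per hour, and `timeout 1d` evicts an idle entry. The model below, added here as an illustration and not code from the thread or from nftables itself, replays those semantics in user space for the page's rule `meter ssh-meter { ip saddr timeout 1d limit rate over 1/hour burst 20 packets } drop`. The `Meter` class, the `simulate` helper and the packet timeline are constructed for the example; refill granularity and exact kernel arithmetic are simplified, so it shows the behaviour, not the kernel implementation.

```python
"""Per-source token-bucket meter model (constructed example, not nft code).

Each key (here the source address) owns its own bucket, which is what the
reply means by "applies the rate limit per saddr".  Times are seconds.
"""
from dataclasses import dataclass, field

HOUR = 3600.0
DAY = 86400.0


@dataclass
class Bucket:
    tokens: float        # tokens left; starts at the burst size
    last_refill: float   # time of the last refill computation
    last_seen: float     # time of the last packet, for the timeout
    packets: int = 0     # what a separate `counter` meter would report


@dataclass
class Meter:
    rate_per_sec: float  # tokens restored per second (1/hour -> 1/3600)
    burst: int           # bucket capacity (burst 20 packets)
    timeout: float       # idle seconds after which the entry is dropped
    buckets: dict = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        # Entries not seen for `timeout` seconds disappear, like `timeout 1d`.
        stale = [k for k, b in self.buckets.items()
                 if now - b.last_seen >= self.timeout]
        for k in stale:
            del self.buckets[k]

    def over(self, key: str, now: float) -> bool:
        """True when `key` is over its rate, i.e. when `limit rate over` matches."""
        self._expire(now)
        b = self.buckets.get(key)
        if b is None:
            # First packet from this key: fresh bucket, full burst available.
            b = Bucket(tokens=float(self.burst), last_refill=now, last_seen=now)
            self.buckets[key] = b
        # Restore tokens for the elapsed time, capped at the burst size.
        b.tokens = min(float(self.burst),
                       b.tokens + (now - b.last_refill) * self.rate_per_sec)
        b.last_refill = now
        b.last_seen = now
        b.packets += 1
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return False   # within the limit: the `drop` rule does not fire
        return True        # bucket empty: `limit rate over` matches -> drop


def ssh_meter() -> Meter:
    """The page's `ip saddr timeout 1d limit rate over 1/hour burst 20 packets`."""
    return Meter(rate_per_sec=1.0 / HOUR, burst=20, timeout=DAY)


def simulate(events):
    """Replay (time, saddr) new-connection events; return the drop verdicts."""
    m = ssh_meter()
    return [m.over(saddr, t) for t, saddr in events]


# Constructed timeline: 21 quick attempts from A, one from B, then A again
# after an hour, and A once more after a day of silence.
TIMELINE = (
    [(float(i), "192.0.2.10") for i in range(21)]   # A: 21 SYNs in 21 seconds
    + [(21.0, "192.0.2.20")]                         # B: unaffected by A's bucket
    + [(HOUR + 25.0, "192.0.2.10")]                  # A: one token restored
    + [(HOUR + 26.0, "192.0.2.10")]                  # A: bucket empty again
    + [(HOUR + 26.0 + DAY, "192.0.2.10")]            # A: entry expired, fresh bucket
)

if __name__ == "__main__":
    for (t, saddr), dropped in zip(TIMELINE, simulate(TIMELINE)):
        print(f"t={t:9.0f}s {saddr:12} {'DROP' if dropped else 'accept'}")
```

Reading the output: the first 20 attempts from A are accepted, the 21st is dropped, B's first attempt passes because it has its own bucket, an hour later A gets exactly one more accepted attempt, and after a day of silence A's entry is gone so it starts with a full bucket again. That last line is the practical cost of `timeout`: it bounds memory, but also resets the limit for a source that waits it out.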