Renzo cHv <renzochv@xxxxxxxxxx> wrote:
> Hi, I'm using "meters" of nftables to apply rate-limit by source IP address
> with state "new" (ct state new - udp). This would block DoS attacks, but when
> it is a spoofed flood (IP addresses of random origin), "nft list meter
> filter cnt-meter" displays thousands of IP addresses. How many IP addresses
> does "meters" support? Am I doing the right thing?

Yes, you're doing the right thing.

Meters can accommodate almost arbitrary size (if enough RAM is present).

nft 0.8.5 adds a new size keyword to enforce a limit.
(I made a mistake, which is why this missed the 0.8.4 release.)

I think it's a good reason to make another release soon.
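As an added illustration (not part of this thread), a ruleset of the kind the question describes, with the meter bounded by the size keyword the reply mentions. Table and meter names, the rate, the timeout and the size are assumed values chosen for the example:

```nft
# Added example ruleset, not from the thread. Names, rate, timeout and
# size are assumed values; tune them to the traffic you actually expect.
table ip filter {
    chain input {
        type filter hook input priority 0; policy accept;

        # Count new UDP flows per source address. Each entry expires after
        # 30s of inactivity, so an idle or one-off source does not linger.
        # "size 65535" caps the number of tracked sources (nft >= 0.8.5),
        # so a spoofed flood from random addresses can no longer grow the
        # meter, and the memory it consumes, without bound.
        ip protocol udp ct state new meter cnt-meter size 65535 { ip saddr timeout 30s limit rate over 20/second } drop
    }
}
```

Load it with `nft -f <file>` and inspect the tracked sources with `nft list meter filter cnt-meter`; the entry count should now stay at or below the configured size during a flood.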