darius <dram@xxxxxxxxxxx> wrote:
> Hi all,
>
> I just recently updated nftables to v0.8.5. Everything was ok with my
> ruleset in v0.8.2, but after update looks like timeout value is not
> accepted in meters anymore:
>
> ./ruleset.nft:317:35-54: Error: Could not process rule: Not supported
> ct state new meter DDoS { ip saddr timeout 10s limit rate over
> 50/second burst 50 packets } set add ip saddr @ddoser set add ip daddr
> @ddosed log group 1 counter drop

Can you send me an example ruleset that triggers this problem for you?

This works for me on 4.16 kernel and nft 0.8.5 (git master is fine too):

table ip filter {
	set ddoser {
		type ipv4_addr
		timeout 10s
	}

	set ddosed {
		type ipv4_addr
		timeout 10s
	}

	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 17 bytes 1752
		ct state new meter DDoS size 65536 { ip saddr timeout 10s limit rate over 50/second burst 50 packets} add @ddoser { ip saddr } add @ddosed { ip daddr } log group 1 counter packets 0 bytes 0 drop
	}
}