Ok, I have tried. Here is the whole test script:

#!/usr/sbin/nft -f

table ip ipv4_filter{
    # Sets
    set ddoser{
        type ipv4_addr;
        timeout 24h;
    }

    set ddosed{
        type ipv4_addr;
        timeout 24h;
    }

    # IN chain
    chain fl_input{
        type filter hook input priority 0; policy accept;
        ct state new meter DDoS { ip saddr timeout 10s limit rate over 50/second burst 50 packets} add @ddoser { ip saddr } add @ddosed { ip daddr } counter accept
    }
}

The error I got is the same (below). I haven't had this behaviour with 0.8.2 on the same machine. I'm running on kernel v4.14.43.

root@myrouter:/etc/config# nft -f ./test.nft
./test.nft:18:35-54: Error: Could not process rule: Not supported
        ct state new meter DDoS { ip saddr timeout 10s limit rate over 50/second burst 50 packets} add @ddoser { ip saddr } add @ddosed { ip daddr } counter accept
                                  ^^^^^^^^^^^^^^^^^^^^
./test.nft:18:9-165: Error: Could not process rule: No such file or directory
        ct state new meter DDoS { ip saddr timeout 10s limit rate over 50/second burst 50 packets} add @ddoser { ip saddr } add @ddosed { ip daddr } counter accept
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

/Darius

On 25-05-2018 22:51, Florian Westphal wrote:
> darius <dram@xxxxxxxxxxx> wrote:
>> Hi all,
>>
>> I just recently updated nftables to v0.8.5. Everything was ok with my
>> ruleset in v0.8.2, but after update looks like timeout value is not
>> accepted in meters anymore:
>>
>> ./ruleset.nft:317:35-54: Error: Could not process rule: Not supported
>> ct state new meter DDoS { ip saddr timeout 10s limit rate over
>> 50/second burst 50 packets } set add ip saddr @ddoser set add ip daddr
>> @ddosed log group 1 counter drop
> Can you send me an example ruleset that triggers this problem for you?
>
> This works for me on 4.16 kernel and nft 0.8.5 (git master is fine too):
>
> table ip filter {
>         set ddoser {
>                 type ipv4_addr
>                 timeout 10s
>         }
>
>         set ddosed {
>                 type ipv4_addr
>                 timeout 10s
>         }
>
>         chain input {
>                 type filter hook input priority 0; policy accept;
>                 counter packets 17 bytes 1752
>                 ct state new meter DDoS size 65536 { ip saddr timeout 10s limit rate over 50/second burst 50 packets} add @ddoser { ip saddr } add @ddosed { ip daddr } log group 1 counter packets 0 bytes 0 drop
>         }
> }
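To make the semantics of the rule under discussion concrete, here is an added Python model of what the meter rule does once it loads; it is not code from this thread or from the nftables project, and it is a simplified token bucket rather than the kernel's exact nft_limit arithmetic. It assumes a meter element lives its `timeout` from creation (after which the key gets a fresh, full bucket) and that a repeated `add` to a set does not refresh the element's expiry; the packet trace and the RFC 5737 addresses in it are constructed.

```python
"""Model of the per-source meter rule from the thread:

    ct state new meter DDoS { ip saddr timeout 10s limit rate over 50/second burst 50 packets }
        add @ddoser { ip saddr } add @ddosed { ip daddr } counter accept

Constructed illustration, not code from the thread and not nft's real
token-bucket arithmetic (nft_limit.c).
"""
from collections import namedtuple

Packet = namedtuple("Packet", "time saddr daddr")  # time in seconds


class TimedSet:
    """Dynamic set ('set ddoser { type ipv4_addr; timeout 24h; }').
    Assumption: an element expires `timeout` seconds after it was first
    added; a repeated 'add' does not refresh it."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.expiry = {}

    def add(self, key, now):
        self.expiry.setdefault(key, now + self.timeout)

    def members(self, now):
        return {k for k, exp in self.expiry.items() if exp > now}


class Meter:
    """Per-key token bucket for 'meter { KEY timeout T limit rate over R/second burst B packets }'.
    Assumption: the meter element lives T seconds from creation; after that
    a fresh, full bucket is created for the key."""

    def __init__(self, rate, burst, timeout):
        self.rate, self.burst, self.timeout = rate, burst, timeout
        self.buckets = {}  # key -> {"tokens", "last", "created"}

    def over(self, key, now):
        """True when this packet exceeds the configured rate ('rate over')."""
        b = self.buckets.get(key)
        if b is None or now >= b["created"] + self.timeout:
            b = self.buckets[key] = {"tokens": float(self.burst), "last": now, "created": now}
        # refill at `rate` tokens/second since the previous packet, capped at burst
        b["tokens"] = min(float(self.burst), b["tokens"] + (now - b["last"]) * self.rate)
        b["last"] = now
        if b["tokens"] >= 1.0:
            b["tokens"] -= 1.0
            return False   # within the allowed rate: the rule does not match
        return True        # bucket empty: 'rate over' matches


def apply_rule(packets, rate=50, burst=50, meter_timeout=10, set_timeout=24 * 3600):
    """Run the rule over a trace of 'ct state new' packets.

    Returns (ddoser, ddosed, counter): the two sets and the rule's counter,
    i.e. how many packets matched the meter and were added to the sets."""
    meter = Meter(rate, burst, meter_timeout)
    ddoser, ddosed = TimedSet(set_timeout), TimedSet(set_timeout)
    counter = 0
    for p in sorted(packets, key=lambda p: p.time):
        if meter.over(p.saddr, p.time):
            ddoser.add(p.saddr, p.time)
            ddosed.add(p.daddr, p.time)
            counter += 1
    return ddoser, ddosed, counter


# Constructed trace (RFC 5737 documentation addresses, not real hosts)
ATTACKER, LEGIT, VICTIM = "198.51.100.7", "203.0.113.5", "192.0.2.10"
TRACE = (
    [Packet(0.0, ATTACKER, VICTIM)] * 80                            # 80 in one instant: 50 pass, 30 over
    + [Packet(0.1 + i * 0.05, LEGIT, VICTIM) for i in range(20)]    # 20 conns at 20/s: never over
    + [Packet(5.0, ATTACKER, VICTIM)] * 60                          # same element, refilled to 50: 10 over
    + [Packet(12.0, ATTACKER, VICTIM)] * 30                         # element expired at t=10s: fresh bucket, 0 over
)


def run_example():
    return apply_rule(TRACE)


if __name__ == "__main__":
    ddoser, ddosed, counter = run_example()
    print("rule counter:", counter)
    print("ddoser at t=13s:", ddoser.members(13.0))
    print("ddosed at t=13s:", ddosed.members(13.0))
    print("ddoser 24h later:", ddoser.members(13.0 + 24 * 3600))
```

The detail worth noticing for a defender is the split between the two timeouts: the 10s meter element is what the kernel rejected in the report above, and in this model it is also what hands the flooding source a fresh burst allowance after it expires, while the 24h `ddoser`/`ddosed` sets are what keep the record of who exceeded the rate and which destination was hit.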