darius <dram@xxxxxxxxxxx> wrote:
> Ok, I have tried. Here is the whole test script:
>
> #!/usr/sbin/nft -f
>
> table ip ipv4_filter{
>
>     # Sets
>     set ddoser{
>         type ipv4_addr; timeout 24h;
>     }
>
>     set ddosed{
>         type ipv4_addr; timeout 24h;
>     }
>
>     # IN chain
>     chain fl_input{
>         type filter hook input priority 0; policy accept;
>
>         ct state new meter DDoS { ip saddr timeout 10s limit rate over
> 50/second burst 50 packets} add @ddoser { ip saddr } add @ddosed { ip
> daddr } counter accept
>     }
> }
>
> Error I got is the same (below). I haven't had this behaviour with 0.8.2
> on the same machine. I'm running on kernel v4.14.43

This probably triggers a kernel bug then.

Does it work when you change this:

ct state new meter DDoS { ip ...

to this?

ct state new meter DDoS size 0 { ip ...