Perfect! It works. Thanks Florian.
Will rule still be executed the same way?

/Darius

On 26-05-2018 09:16, Florian Westphal wrote:
> darius <dram@xxxxxxxxxxx> wrote:
>> Ok, I have tried. Here is whole test script:
>>
>> #!/usr/sbin/nft -f
>>
>> table ip ipv4_filter{
>>
>>     # Sets
>>     set ddoser{
>>         type ipv4_addr; timeout 24h;
>>     }
>>
>>     set ddosed{
>>         type ipv4_addr; timeout 24h;
>>     }
>>
>>     # IN chain
>>     chain fl_input{
>>         type filter hook input priority 0; policy accept;
>>
>>         ct state new meter DDoS { ip saddr timeout 10s limit rate over
>> 50/second burst 50 packets} add @ddoser { ip saddr } add @ddosed { ip
>> daddr } counter accept
>>     }
>> }
>>
>> Error I got is the same (below). I haven't had this behaviour with 0.8.2
>> on the same machine. I'm running on kernel v4.14.43
> This probably triggers a kernel bug then.
>
> Does it work when you change this:
> ct state new meter DDoS { ip ...
>
> to this?
>
> ct state new meter DDoS size 0 { ip ...