nft 0.8.2 - literal map clashing with meter?

The rules below are working fine until trying to map ips/ports and I
cannot comprehend how/why this is bound to happen...

nft add rule nat prerouting dnat tcp dport map { 61023:179.x.x.x, 61023:172.25.120.2 }

Error: Could not process rule: Device or resource busy
add rule nat prerouting dnat tcp dport map { 61023:179.x.x.x, 61023:172.25.120.2 }
                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
_________________________________

table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                oif "ens3" masquerade
        }
}
table ip raw {
        chain prerouting {
                type filter hook prerouting priority -300; policy accept;
        }

        chain postrouting {
                type filter hook postrouting priority 100; policy accept;
        }
}
table inet filter {
        set tuc {
                type inet_proto
                flags constant
                elements = { tcp, udp }
        }

        set dd {
                type inet_proto
                flags constant
                elements = { 53, 67 }
        }

        set icmp_he {
                type inet_proto
                flags constant
                elements = { egp, 13, 15, udp }
        }

        chain input {
                type filter hook input priority 0; policy drop;
                ct state established,related accept
                tcp dport 56009 accept
                udp dport 61023 accept
                icmp type { echo-request, timestamp-request, info-request, address-mask-request } drop
                iif "lo" accept
                iifname "br*" tcp dport domain accept
                iifname "br*" udp dport domain accept
                iifname "br*" tcp dport bootps accept
                iifname "br*" udp dport bootps accept
        }

        chain forward {
                type filter hook forward priority 0; policy drop;
                oifname "br*" accept
                iifname "br*" accept
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}
table netdev filter {
        chain nic {
                type filter hook ingress device ens3 priority 0; policy accept;
                meter global-meter { ip saddr limit rate 50/second burst 25 packets } continue
                tcp dport 56009 meter ssh-meter { ip saddr limit rate 10/minute burst 3 packets } accept
                udp dport 61023 meter ovpn-meter { ip saddr limit rate 10/hour burst 7 packets } accept
        }
}
table bridge filter {
        chain input {
                type filter hook input priority -200; policy accept;
        }

        chain forward {
                type filter hook forward priority -200; policy accept;
        }

        chain output {
                type filter hook output priority -200; policy accept;
        }
}
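The failing rule's literal map lists the key 61023 twice, each time with a different destination address. nf_tables does not accept a map element whose key already exists with different data; that insert path returns EBUSY, which nft prints as "Device or resource busy". The checker below is an added example, not code from the mail or from the nftables project: it pulls the `{ key:value, ... }` body out of a rule string (assumed to be a simple `map` literal with IPv4 values) and reports keys that map to more than one value, so a ruleset can be linted before `nft` is asked to load it.

```python
import re
from collections import defaultdict

# Constructed input: the rule from the mail, with the address kept as written there.
RULE = "dnat tcp dport map { 61023:179.x.x.x, 61023:172.25.120.2 }"

# Matches the body of the first "map { ... }" literal in a rule string.
MAP_RE = re.compile(r"\bmap\s*\{(?P<body>[^}]*)\}")


def parse_literal_map(rule):
    """Return the (key, value) pairs of the first literal map in an nft rule.

    Elements are split on the first ':' only, so this assumes IPv4 (or
    port/number) values; IPv6 values would need a different separator rule.
    """
    m = MAP_RE.search(rule)
    if m is None:
        raise ValueError("no literal map in rule")
    pairs = []
    for elem in m.group("body").split(","):
        elem = elem.strip()
        if not elem:
            continue
        if ":" not in elem:
            raise ValueError("map element without ':' separator: %r" % elem)
        key, value = (part.strip() for part in elem.split(":", 1))
        pairs.append((key, value))
    return pairs


def find_conflicts(pairs):
    """Keys that appear more than once with differing values.

    A key repeated with the *same* value is a harmless duplicate; only a key
    repeated with different data is rejected by the kernel (EBUSY).
    """
    seen = defaultdict(set)
    for key, value in pairs:
        seen[key].add(value)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def check_rule(rule):
    """Conflicting keys of the rule's literal map; an empty dict means clean."""
    return find_conflicts(parse_literal_map(rule))


if __name__ == "__main__":
    for key, values in check_rule(RULE).items():
        print("key %s maps to %d different values: %s" % (key, len(values), ", ".join(values)))
```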
