Mikhail Morfikov <mmorfikov@xxxxxxxxx> wrote:
> # nft list chain inet filter INPUT
>
> table inet filter {
>     chain INPUT {
>         ...
>         meta nfproto { ipv4, ipv6 } log prefix "* INPUT * " limit rate 1/minute burst 1 packets counter packets 1 bytes 84 reject comment "Reject all connections"
>         counter packets 31 bytes 2604 drop
>     }
> }
>
> According to the output above, only 1 packet hits the first rule
> and the rest goes to the second rule and should be silently dropped.
> But syslog received 32 messages in the rate of 2 per second.

I'd expect 'log' to be not limited at all.

limit rate .... log prefix ... should work.
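The two statement orderings discussed in this thread, side by side, as an added example that is not part of the original messages. The table name `example_filter` and the hook/policy line are assumptions; the rule text is taken from the quoted listing with the counter values dropped.

```nft
# Constructed example ruleset; table name and hook line are assumptions.
table inet example_filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;

        # Ordering from the quoted rule (kept here as a comment only):
        # statements run left to right, so log fires for every packet that
        # reaches the rule. limit comes afterwards and only gates what is to
        # its right (counter, reject), which matches the report: 1 packet
        # counted and rejected, 32 log messages.
        #
        # meta nfproto { ipv4, ipv6 } log prefix "* INPUT * " limit rate 1/minute burst 1 packets counter reject comment "Reject all connections"

        # Ordering suggested in the reply: limit first. A packet over the
        # rate stops evaluating this rule at the limit statement, so it is
        # neither logged nor rejected and moves on to the next rule.
        meta nfproto { ipv4, ipv6 } limit rate 1/minute burst 1 packets log prefix "* INPUT * " counter reject comment "Reject all connections"

        # Over-limit packets end up here and are dropped without a log line.
        counter drop
    }
}
```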