Hello These are my Test-Rules how to understand "meter"... in a local simulation against synflag-flooding. Regular Traffic will be accepted, an unregular amount of packets will be dropped. As you can see, for all unregular Packets (forced by me) the SADDR is temporarly stored in the table "synflg-meter". How can I use those entries to block the IP completely until the timer is off. Is that even possible? table ip tfilter { chain input { type filter hook input priority 0; policy accept; ct state established,related accept tcp flags syn limit rate 1/second burst 3 packets accept tcp flags syn meter synflg-meter size 0 { ip saddr timeout 15s limit rate over 1/second } reject with tcp reset } } table ip tfilter { meter synflg-meter { type ipv4_addr flags timeout elements = { 10.10.1.49 expires 9s660ms : limit rate over 1/second } } } Thank you and best regards Tom