Re: Limiting connections with nft

Mikhail Morfikov <mmorfikov@xxxxxxxxx> wrote:
> nft add rule ip filter INPUT tcp dport 80 meter http1 { tcp dport . ip saddr limit rate over 200/second } counter drop

This limits each dport : ip saddr combination to 200 packets per second.
This doesn't make a lot of sense to me.

Also, why include "tcp dport" inside the {} ?
The rule only matches port 80 anyway.

> I was able to rewrite the rule to the following form:
> 
> nft add rule ip filter INPUT tcp dport 80 meter http1 { tcp dport . ip saddr } limit rate over 200/second counter drop

Hmm, that looks like a bug.  I'm not sure how this can work, or what it
should do.  The closing } comes too soon, the meter misses the
expression to instantiate.

I guess you're looking for "ct count"?

add rule ip filter INPUT tcp dport 80 ct state new meter http1 { ip saddr ct count over 100 } counter drop
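The two mechanisms the reply contrasts, written out side by side as a loadable ruleset (an added example, not part of the thread; the table, chain and meter names are assumed for illustration):

```nft
#!/usr/sbin/nft -f
# Added example: per-source connection cap vs. per-source rate limit on port 80.
# Names (filter, INPUT, http_conns, http_syn_rate) are assumed, not from the thread.
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;

        # 1) Concurrent-connection cap per client, as the reply suggests:
        #    the meter is keyed on ip saddr and "ct count over 100" fires once
        #    that address holds more than 100 tracked connections. Only new
        #    connections are evaluated, so established flows are not touched.
        tcp dport 80 ct state new meter http_conns { ip saddr ct count over 100 } counter drop

        # 2) Per-client rate limit on connection attempts: the key (ip saddr)
        #    and the limit both sit inside the braces. "tcp dport" is not needed
        #    in the key because the rule already matches port 80 only.
        tcp dport 80 ct state new meter http_syn_rate { ip saddr limit rate over 20/second burst 40 packets } counter drop

        # Whatever passes both meters is accepted; counters on the drop rules
        # make it visible which limit is actually being hit.
        tcp dport 80 counter accept
    }
}
```

Newer nftables releases deprecate `meter` in favour of dynamic sets, but the per-key `ct count` and `limit rate` expressions are the same.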


