Mikhail Morfikov <mmorfikov@xxxxxxxxx> wrote:
> nft add rule ip filter INPUT tcp dport 80 meter http1 { tcp dport . ip saddr limit rate over 200/second } counter drop

This limits each dport : ip saddr combination to 200 packets per second.
This doesn't make a lot of sense to me.

Also, why include "tcp dport" inside the {} ? The rule only matches port 80 anyway.

> I was able to rewrite the rule to the following form:
>
> nft add rule ip filter INPUT tcp dport 80 meter http1 { tcp dport . ip saddr } limit rate over 200/second counter drop

Hmm, that looks like a bug. I'm not sure how this can work, or what it should do.
The closing } comes too soon, the meter misses the expression to instantiate.

I guess you're looking for "ct count"?

add rule ip filter INPUT tcp dport 80 ct state new meter http1 { ip saddr ct count over 100 } counter drop
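The two forms discussed above, written out as a complete ruleset file (an added example, not part of the thread; the table, chain and meter names, the size and timeout values are assumptions chosen for illustration). The first meter keys on ip saddr only, so the rate limit is per client rather than per dport:saddr pair; the second counts connections per client with ct count. Load-check it with `nft -c -f ratelimit.nft` before applying.

```nft
# ratelimit.nft (constructed example)
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;

        # Per-source packet rate limit on port 80. The meter instantiates one
        # limit per ip saddr; "size" caps the number of tracked sources and
        # "timeout" expires idle entries so the meter does not grow forever.
        tcp dport 80 meter http_rate size 65535 { ip saddr timeout 1m limit rate over 200/second } counter drop

        # Per-source concurrent connection limit on port 80. Only new
        # connections are evaluated; "ct count over 100" drops the 101st and
        # later simultaneous connections from the same source.
        tcp dport 80 ct state new meter http_conn size 65535 { ip saddr ct count over 100 } counter drop
    }
}
```

The counters on both rules show how often each limit triggers, which is the quickest way to tell whether a threshold is tuned for the real traffic on the host.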