Re: Limiting connections with nft

On 06/04/2019 21:59, Florian Westphal wrote:
> Mikhail Morfikov <mmorfikov@xxxxxxxxx> wrote:
>> nft add rule ip filter INPUT tcp dport 80 meter http1 { tcp dport . ip saddr limit rate over 200/second } counter drop
> 
> This limits each dport : ip saddr combination to 200 packets per second.
> This doesn't make a lot of sense to me.
> 
> Also, why include "tcp dport" inside the {} ?
> The rule only matches port 80 anyway

It's just the example from the wiki. I haven't changed anything.

>> I was able to rewrite the rule to the following form:
>>
>> nft add rule ip filter INPUT tcp dport 80 meter http1 { tcp dport . ip saddr } limit rate over 200/second counter drop
> 
> Hmm, that looks like a bug.  I'm not sure how this can work, or what it
> should do.  The closing } comes too soon, the meter misses the
> expression to instantiate.
> 
> I guess you're looking for "ct count"?
> 
> add rule ip filter INPUT tcp dport 80 ct state new meter http1 { ip saddr ct count over 100 } counter drop
> 

I'm playing with the rules just to know how they work.

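The two forms discussed in this thread, written out as a complete ruleset file (an added example, not from either poster; the table and chain names follow the thread, the meter names, the log prefix and the thresholds are constructed):

```nft
#!/usr/sbin/nft -f
# Constructed example: per-source limits on TCP port 80.
flush ruleset

table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;

        # Per-source packet rate. The key is "ip saddr" only: the rule already
        # matches dport 80, so keying on "tcp dport . ip saddr" would just
        # create one bucket per (80, saddr) pair, i.e. the same thing with a
        # wider key. Each source gets its own 200 packets/second allowance;
        # packets above it are counted and dropped.
        tcp dport 80 meter http_pps { ip saddr limit rate over 200/second } counter drop

        # Per-source connection count ("ct count"), as suggested in the reply.
        # Only new connections are evaluated; once a source already holds 100
        # tracked connections to port 80, further connection attempts are
        # counted, logged and dropped.
        tcp dport 80 ct state new meter http_conn { ip saddr ct count over 100 } counter log prefix "http-conn-limit: " drop
    }
}
```

Load it with `nft -f <file>`; `nft list ruleset` then shows the counters, and `nft list meters` the current per-source entries.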

