On Wed, Aug 07, 2019 at 01:53:12PM +1000, Trent W. Buck wrote:
[...]
> I'm still a bit confused, though -- where does the "map" come in?
> It looks like basically you've done this (below)? Why?
>
> table a {
> chain b {
> … add @my_meter { … } …
> }
> - set my_meter { type … ; flags timeout, dynamic; }
> + map my_meter { type …: counter; flags timeout, dynamic; }
> }
>
> I tried that and works - the ruleset loads, and the lists update as before.
> It's still accessed via "nft list set" not "nft list map" - WTF?
>
> Your "nft list map" showed the counter, but mine didn't (see below) – why?
>
> # nft list set inet ips_demo baddie_meter
> table inet ips_demo {
>     map baddie_meter {
>         type ipv4_addr . ipv4_addr . inet_service : counter
>         size 65535
>         flags dynamic,timeout
>         timeout 1h
>         elements = { 203.7.155.5 . 203.7.155.214 . 22 expires 57m1s528ms limit rate over 1/minute burst 3 packets }
>     }
> }
>
> # nft list map inet ips_demo baddie_meter
> Error: No such file or directory
> list map inet ips_demo baddie_meter
>                        ^^^^^^^^^^^^

This one is a bug in nft 0.9.1, it's fixed in git.netfilter.org:

http://git.netfilter.org/nftables/commit/?id=7d3c01182e883e18050903b9176593c517e4ff91