Hello,
I was using meters by using 'meter' keyword, but apparently it is now
obsolete. So, I have decided to update rules and use dynamic sets
instead. For some reason I'm getting an error stating that rule is not
supported. Here is what was working before and still works:
ct state new meter mymeter { ip saddr timeout 30s limit rate over
50/second burst 50 packets } counter drop
Then I have tried to update this rule to the following:
...
set mymeter{
type ipv4_addr; flags timeout, dynamic;
}
...
ct state new add @mymeter { ip saddr timeout 30s limit rate over
50/second burst 50 packets } counter drop
In this case nft throws fault message:
root@HOMEROUTER:/etc/config# /etc/init.d/firewall reload
/etc/config/ruleset.nft:416:9-187: Error: Could not process rule: Not
supported
ct state new add @mymeter { ip saddr timeout 30s limit rate over
50/second burst 50 packets } counter drop
I'm running OpenWRT, kernel v4.14.167, nft v.0.9.2
Could anyone help to find out what I'm doing wrong? It seems that I did
it according to wiki.
Regards
Attachment:
signature.asc
Description: OpenPGP digital signature
