Re: Metering is not working with dynamic sets on nft v0.9.2

On 06/02/2020 22:42, darius wrote:
Hello,
I was using meters by using 'meter' keyword, but apparently it is now
obsolete.

If not mistaken, the intention is to replace meter with native set / map syntax, but meter is not yet deprecated/retired.


So, I have decided to update rules and use dynamic sets
instead. For some reason I'm getting an error stating that rule is not
supported. Here is what was working before and still works:

ct state new meter mymeter { ip saddr timeout 30s limit rate over
50/second burst 50 packets } counter drop

Then I have tried to update this rule to the following:

...
set mymeter{
     type ipv4_addr; flags timeout, dynamic;
}
...
ct state new add @mymeter { ip saddr timeout 30s limit rate over
50/second burst 50 packets } counter drop

In this case nft throws fault message:

root@HOMEROUTER:/etc/config# /etc/init.d/firewall reload
/etc/config/ruleset.nft:416:9-187: Error: Could not process rule: Not
supported
         ct state new add @mymeter { ip saddr timeout 30s limit rate over
50/second burst 50 packets } counter drop

I'm running OpenWRT, kernel v4.14.167, nft v.0.9.2
Could anyone help to find out what I'm doing wrong? It seems that I did
it according to wiki.

Regards


Are NFT SETS otherwise working? If so, then it is probably due to the inhabitation of the kernel version 4.14.x; at least my understanding is that some SETS related features are only available as of kernel 4.15 | 4.18.

If SETS, however, are generally printing the error, then it would likely be caused by an unset kernel build configuration flag.






