kernel 5.9.0-rc6 armv7l | nft 0.9.6

------ (1) netdev rate limiting

    table netdev filter {
        set glv4 {
            type ipv4_addr
            size 65535
            flags dynamic,timeout
            counter
            timeout 15m
            gc-interval 10s
        }
        chain input {
            type filter hook ingress device "eth2" priority -500; policy accept;
            ip saddr @glv4 counter packets 0 bytes 0 log prefix "nd glv4 DROP" flags all drop
        }
    }

Then however

    nft add rule netdev filter input ip protocol tcp { ip saddr limit rate over 50/second burst 15 packets } update @glv4 { ip saddr }

producing:

    Error: syntax error, unexpected saddr, expecting comma or '}'
    add rule netdev filter input ip protocol tcp { ip saddr limit rate over 50/second burst 15 packets } update @glv4 { ip saddr }
                                                      ^^^^^

Is rate limiting not meant for the netdev chain, or where do I go wrong with the syntax?

---- (2) timeouts

Like in the above statement, is the timeout applicable to the entire set, i.e. the entire set gets wiped after 15 min, or does the timeout apply selectively to each entry?

Perusing https://www.netfilter.org/projects/nftables/manpage.html#lbAN

    nft add rule ip filter input tcp flags syn tcp dport ssh meter flood size 128000 { ip saddr timeout 10s limit rate over 10/second} add @blackhole { ip saddr timeout 1m } drop

I fail to comprehend what the first statement ("timeout 10s") achieves; what is the purpose? As for the second statement ("timeout 1m"), I am wondering whether it would clash with or supersede the statement in the set (e.g. "timeout 15m" as in the above example)?
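The ruleset below is an added example, not part of the mail above, showing the two points the questions touch: the set statement form that the current nft manpage uses ("add @set { key timeout ... limit rate over ... }", which replaced the older "meter" statement), and the difference between a set-level timeout (the default for elements) and an element-level timeout (which overrides it for that element). It assumes the interface name "eth2" and that the netdev family accepts this statement exactly as the ip/inet families do.

```nft
# Added example (not from the original mail). Assumptions: interface eth2;
# netdev family behaves like ip/inet for set statements with stateful
# expressions.
flush ruleset

table netdev filter {
    # Per-source rate counters. "timeout 15m" is only the DEFAULT element
    # timeout; an element may carry its own timeout (see the rule below).
    set flood {
        type ipv4_addr
        size 65535
        flags dynamic,timeout
        timeout 15m
        gc-interval 10s
    }

    # Sources that exceeded the limit. Same default timeout; the rule below
    # gives each element its own 1m timeout, which supersedes the 15m default.
    set glv4 {
        type ipv4_addr
        size 65535
        flags dynamic,timeout
        counter
        timeout 15m
        gc-interval 10s
    }

    chain input {
        type filter hook ingress device "eth2" priority -500; policy accept;

        # Already-listed sources: log and drop.
        ip saddr @glv4 counter log prefix "nd glv4 DROP " flags all drop

        # The limit expression sits INSIDE the set-statement braces, not in a
        # bare "{ ... }" after the match (a bare brace block is parsed as an
        # anonymous set, which is what the syntax error complained about).
        # "limit rate over" makes the statement match only once the source
        # exceeds 50/s; only then does the rule continue to "add @glv4" and
        # "drop". "timeout 10s" is the element's own lifetime in @flood,
        # "timeout 1m" its own lifetime in @glv4.
        ip protocol tcp add @flood { ip saddr timeout 10s limit rate over 50/second burst 15 packets } add @glv4 { ip saddr timeout 1m } drop
    }
}
```

Load it with `nft -c -f file.nft` first to syntax-check without applying, then `nft -f file.nft`; `nft list set netdev filter glv4` shows the per-element expiry countdown.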