On 28/09/2020 04.10, Duncan Roe wrote:
> Hi Davin,
Thanks for the reply, Duncan.
> a) from b):
> Note that the meter keyword is obsolete, the dynamic set and map syntax is now preferred for consistency.
I see. In that case, I would like to update the man page to use the new
syntax. The examples there use meter, but without any explanation.
For example the blacklist example:
nft add rule ip filter input tcp flags syn tcp dport ssh \
meter flood size 128000 { ip saddr timeout 10s limit rate over 10/second } \
add @blackhole { ip saddr timeout 1m } drop
So would this be the set equivalent?
set flood {
type ipv4_addr;
size 128000;
flags dynamic, timeout;
timeout 1m;
}
...
tcp flags syn tcp dport ssh \
add @flood { ip saddr limit rate over 10/second } \
add @blackhole { ip saddr timeout 1m } drop
Is there a map equivalent? I couldn't get anything to work.
> b) Still documented at https://wiki.nftables.org/wiki-nftables/index.php/Meters,
> but the examples are updated to use dynamic sets.
It's quite confusing and doesn't work as described though.
> c) counters in dynamic sets are special: you get a counter for each set member.
Right - but how can I see the counters? If you look at my example I just
see this:
3.10.95.11 . 22 expires 14s492ms limit rate 10/second,
~ Devin
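The dynamic-set form of the meter-based SSH blacklist rule discussed above, written out as a complete ruleset that can be loaded with `nft -f`. This is an added example, not text from the thread, the man page or the nftables wiki. It assumes the table `ip filter` and an `input` chain attached to the filter hook (the thread's `nft add rule ip filter input ...` implies both exist, but their definitions are not on the page) and keeps the set names `flood` and `blackhole` from the examples.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): dynamic-set replacement for the
# obsolete "meter" form of the SSH SYN-flood blacklist rule.
# Assumptions: table "ip filter" and chain "input" on the filter hook.
flush ruleset

table ip filter {
    # Replaces "meter flood size 128000 { ip saddr timeout 10s ... }".
    # The set holds the per-source rate-limit state, one element per
    # address; "flags dynamic" lets rules add elements at packet time,
    # and the 10s timeout is what the meter's "timeout 10s" expressed.
    set flood {
        type ipv4_addr
        flags dynamic
        timeout 10s
        size 128000
    }

    # Target of "add @blackhole { ip saddr timeout 1m }". Elements carry
    # their own expiry, so the set needs "flags timeout".
    set blackhole {
        type ipv4_addr
        flags timeout
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Sources already in the blackhole are dropped before the rate
        # check, so they cannot keep refreshing their @flood entry.
        ip saddr @blackhole counter drop

        # Each SYN to port 22 creates or updates the source's element in
        # @flood. Once a source exceeds 10 SYN/s, "limit rate over" matches,
        # the source is added to @blackhole for one minute and the packet
        # is dropped.
        tcp flags syn tcp dport ssh add @flood { ip saddr limit rate over 10/second } add @blackhole { ip saddr timeout 1m } drop
    }
}
```

Check the file with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft`. The per-element state that the dynamic set keeps is shown by `nft list set ip filter flood`: each active element is printed with its remaining expiry and the stateful expression attached to it, which is the `expires ... limit rate 10/second` line format quoted in the message above (the listing shows whatever stateful expression the rule's element expression contains, so here the limit rather than a counter).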