On 28/09/2020 14.32, Duncan Roe wrote:
> It used to be the case with meters that you could have limit or counter but not
> both.
> I don't know if that is still the case with dynamic sets. If it is, you will
> have to have 2 sets: 1 with limits and 1 with counters.
> (counter with limit is ambiguous: do you want to count packets received or
> packets accepted? Both are do-able with 2 sets).
> Please post your rules that add set members if you have further questions.

I think it's clear enough with regard to sets in the manpage - I will
submit a patch for that.
However the situation on the wiki is still unclear. It does show
counters with limits, but for maps. However, it doesn't show how to
create the maps or add to them.
I try something like this:
    map flood2 {
        type ipv4_addr : counter;
        size 100000;
        flags dynamic, timeout;
        timeout 1m;
    }
    chain prerouting {
        tcp flags syn tcp dport 80 \
            add @flood2 { ip saddr limit rate over 3/minute } \
            log prefix "MAP "
    }
But no luck:
    /etc/nftables.conf:49:9-14: Error: Could not process rule: Operation not supported
    map flood2 {
Basically, I would like to update the wiki page so it provides workable
examples.
~ Devin