On Mon, Sep 28, 2020 at 03:00:59PM +0200, Devin Bayer wrote:
> On 28/09/2020 14.32, Duncan Roe wrote:
> >
> > It used to be the case with meters that you could have limit or counter but not
> > both.
> >
> > I don't know if that is still the case with dynamic sets. If it is, you will
> > have to have 2 sets: 1 with limits and 1 with counters.
> >
> > (counter with limit is ambiguous: do you want to count packets received or
> > packets accepted? Both are do-able with 2 sets).
> >
> > Please post your rules that add set members if you have further questions.
>
> I think it's clear enough in regards to sets in the manpage - I will submit
> a patch for that.
>
> However the situation on the wiki is still unclear. It does show counters
> with limits, but for maps. However, it doesn't show how to create the maps
> or add to them.
>
> I try something like this:
>
>     map flood2 {
>         type ipv4_addr : counter;
>         size 100000;
>         flags dynamic, timeout;
>         timeout 1m;
>     }
>
>     chain prerouting {
>         tcp flags syn tcp dport 80 \
>             add @flood2 { ip saddr limit rate over 3/minute } \
>             log prefix "MAP "
>     }
>
> But no luck:
>
> /etc/nftables.conf:49:9-14: Error: Could not process rule: Operation not
> supported

Something like this:

table ip x {
	set flood2 {
		type ipv4_addr
		size 100000
		flags dynamic,timeout
		timeout 1m
		elements = { 150.214.188.80 expires 54s752ms limit rate 1/minute burst 1 packets }
	}

	chain output {
		type filter hook output priority filter; policy drop;
		ct state new tcp dport 80 add @flood2 { ip daddr limit rate 1/minute burst 1 packets } log prefix "test: " accept
		ct state established,related accept
	}
}

Only one stateful expression is supported at this stage: either you have ratelimit or you have counters per element.
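Duncan's two-set suggestion written out as a complete ruleset, in the same style as the listing above. This is an added example, not a ruleset from anyone in the thread; the table, set and chain names are made up, and it assumes the limit-only and counter-only forms of a dynamic set update that the reply above describes as supported.

```nft
table ip flood_demo {
	# set 1: one rate limit per source address, no counter
	set flood_limit {
		type ipv4_addr
		size 100000
		flags dynamic,timeout
		timeout 1m
	}

	# set 2: one packet/byte counter per source address, no limit
	set syn_seen {
		type ipv4_addr
		size 100000
		flags dynamic,timeout
		timeout 1m
	}

	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept

		# count every new SYN to port 80 per source ("packets received");
		# no verdict here, so evaluation continues with the next rule
		ct state new tcp dport 80 add @syn_seen { ip saddr counter }

		# the add statement only matches once the source is over the
		# limit, so the log and drop apply to the excess SYNs only
		ct state new tcp dport 80 add @flood_limit { ip saddr limit rate over 3/minute burst 1 packets } log prefix "flood: " drop

		# within the limit: accept
		ct state new tcp dport 80 accept
	}
}
```

To count "packets accepted" instead of "packets received", move the counter rule below the drop rule so only SYNs that survived the limit check reach it; `nft list set ip flood_demo syn_seen` then shows the per-source counters.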