On Mon, Sep 28, 2020 at 04:47:00PM +0000, ѽ҉ᶬḳ℠ wrote:
> To get a flexible evaluation period for the count value:
>
> * ct state { new , invalid } update @glv4 { ip saddr ct count over 50
> timeout 1s } log flags all prefix "glv4 DROP: " drop
>
> update set element for any saddr that exceeds the count of 50 within 1 s for
> ct state new | invalid
>
>
> * ct state { new , invalid } update @glv4 { ip saddr ct count over 75
> timeout 1s } log flags all prefix "glv4 DROP: " drop
>
> update set element for any saddr that exceeds the count of 75 within 1 h for
> ct state new | invalid
>
>
> * ct state { new , invalid } update @glv4 { ip saddr ct count over 75
> timeout 1s } log flags all prefix "glv4 DROP: " drop
>
> update set element for any saddr that exceeds the count of 150 within 1 d
> for ct state new | invalid

Thanks, these are looking better, although still not correct. Two issues:

* 'ct count' relies on the connection tracking table. This is counting the
  number of existing connections in this table according to your key, i.e.
  ip saddr. You do not have to specify timeouts here because it is the
  connection tracking time that governs when the conntrack entries expire.

* You have to use 'add' instead of 'update'. Update makes sense to refresh
  timeouts when they are in place, but there are no timeouts in this case.
  Therefore, make sure you define the dynamic set with no timeouts at all
  when combining this with ct count.

Using 'update' in your rule with ct count and/or 'timeout' in your set
definition will make you hit "Operation not supported". Error reporting will
get better sooner or later to provide more hints on why this makes no sense;
meanwhile, documentation will probably help fill the gap.
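The quoted rule rewritten the way the reply describes, as an added example that is not part of the original thread: the dynamic set is declared without any timeout, and the rule uses 'add' with a 'ct count' element instead of 'update' with a per-element timeout. The set name glv4, the threshold of 50 and the log prefix are taken from the quoted rule; the inet family, the input hook and the set size are assumptions for the sake of a loadable ruleset.

```nft
# Added example, not code from the thread. Family "inet", the input hook and
# the set size are assumptions; glv4, the threshold and the log prefix come
# from the quoted rule.
table inet filter {
    # Dynamic set keyed by source address. Deliberately no "timeout": with
    # ct count, the lifetime of the conntrack entries decides when an address
    # stops being counted, and a set timeout here is rejected with
    # "Operation not supported".
    set glv4 {
        type ipv4_addr
        flags dynamic
        size 65535
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Form from the thread that fails ("update" plus "timeout 1s"):
        #   ct state { new, invalid } update @glv4 { ip saddr ct count over 50 timeout 1s } log flags all prefix "glv4 DROP: " drop
        # Corrected form: "add", no per-element timeout. The element counts
        # live conntrack entries for this ip saddr; once more than 50 exist,
        # the packet is logged and dropped.
        ct state { new, invalid } add @glv4 { ip saddr ct count over 50 } log flags all prefix "glv4 DROP: " drop
    }
}
```

Load it with `nft -f <file>`; the commented-out line, if uncommented, reproduces the "Operation not supported" failure the reply refers to.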