Hi folks,

I have a ruleset that I'm migrating from iptables to nftables. The translation tool used meters for some hashlimit rules, and I currently have the following lines after some modifications:

    tcp dport 22 meter ssh size 65535 { ip saddr timeout 1m limit rate 1/minute burst 1 packets } counter packets 0 bytes 0 accept
    ip saddr $trusted_hosts tcp dport 22 meter trustedssh { ip saddr timeout 1m limit rate 1/minute burst 2 packets } counter accept

The intention is to allow trusted hosts to connect three times within a minute, but for other hosts to only be allowed to connect once per minute. This works fine, but uses the meters feature, which the nftables wiki says is obsolete.

I have two sets of questions:

1) What are the main downsides of using meters as shown above? Even the nft wiki Metering page [1] uses meters for hashlimit rules from iptables, which lends some appearance of endorsement. Will meters go away in the future?

2) If I wanted to replicate the above behavior using sets, how would I do so? I spent some time trying to make it work, and modified Red Hat's guide [2] to replicate the behavior of the first rule, but I can't figure out a way to exempt the trusted hosts.

[1] https://wiki.nftables.org/wiki-nftables/index.php/Meters#Doing_iptables_hashlimit_with_nft
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_nftables_to_limit_the_amount_of_connections

Thanks a million!

--Mike
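The two meter rules from the post rewritten with dynamic sets, as an added example (not Mike's ruleset and not taken from the cited wiki or Red Hat pages). It assumes an `inet filter` table with an `input` chain, the set names `ssh_limit` and `trusted_ssh_limit`, placeholder trusted addresses, and that only new connections (`ct state new`) should count against the limit, with established traffic accepted earlier in the chain.

```nft
# Added example, not from the original post. Table, chain and set names are
# assumed; the trusted addresses below are placeholders.
define trusted_hosts = { 192.0.2.10, 192.0.2.11 }

table inet filter {
    # One element per source address, created from the packet path. Elements
    # expire one minute after they were last refreshed, which mirrors the
    # "ip saddr timeout 1m" part of the old meter; 'size' bounds memory.
    set ssh_limit {
        type ipv4_addr
        size 65535
        flags dynamic, timeout
        timeout 1m
    }
    set trusted_ssh_limit {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1m
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept

        # Trusted hosts are matched first and accepted, so they never reach the
        # stricter rule below; rule order is what exempts them. 'update' adds
        # the source address if missing, refreshes its timeout, and evaluates
        # the per-address limit; when the limit is exceeded the expression does
        # not match and the packet falls through.
        ip saddr $trusted_hosts tcp dport 22 ct state new \
            update @trusted_ssh_limit { ip saddr limit rate 1/minute burst 2 packets } \
            counter accept

        # Everyone else: one new SSH connection per source address per minute.
        tcp dport 22 ct state new \
            update @ssh_limit { ip saddr limit rate 1/minute burst 1 packets } \
            counter accept

        # Connections over their limit reach the chain policy and are dropped;
        # 'nft list set inet filter ssh_limit' shows the live per-address state.
    }
}
```

Because the general rule has no exemption of its own, a trusted host that exceeds its larger allowance is then also checked against `ssh_limit`, so place a `drop` after the trusted rule if that fallback is not wanted.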