Martin Zaharinov <micron10@xxxxxxxxx> wrote:
> if have 1k rule
>
> table inet nft-qos-static {
>         chain upload {
>                 type filter hook postrouting priority filter; policy accept;
>                 ip saddr 10.0.0.9 limit rate over 12 mbytes/second burst 50000 kbytes drop
>                 .........
>                 ip saddr 10.0.0.254 limit rate over 12 mbytes/second burst 50000 kbytes drop
>         }

1k rules? That's insane. Don't do that.
There is no need for that many rules, it's also super slow.

Use a static/immutable ruleset with a named set and then add/remove elements from the set.

table inet nft-qos-static {
        set limit_ul {
                typeof ip saddr
                flags dynamic
                elements = { 10.0.0.9 limit rate over 12 mbytes/second burst 50000 kbytes,
                             10.0.0.254 limit rate over 12 mbytes/second burst 50000 kbytes }
        }

        chain upload {
                type filter hook postrouting priority filter; policy accept;
                ip saddr @limit_ul drop
        }
}

static ruleset: no need to add/delete a rule:

nft add element inet nft-qos-static limit_ul "{ 10.1.2.4 limit rate over 1 mbytes/second burst 1234 kbytes }"
nft delete element inet nft-qos-static limit_ul "{ 10.1.2.4 limit rate over 1 mbytes/second burst 1234 kbytes }"

You can add/delete multiple elements in { }, separated by ",".
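
Added example, not part of the original mail: a POSIX shell helper that turns a subscriber list into one add/delete element command for the limit_ul set, validating every field before anything is handed to nft. The "IP RATE_MBYTES BURST_KBYTES" input format and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original mail). Table and set names are the
# ones used above; the "IP RATE_MBYTES BURST_KBYTES" input format and the
# function names are assumptions of this example.
TABLE="inet nft-qos-static"
SET="limit_ul"

# is_uint STR: succeed only for a non-empty string of digits.
is_uint() { case "$1" in ""|*[!0-9]*) return 1 ;; esac; }

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# build_batch add|delete: read one subscriber per line on stdin and print a
# single "element" command for the set. Any malformed field rejects the
# whole batch, so stray nft syntax in the input never reaches the ruleset.
build_batch() {
    op=$1; elems=""
    case "$op" in add|delete) ;; *) echo "bad op: $op" >&2; return 2 ;; esac
    while read -r ip rate burst extra; do
        [ -n "$ip" ] || continue    # skip blank lines
        if ! valid_ipv4 "$ip" || ! is_uint "$rate" || ! is_uint "$burst" \
            || [ -n "$extra" ]; then
            echo "rejected: $ip $rate $burst $extra" >&2; return 1
        fi
        elems="${elems:+$elems, }$ip limit rate over $rate mbytes/second burst $burst kbytes"
    done
    [ -n "$elems" ] || return 1
    printf '%s element %s %s { %s }\n' "$op" "$TABLE" "$SET" "$elems"
}

# Constructed sample; pipe the output into `nft -f -` to apply it.
build_batch add <<'EOF'
10.0.0.9 12 50000
10.0.0.254 12 50000
EOF
```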