Hi Florian,

This config looks good, but it does not work: after setting it, the user is not limited by speed.

table inet nft-qos-static {
	set limit_ul {
		typeof ip saddr
		flags dynamic
		elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes,
			     10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
	}

	set limit_dl {
		typeof ip saddr
		flags dynamic
		elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes,
			     10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
	}

	chain upload {
		type filter hook postrouting priority filter; policy accept;
		ip saddr @limit_ul drop
	}

	chain download {
		type filter hook prerouting priority filter; policy accept;
		ip saddr @limit_dl drop
	}
}

With this config the user with IP 10.0.0.1 is not limited to 5 mbytes/second. When I go back to this config:

table inet nft-qos-static {
	chain upload {
		type filter hook postrouting priority filter; policy accept;
		ip saddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
	}

	chain download {
		type filter hook prerouting priority filter; policy accept;
		ip daddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
	}
}

the user is limited perfectly. Maybe I missed something?

Martin

> On 21 Mar 2022, at 23:27, Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Martin Zaharinov <micron10@xxxxxxxxx> wrote:
>> if have 1k rule
>>
>> table inet nft-qos-static {
>> 	chain upload {
>> 		type filter hook postrouting priority filter; policy accept;
>> 		ip saddr 10.0.0.9 limit rate over 12 mbytes/second burst 50000 kbytes drop
>> 		.........
>> 		ip saddr 10.0.0.254 limit rate over 12 mbytes/second burst 50000 kbytes drop
>> 	}
>
> 1k rules? That's insane. Don't do that.
> There is no need for that many rules, it's also super slow.
>
> Use a static/immutable ruleset with a named set and then add/remove elements from the set.
>
> table inet nft-qos-static {
> 	set limit_ul {
> 		typeof ip saddr
> 		flags dynamic
> 		elements = { 10.0.0.9 limit rate over 12 mbytes/second burst 50000 kbytes,
> 			     10.0.0.254 limit rate over 12 mbytes/second burst 50000 kbytes }
> 	}
>
> 	chain upload {
> 		type filter hook postrouting priority filter; policy accept;
> 		ip saddr @limit_ul drop
> 	}
> }
>
> static ruleset: no need to add/delete a rule:
>
> nft add element inet nft-qos-static limit_ul "{ 10.1.2.4 limit rate over 1 mbytes/second burst 1234 kbytes }"
> nft delete element inet nft-qos-static limit_ul "{ 10.1.2.4 limit rate over 1 mbytes/second burst 1234 kbytes }"
>
> You can add/delete multiple elements in { }, separated by ",".
>
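The following is an added, complete ruleset file illustrating Florian's suggestion for both directions; it is not a config posted by either participant. The table name, the two test hosts and the rates are taken from the thread, everything else (the file name qos.nft, the extra host 10.0.0.7 in the comments) is assumed. One thing to note when comparing with the set-based config in the mail above: its download chain matches ip saddr @limit_dl on a set keyed by typeof ip saddr, whereas the per-rule download chain that worked matched ip daddr. Downstream traffic in prerouting carries the subscriber's address as the destination, so the example below keys the download set on ip daddr and looks it up with ip daddr, keeping the source-keyed set for upload only.

```nft
#!/usr/sbin/nft -f
# Added example for this thread, not a config posted by Martin or Florian.
# Assumes the table name and the two hosts from the thread; the file name
# qos.nft and the host 10.0.0.7 used in the commands below are made up.
#
# Load (replaces the whole table atomically):  nft -f qos.nft
# Inspect:  nft list table inet nft-qos-static
#
# Per-user changes never touch the rules, only the set elements, one set
# per direction (the same form Florian used for limit_ul):
#   nft add element inet nft-qos-static limit_ul \
#       '{ 10.0.0.7 limit rate over 8 mbytes/second burst 6000 kbytes }'
#   nft add element inet nft-qos-static limit_dl \
#       '{ 10.0.0.7 limit rate over 8 mbytes/second burst 6000 kbytes }'
#   nft delete element inet nft-qos-static limit_ul \
#       '{ 10.0.0.7 limit rate over 8 mbytes/second burst 6000 kbytes }'
#   nft delete element inet nft-qos-static limit_dl \
#       '{ 10.0.0.7 limit rate over 8 mbytes/second burst 6000 kbytes }'

# Declare-then-delete so that reloading this file replaces the table and the
# first load does not fail because the table does not exist yet.
table inet nft-qos-static
delete table inet nft-qos-static

table inet nft-qos-static {
	# Upload: the subscriber is the source of the packet, so the set is
	# keyed on the source address. Each element carries its own limiter.
	set limit_ul {
		typeof ip saddr
		flags dynamic
		elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes,
			     10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
	}

	# Download: the subscriber is the destination of the packet seen in
	# prerouting, so this set is keyed on the destination address.
	set limit_dl {
		typeof ip daddr
		flags dynamic
		elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes,
			     10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
	}

	chain upload {
		type filter hook postrouting priority filter; policy accept;
		# Lookup by source address; the matched element's limiter decides
		# whether this packet is over the rate and gets dropped.
		ip saddr @limit_ul drop
	}

	chain download {
		type filter hook prerouting priority filter; policy accept;
		# Lookup by destination address against the daddr-keyed set.
		ip daddr @limit_dl drop
	}
}
```

With this layout the ruleset never changes size: adding a thousand subscribers means a thousand set elements and still exactly two rules, and each packet costs one set lookup instead of a linear walk through a thousand rules.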