limit usage

Hi guys, I'm hoping you can clarify nftables' usage of the kernel's conntrack.

I've been having some DDoS attacks on my DNS servers, so I used the notrack flag to avoid filling the conntrack table, like so:

> add table ip raw
> add chain ip raw PREROUTING { type filter hook prerouting priority -300; policy accept; }
> add rule ip raw PREROUTING iif eno1 ip protocol {tcp, udp} th dport 53 counter notrack

But then I thought of also rate limiting by IPv4 source address. I was wondering if you could clarify, in the case of the "limit" functionality, whether nftables is using the conntrack table or its own memory for the following config, for the purpose of tracking the number of packets that have already arrived on the interface by source IP.

> add set my_filter_table dns_meter { type ipv4_addr . inet_service\; flags timeout, dynamic \;}
> add rule my_filter_table my_input_chain tcp dport 53 ct state new add @dns_meter { ip saddr . tcp dport timeout 60s limit rate 20/second } accept
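The two pieces from the message above combined into one `nft -f` ruleset, added here as an example and not part of the original post; it matches the notracked DNS packets on `ct state untracked` (a packet that hit `notrack` never has state `new`) and keeps the per-source counters in the dynamic set's own memory, not in the conntrack table. The table name `dns_guard`, the set size and the 20/second threshold are assumptions; `eno1` and port 53 come from the message.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original message. Table name, set size and the
# rate threshold are assumptions; interface eno1 and port 53 come from the post.

table ip dns_guard {
    # Dynamic set keyed on source address and destination port. Its elements
    # are stored by the set backend (bounded by "size"), independent of conntrack.
    set dns_meter {
        type ipv4_addr . inet_service
        size 65535
        flags dynamic, timeout
        timeout 60s
    }

    chain raw_prerouting {
        type filter hook prerouting priority -300; policy accept;

        # No conntrack entry for DNS: from here on these packets carry
        # "ct state untracked", so a later "ct state new" would never match them.
        iif "eno1" ip protocol { tcp, udp } th dport 53 counter notrack
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Per-source accounting in the dynamic set: a source sending more than
        # 20 packets/second to port 53 is dropped; its element expires 60s after
        # the last hit (set-level timeout above).
        iif "eno1" ct state untracked udp dport 53 add @dns_meter { ip saddr . udp dport limit rate over 20/second } counter drop
        iif "eno1" ct state untracked tcp dport 53 add @dns_meter { ip saddr . tcp dport limit rate over 20/second } counter drop

        # Everything under the threshold is accepted explicitly.
        iif "eno1" ct state untracked th dport 53 counter accept
    }
}
```

Load it with `nft -f <file>` and inspect the live elements with `nft list set ip dns_guard dns_meter`; the meter state shows up there, not in `conntrack -L`.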
