https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server

I believe in this example ct will accept echo-request regardless of the rate limit.

To fix it, the line

> icmp type echo-request limit rate 5/second accept

Must be followed by

> icmp type echo-request drop

Also the same for icmpv6. And ct must be moved to the end of the chain.

I suggest this is changed in the wiki.

Thanks,
Nuno
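
The rule ordering discussed in the message above, shown as an added example that is not taken from the wiki page or written by the message's author. The table names, the loopback rule and the TCP ports are assumptions for illustration; the two tables are alternatives, not meant to be loaded together.

```nft
# Constructed example. Load ONE of the two tables, not both.

# Ordering the message objects to: ct is evaluated first.
table inet server_ct_first {
    chain input {
        type filter hook input priority 0; policy drop;

        # Per the message, echo-requests that conntrack already tracks
        # are accepted here, so they never reach the limit rules below.
        ct state established,related accept

        iif "lo" accept

        icmp type echo-request limit rate 5/second accept
        icmpv6 type echo-request limit rate 5/second accept

        tcp dport { 22, 80, 443 } accept    # assumed services
    }
}

# Ordering the message proposes: limit, explicit drop, ct last.
table inet server_ct_last {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Echo-requests within the rate are accepted; the rest are dropped
        # explicitly, so no later rule in the chain can accept them.
        icmp type echo-request limit rate 5/second accept
        icmp type echo-request drop
        icmpv6 type echo-request limit rate 5/second accept
        icmpv6 type echo-request drop

        tcp dport { 22, 80, 443 } accept    # assumed services

        # Moved to the end of the chain, as the message suggests.
        ct state established,related accept
    }
}
```

Saved to a file, either table can be syntax-checked without being loaded by running `nft -c -f` on that file.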