Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> writes:

> On Sun, Sep 18, 2022 at 12:49:34PM +0200, Kamil Jońca wrote:
> [...]
>> For example:
>> https://wiki.archlinux.org/title/Nftables#Dynamic_blackhole
>> --8<---------------cut here---------------start------------->8---
>> ct state new tcp dport 443 \
>>         meter flood size 128000 { ip saddr timeout 10s limit rate over 10/second } \
>>         add @blackhole { ip saddr timeout 1m }
>> --8<---------------cut here---------------end--------------->8---
>>
>> I understand " add @blackhole { ip saddr timeout 1m }" - adds address to
>> set for 1 min.
>> but what is
>> "meter flood size 128000 { ip saddr timeout 10s limit rate over 10/second }"
>>
>> (I can guess but I cannot see proper doc of this)
>> Any hint?
>
> I'd suggest you use a set declaration for this, instead of the meter syntax.
>
> This example shows how to ratelimit new connections to 10 per second:
>
[... snip ...]

Thank you.
After some digging and reading the manual (especially "SET STATEMENT") I wrote a
similar thing (two tables flood + blacklist, etc.)
So thanks for the confirmation. :)

The only thing is
"
set flood {
        type ipv4_addr
        flags dynamic
        timeout 1m
        limit rate over 10/second
        size 65536
}
"
I did not find the "limit" statement in the set definition in the manual.
Have I overlooked something?

KJ

--
http://wolnelektury.pl/wesprzyj/teraz/
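
The meter line from the quoted Arch wiki rule, rewritten with a named dynamic set, as an added example that is not part of this thread and is not the snipped example from the reply. The table and chain names, the hook and the priority are assumptions; the limit is kept in the rule, not in the set declaration asked about above.

```nft
# Added illustration; table "filter" and chain "input" are assumed names.
table ip filter {
    # Sources currently banned; each element carries its own expiry.
    set blackhole {
        type ipv4_addr
        flags dynamic, timeout
        size 65536
    }

    # Named stand-in for "meter flood size 128000": one element per
    # source address, each element with its own rate limiter.
    set flood {
        type ipv4_addr
        flags dynamic, timeout
        size 128000
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Drop everything from sources that are still in the blackhole.
        ip saddr @blackhole drop

        # For each new connection to tcp/443: create (or reuse) the
        # per-source element in @flood, which expires after 10s.
        # "limit rate over" matches only when that source exceeds 10 new
        # connections per second; only then does evaluation continue to
        # the second statement, which bans the source for 1 minute.
        ct state new tcp dport 443 \
            add @flood { ip saddr timeout 10s limit rate over 10/second } \
            add @blackhole { ip saddr timeout 1m }
    }
}
```

Loading it with `nft -c -f <file>` checks the syntax without changing the running ruleset, and `nft list set ip filter flood` shows the per-source elements while traffic is arriving.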