Hi,

I am trying to apply an nft rule to limit the connections on the OpenSearch port 9200. I successfully limited the number of connections for the SSH port, using the following rule. The following rules are applied on the server-side machines (opensearch and sshd):

    ~] cat rule.nft
    flush ruleset
    table ip filter {
        set test-22-count-meter {
            type ipv4_addr
            size 65535
            flags dynamic
        }

        chain INPUT {
            type filter hook input priority filter - 5; policy drop;
            ct state new tcp dport 22 update @test-22-count-meter { ip saddr & 255.255.255.0 ct count over 5 } counter packets 0 bytes 0 reject
            iifname "eth0" tcp dport 22 counter packets 0 bytes 0 accept
            ----
            ----
        }
    }

In the same way, I am trying to limit the connections for port 9200, but it seems the rule is not behaving properly: it is blocking connections (zero connections accepted).

    ~] cat rule.nft
    flush ruleset
    table ip filter {
        set test-9200-count-meter {
            type ipv4_addr
            size 65535
            flags dynamic
        }

        chain INPUT {
            type filter hook input priority filter - 5; policy drop;
            ct state new tcp dport 9200 update @test-9200-count-meter { ip saddr & 255.255.255.0 ct count over 5 } counter packets 0 bytes 0 reject
            iifname "eth0" tcp dport 9200 counter packets 0 bytes 0 accept
            ----
            ----
        }
    }

Am I missing any kernel modules which should be enabled, or am I following some wrong format? Also, when ESTABLISHED, it holds the connections even though the clients are disconnected.

--
Regards,
Vishwanath
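For reference, here is a minimal per-source connection-limit ruleset for a service port, built with a dynamic set and `ct count`, in the form documented on the nftables wiki. It is an added example and not part of Vishwanath's message or his rule files; port 9200 and the interface name "eth0" are taken from the post, while the limit of 5 connections, the set name `conn-limit-9200` and the chain name `input` are assumed. It covers the same pattern for both the SSH and the OpenSearch case, since only the port differs.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post): limit NEW TCP connections to
# port 9200 to 5 per source address. Set name, chain name and the limit of 5
# are assumed values.
flush ruleset

table ip filter {
    set conn-limit-9200 {
        type ipv4_addr
        size 65535
        flags dynamic
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Packets of connections that were already accepted pass first, so the
        # counting rule below only ever sees the first packet of a connection.
        ct state established,related accept
        ct state invalid drop

        # Count new connections per source address. The set element tracks the
        # conntrack entries of that address; it is released when those entries
        # expire, so a client that disappears without closing the connection
        # still occupies a slot until the conntrack timeout runs out.
        iifname "eth0" tcp dport 9200 ct state new \
            add @conn-limit-9200 { ip saddr ct count over 5 } counter reject with tcp reset

        iifname "eth0" tcp dport 9200 ct state new counter accept
    }
}
```

The `ct count` expression is provided by the `nft_connlimit` kernel module (CONFIG_NFT_CONNLIMIT, kernel 4.18 and later); `nft -c -f rule.nft` checks the file without loading it, and loading it will fail if the module is unavailable. Compared with the posted rules, this version counts per exact source address rather than per `& 255.255.255.0` network, so several clients in the same /24 do not share one budget of 5.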