About adding a nft rule to limit opensearch connections

Hi, I am trying to apply an nft rule to limit the connections on the
OpenSearch port 9200.
I successfully limited the number of connections for the SSH port; I used the
following rule to do that.
The following rules are applied on the server-side machines (OpenSearch and sshd):

~] cat rule.nft
{
flush ruleset
table ip filter {
        set test-22-count-meter {
                type ipv4_addr
                size 65535
                flags dynamic
        }
        chain INPUT {
                type filter hook input priority filter - 5; policy drop;
                ct state new tcp dport 22 update @test-22-count-meter { ip saddr & 255.255.255.0 ct count over 5 } counter packets 0 bytes 0 reject
                iifname "eth0" tcp dport 22 counter packets 0 bytes 0 accept
        }
  ----
  ----
  }
}

I am trying to do the same thing to limit the connections for port 9200, but
the rule does not seem to behave properly: it is blocking connections
(zero connections accepted).

~] cat rule.nft
{
flush ruleset
table ip filter {
        set test-9200-count-meter {
                type ipv4_addr
                size 65535
                flags dynamic
        }
        chain INPUT {
                type filter hook input priority filter - 5; policy drop;
                ct state new tcp dport 9200 update @test-9200-count-meter { ip saddr & 255.255.255.0 ct count over 5 } counter packets 0 bytes 0 reject
                iifname "eth0" tcp dport 9200 counter packets 0 bytes 0 accept
        }
  ----
  ----
  }
}


Am I missing any kernel modules that should be enabled, or am I following
the wrong format?
Also, when ESTABLISHED, it holds the connections even though the clients are disconnected.

-- 
--Regards
Vishwanath
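As an added example, not part of the post above, here is a complete, self-contained nftables ruleset applying the same per-/24 concurrent-connection limit to port 9200 inside a drop-policy input chain that also accepts loopback and already-established traffic; the set name, the interface name eth0 and the limit of 5 are assumptions.

```nft
#!/usr/sbin/nft -f
flush ruleset

table ip filter {
        # Dynamic set keyed by the source /24. The "ct count" expression in the
        # rule below makes each element track the number of concurrent
        # connections matched through it, so no timeout is needed: an element
        # stops counting when its connections leave the conntrack table.
        set opensearch-conn-meter {
                type ipv4_addr
                size 65535
                flags dynamic
        }

        chain input {
                type filter hook input priority filter; policy drop;

                # Loopback and packets belonging to connections already accepted.
                iifname "lo" accept
                ct state established,related accept
                ct state invalid drop

                # A new TCP connection to 9200 whose source /24 already has more
                # than 5 concurrent connections is refused with a reset
                # (assumed limit); anything under the limit falls through.
                ct state new tcp dport 9200 update @opensearch-conn-meter { ip saddr & 255.255.255.0 ct count over 5 } counter reject with tcp reset

                # Remaining new connections to 9200 on the assumed interface.
                iifname "eth0" ct state new tcp dport 9200 counter accept
        }
}
```

`ct count` is implemented by the nft_connlimit kernel module (Linux 4.18 and later); `nft -c -f rule.nft` parses the file without loading it, and `nft list set ip filter opensearch-conn-meter` shows the live per-/24 counts once loaded.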
