Hi Kerin,

Thanks again. I have changed it for two reasons, because of the errors:

nft add set ip filter myrate "{ type ipv4_addr . inet_service; flags timeout ; }"
nft add rule ip filter INPUT tcp dport 8000 ct state new update @myrate { ip saddr . th dport timeout 10s limit rate over 1/day burst 15 packets } counter drop
Error: Could not process rule: Invalid argument
add rule ip filter INPUT tcp dport 8000 ct state new update @myrate { ip saddr . th dport timeout 10s limit rate over 1/day burst 15 packets } counter drop

After the above error I have changed it to the below.

In one use case the below never resets. Say I send only one message per second all the time: the below rule will stop at the 10th second and the next message will be accepted only after 10 seconds. This is not correct. When we are sending one message per second it has to accept it, because we are not sending all the 15 messages in one second.

table ip filter {
    set ratelimit {
        type ipv4_addr
        flags dynamic
        timeout 10s
    }

    chain INPUT {
        type filter hook input priority filter; policy accept;
        tcp dport 8000 ct state new update @ratelimit { ip saddr limit rate over 1/day burst 15 packets } drop
    }
}

Thanks
Sreedhar

On Fri, Mar 8, 2024 at 2:04 AM Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
>
> On Thu, 7 Mar 2024, at 5:10 PM, Sreedhar M wrote:
> > Thanks Kerin for the info.
> >
> > The workaround is not fulfilling. The use case for me is multiple
> > seconds combination.
> > I wanted to keep new connections, at given every 10 seconds period I
> > don't want to allow more than 15 connections
> >
> > Let me explain, as I wanted to accept new connections, at given every
> > 10 seconds period I don't want to allow more than 15 connections.
> >
> > With the below rule, ex: say on a src client If I run 15 connections
> > in one second because of 15 packets burst the rule will accept, from
> > 2nd second onwards it accepts 1 each second until it reaches 10
>
> You have to set the interval long enough for the bucket refill rate to be immaterial (1/day is the longest possible interval). The example had it as 1/hour; I do not know why you reduced it to 1/second.
>
> --
> Kerin Millar

--
Best Regards
Sreedhar
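
The "never resets" behaviour discussed in this thread can be reproduced with a small model. This is an added example, not part of the thread and not kernel or nftables code: a simplified per-source token bucket (burst 15, refill 1/day) attached to a set element with a 10s timeout. The `refresh` switch is an assumption of the model: `True` restarts the element timeout on every packet (what the nft documentation describes for `update`), `False` counts the timeout from element creation (what it describes for `add`).

```python
from dataclasses import dataclass

DAY = 86400.0  # seconds; "limit rate over 1/day" refills 1 token per day


@dataclass
class Element:
    """State of one set element (one source address) in this model."""
    tokens: float   # remaining burst
    last: float     # time of the previous packet, for refill
    expires: float  # absolute time at which the element times out


def simulate(arrivals, burst=15, timeout=10.0, rate=1 / DAY, refresh=True):
    """Return [(time, accepted)] for new connections from one source."""
    elem, out = None, []
    for now in arrivals:
        if elem is None or now >= elem.expires:
            # Element missing or timed out: recreate it with a full bucket.
            elem = Element(float(burst), now, now + timeout)
        elif refresh:
            # Timeout restarts on every packet, including dropped ones.
            elem.expires = now + timeout
        # Refill at the (deliberately negligible) configured rate.
        elem.tokens = min(burst, elem.tokens + (now - elem.last) * rate)
        elem.last = now
        ok = elem.tokens >= 1.0
        if ok:
            elem.tokens -= 1.0
        out.append((now, ok))  # not ok == "rate over" matched -> drop
    return out


def accepted(results):
    return sum(1 for _, ok in results if ok)


# Constructed traffic: one new connection per second for 40 seconds.
STEADY = [float(t) for t in range(40)]

if __name__ == "__main__":
    print("refreshing timeout:", accepted(simulate(STEADY, refresh=True)))
    print("fixed 10s window:  ", accepted(simulate(STEADY, refresh=False)))
```

With a refreshed timeout the source is only readmitted after 10 seconds of silence; with a fixed window the bucket is rebuilt every 10 seconds, so a steady 1 connection per second never reaches the burst of 15.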