On Fri, 8 Mar 2024, at 10:19 AM, Sreedhar M wrote:
> Great Kerin. Thank you so much for the support.
>
> With the below rules, especially using 'add', all my use cases are working.
>
> nft add set ip filter myrate { type ipv4_addr . inet_service; flags timeout; flags dynamic; timeout 10s; }
> nft add rule ip filter INPUT tcp dport 7880 ct state new add @myrate { ip saddr . th dport limit rate over 1/day burst 15 packets } counter drop

One more thing occurs to me. Now that you are using "add" and, given that "1/day" might otherwise appear confusing in the course of reviewing a ruleset, you could probably get away with changing the element template to:

{ ip saddr . th dport limit rate over 6/minute burst 15 packets }

Consider it optional; the behaviour should not change at all. Still, it does, perhaps, better hint at the underlying policy, i.e. something should happen after 10 (60/6) seconds. Normally, that would be the bucket being credited with a token, but it is my understanding that the timeout policy should prevail.

--
Kerin Millar
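The following is an added, simplified model of the per-(saddr, dport) limiter from this thread, not code from either poster or from nftables itself; it assumes that an element created by `add @myrate` keeps its original expiry, starts with `burst` tokens and is credited `rate` tokens per second, which is enough to show why "1/day" and "6/minute" give the same verdicts under a 10s timeout but diverge once the timeout outlives the refill interval.

```python
# Added simplified model of `add @myrate { ip saddr . th dport limit rate over R burst B }`.
# Assumed semantics (not taken from the nftables source): `add` never refreshes an
# element's timeout, a fresh element holds `burst` tokens, each packet spends one,
# and tokens are credited at `rate` per second up to `burst`. A packet with no token
# left is "over" the limit, so the rule matches and `counter drop` applies.

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def per_second(spec):
    """Convert an nft rate such as '6/minute' or '1/day' to tokens per second."""
    count, unit = spec.split("/")
    return int(count) / UNITS[unit]


def decide(trace, rate_per_sec, burst=15, timeout=10.0):
    """Return the 'accept'/'drop' verdict for each (time, key) packet in trace."""
    elements = {}  # key -> [created, tokens, last_credit]
    verdicts = []
    for now, key in trace:
        el = elements.get(key)
        if el is not None and now - el[0] >= timeout:
            el = None  # timeout policy prevails: the element and its bucket are gone
        if el is None:
            el = elements[key] = [now, float(burst), now]  # fresh element, full burst
        tokens = min(burst, el[1] + (now - el[2]) * rate_per_sec)  # credit the bucket
        if tokens >= 1:
            tokens -= 1
            verdicts.append("accept")
        else:
            verdicts.append("drop")
        el[1], el[2] = tokens, now
    return verdicts


# Constructed trace: client A sends 16 SYNs to port 7880 within 0.75 s, client B
# sends one, then A tries again at 9.5 s (inside the timeout) and at 12 s (after it).
A, B = ("192.0.2.10", 7880), ("198.51.100.7", 7880)
TRACE = [(i * 0.05, A) for i in range(16)] + [(0.8, B), (9.5, A), (12.0, A)]

if __name__ == "__main__":
    for spec in ("1/day", "6/minute"):
        print(spec, decide(TRACE, per_second(spec)))
    # With a longer timeout the 6/minute bucket is credited before the element expires.
    print("6/minute, timeout 60s", decide(TRACE, per_second("6/minute"), timeout=60.0))
```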