On Wed, 10 Apr 2024 22:40:53 +0100 Kerin Millar wrote:

> For the avoidance of doubt, please show the complete ruleset that you
> are attempting to load.

# cat connlimit-example
#!/usr/sbin/nft -f

flush ruleset

table ip filter {
	set my_connlimit {
		type ipv4_addr
		size 65535
		flags dynamic
	}

	chain output {
		type filter hook output priority filter; policy accept;
		ct state new add @my_connlimit { ip saddr ct count over 20 } counter drop
	}
}
# nft flush ruleset
# nft list ruleset
# ./connlimit-example
./connlimit-example:14:16-62: Error: Could not process rule: No such file or directory
		ct state new add @my_connlimit { ip saddr ct count over 20 } counter drop
		             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# nft list ruleset
#
# nft -V
nftables v1.0.6 (Lester Gooch #5)
  cli:		editline
  json:		yes
  minigmp:	no
  libxtables:	yes
#

> Additionally, compare the output of "uname -r" to the contents of the
> /lib/modules directory. Sometimes, people upgrade their kernels then
> forget to reboot before trying to load a ruleset that requires for
> one or more kernel modules to be newly loaded.

Everything is up-to-date and rebooted (many times).

# lsmod | grep -E '^nf'
nft_flow_offload       16384  0
nf_flow_table_inet     16384  0
nf_flow_table          40960  2 nft_flow_offload,nf_flow_table_inet
nf_conntrack_netlink   57344  0
nft_limit              16384  0
nf_log_syslog          24576  0
nft_log                16384  0
nft_nat                16384  0
nft_reject_ipv6        16384  0
nf_reject_ipv6         20480  1 nft_reject_ipv6
nft_reject_ipv4        16384  0
nf_reject_ipv4         16384  1 nft_reject_ipv4
nft_reject             16384  2 nft_reject_ipv6,nft_reject_ipv4
nft_ct                 20480  0
nft_masq               16384  0
nft_chain_nat          16384  0
nf_nat                 57344  3 nft_nat,nft_masq,nft_chain_nat
nf_conntrack          167936  7 nf_nat,nft_flow_offload,nft_ct,nft_nat,nf_conntrack_netlink,nft_masq,nf_flow_table
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
nf_tables             307200 11 nft_reject_ipv6,nft_reject_ipv4,nft_flow_offload,nft_ct,nft_log,nft_nat,nft_masq,nft_chain_nat,nft_limit,nf_flow_table_inet,nft_reject
nfnetlink              20480  2 nf_conntrack_netlink,nf_tables