On Wed, 10 Apr 2024 22:40:53 +0100 Kerin Millar wrote:
> For the avoidance of doubt, please show the complete ruleset that you
> are attempting to load.
# cat connlimit-example
#!/usr/sbin/nft -f
flush ruleset
table ip filter {
set my_connlimit {
type ipv4_addr
size 65535
flags dynamic
}
chain output {
type filter hook output priority filter; policy accept;
ct state new add @my_connlimit { ip saddr ct count over 20 } counter drop
}
}
# nft flush ruleset
# nft list ruleset
# ./connlimit-example
./connlimit-example:14:16-62: Error: Could not process rule: No such file or directory
ct state new add @my_connlimit { ip saddr ct count over 20 } counter drop
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# nft list ruleset
#
# nft -V
nftables v1.0.6 (Lester Gooch #5)
cli: editline
json: yes
minigmp: no
libxtables: yes
#
> Additionally, compare the output of "uname -r" to the contents of the
> /lib/modules directory. Sometimes, people upgrade their kernels then
> forget to reboot before trying to load a ruleset that requires for
> one or more kernel modules to be newly loaded.
Everything is up-to-date and rebooted (many times).
# lsmod | grep -E '^nf'
nft_flow_offload 16384 0
nf_flow_table_inet 16384 0
nf_flow_table 40960 2 nft_flow_offload,nf_flow_table_inet
nf_conntrack_netlink 57344 0
nft_limit 16384 0
nf_log_syslog 24576 0
nft_log 16384 0
nft_nat 16384 0
nft_reject_ipv6 16384 0
nf_reject_ipv6 20480 1 nft_reject_ipv6
nft_reject_ipv4 16384 0
nf_reject_ipv4 16384 1 nft_reject_ipv4
nft_reject 16384 2 nft_reject_ipv6,nft_reject_ipv4
nft_ct 20480 0
nft_masq 16384 0
nft_chain_nat 16384 0
nf_nat 57344 3 nft_nat,nft_masq,nft_chain_nat
nf_conntrack 167936 7 nf_nat,nft_flow_offload,nft_ct,nft_nat,nf_conntrack_netlink,nft_masq,nf_flow_table
nf_defrag_ipv6 24576 1 nf_conntrack
nf_defrag_ipv4 16384 1 nf_conntrack
nf_tables 307200 11 nft_reject_ipv6,nft_reject_ipv4,nft_flow_offload,nft_ct,nft_log,nft_nat,nft_masq,nft_chain_nat,nft_limit,nf_flow_table_inet,nft_reject
nfnetlink 20480 2 nf_conntrack_netlink,nf_tables
