Clarification on the functioning of "ct count"

Posting this again without HTML formatting in case the first mail was
rejected. I have questions about how exactly using "ct count" or
"ct count over" in dynamic nft sets works. I want to implement nft
rules for the following use cases:
1. Limit the max TCP sessions from one host to 5000.
2. Limit the max TCP sessions to one host to 5000.

I tried using 'ct count' for the 1st use case. I have questions about
how exactly using "ct count" or "ct count over" in dynamic nft sets
works.
https://wiki.nftables.org/wiki-nftables/index.php/Meters#Doing_connlimit_with_nft
I tried the example from the above link. (For testing I just changed
the "ct count over 20" part to "ct count over 3"; for my use case I
would change it to 5000.)
'''
table ip filter {
    # Dynamic set keyed by IPv4 address; the rule below adds an element per
    # source address, and each element carries a "ct count" connection limit.
    set my_connlimit {
        type ipv4_addr
        size 65535
        flags dynamic
    }

    chain output {
        type filter hook output priority filter; policy accept;
        # For every new connection: add/update the element for ip saddr and
        # drop the packet if that address is already over 3 tracked connections.
        ct state new add @my_connlimit { ip saddr ct count over 3 } counter drop
    }
}
'''
I have a setup of 3 machines (VMs).
Host machine: 192.168.56.1
Then on virtualbox, I set up 2 VMs.
Machine 1: 192.168.56.101
Machine 2: 192.168.56.103
I put the above nft rules on "Machine 1".
I have recorded videos.
Left half of the screen: Top 4 terminal windows are from the "host machine".
Left half of the screen: Bottom 4 terminal windows are from the "Machine 2".
Right half of the screen: Output on "Machine 1" for the commands:
'sudo conntrack -L' & 'sudo nft list table ip filter'. We can monitor
the actual conntrack table entries on "Machine 1" & the nft set
elements in the my_connlimit set on "Machine 1".
Then I tried the following test, "Test 1".
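The following ruleset is an added example, not part of the mail above or of the wiki page it links to. It shows one way to express both use cases from the mail with two dynamic sets, one keyed by source and one by destination address, using the same "add @set { ... ct count over N }" construct. It assumes Machine 1 is the endpoint of the connections, so inbound sessions are limited in an input-hook chain and outbound sessions in an output-hook chain; on a router both rules would go in a forward-hook chain instead. The set names connlimit_from and connlimit_to are my own choice.

```nft
# Added example (not from the original mail). Per-source and per-destination
# TCP connection limits with nft dynamic sets and "ct count".
# Assumption: this box is the endpoint of the connections being limited.
table ip filter {
    # One element per remote source address. Each element holds a "ct count"
    # connection limit that counts the conntrack entries created via this rule.
    set connlimit_from {
        type ipv4_addr
        size 65535
        flags dynamic
    }

    # One element per remote destination address.
    set connlimit_to {
        type ipv4_addr
        size 65535
        flags dynamic
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # Use case 1: a new TCP connection is dropped when the host that
        # initiated it would exceed 5000 tracked connections towards us.
        # Only "ct state new" packets are evaluated, so established flows are
        # never touched by this rule.
        ip protocol tcp ct state new \
            add @connlimit_from { ip saddr ct count over 5000 } counter drop
    }

    chain output {
        type filter hook output priority filter; policy accept;

        # Use case 2: a new TCP connection we initiate is dropped when we
        # would exceed 5000 tracked connections to that destination host.
        ip protocol tcp ct state new \
            add @connlimit_to { ip daddr ct count over 5000 } counter drop
    }
}
```

Load it with `nft -f <file>` and inspect the live state with `nft list set ip filter connlimit_from` (the elements show their current `ct count`) alongside `conntrack -L -p tcp`, which is the same pair of views the mail describes watching. The `counter` before `drop` makes it easy to see how many new connections the limit has rejected; swap `drop` for `reject with tcp reset` if the client should fail fast instead of timing out.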
