Posting this again without HTML formatting in case the first mail has been rejected.

I have questions about how exactly using "ct count" or "ct count over" in dynamic nft sets works. I want to implement nft rules for the following use cases:

1. Limit the max TCP sessions from one host to 5000.
2. Limit the max TCP sessions to one host to 5000.

I tried using 'ct count' for the 1st use case. I have questions about how exactly using "ct count" or "ct count over" in dynamic nft sets works.

https://wiki.nftables.org/wiki-nftables/index.php/Meters#Doing_connlimit_with_nft

I tried the example from the above link (for testing, I just changed the "ct count over 20" part to "ct count over 3"; for my use case I would change it to 5000):

'''
table ip filter {
	set my_connlimit {
		type ipv4_addr
		size 65535
		flags dynamic
	}

	chain output {
		type filter hook output priority filter; policy accept;
		ct state new add @my_connlimit { ip saddr ct count over 3 } counter drop
	}
}
'''

I have a setup of 3 machines (VMs).

Host machine: 192.168.56.1

Then on VirtualBox, I set up 2 VMs.

Machine 1: 192.168.56.101
Machine 2: 192.168.56.103

I put the above nft rules on "Machine 1".

I have recorded videos.
Left half of the screen: Top 4 terminal windows are from the "host machine".
Left half of the screen: Bottom 4 terminal windows are from "Machine 2".
Right half of the screen: Output on "Machine 1" for the commands 'sudo conntrack -L' & 'sudo nft list table ip filter'.

We can monitor the actual conntrack table entries on "Machine 1" & the nft set elements in the my_connlimit set on "Machine 1".

Then I tried the following test - "Test 1".
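An added helper for the kind of test described above (not part of the original mail or of nftables): it reads 'sudo conntrack -L' output and counts tracked TCP flows per original-direction address, keyed on the source (the 'ip saddr' element of use case 1) or on the destination (an 'ip daddr' keyed set, as use case 2 would need), so the number can be compared with what the dynamic set element is expected to count. The conntrack dump below is a constructed sample in the 'conntrack -L' line format, not captured output.

```shell
#!/bin/sh
# Count tracked TCP flows per original-direction address from `conntrack -L` output.
# Usage: conntrack_flows_per_addr src|dst  (reads the dump on stdin)
conntrack_flows_per_addr() {
    key="$1"   # "src": compare with an ip saddr set; "dst": with an ip daddr set
    awk -v key="$key" '
        $1 == "tcp" {
            # The first src=/dst= pair on a line is the original direction;
            # the reply-direction pair further right is deliberately ignored,
            # so state tags such as [UNREPLIED] in between do not matter.
            for (i = 4; i <= NF; i++) {
                if (index($i, key "=") == 1) {
                    addr = substr($i, length(key) + 2)
                    count[addr]++
                    break
                }
            }
        }
        END { for (a in count) printf "%d %s\n", count[a], a }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample dump (hypothetical flows, same addresses as the test setup).
SAMPLE_DUMP='tcp      6 431999 ESTABLISHED src=192.168.56.1 dst=192.168.56.101 sport=50001 dport=22 src=192.168.56.101 dst=192.168.56.1 sport=22 dport=50001 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.56.1 dst=192.168.56.101 sport=50002 dport=22 src=192.168.56.101 dst=192.168.56.1 sport=22 dport=50002 [ASSURED] mark=0 use=1
tcp      6 119 SYN_SENT src=192.168.56.1 dst=192.168.56.101 sport=50003 dport=80 [UNREPLIED] src=192.168.56.101 dst=192.168.56.1 sport=80 dport=50003 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.56.103 dst=192.168.56.101 sport=40001 dport=22 src=192.168.56.101 dst=192.168.56.103 sport=22 dport=40001 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.56.103 dst=192.168.56.101 sport=5353 dport=5353 src=192.168.56.101 dst=192.168.56.103 sport=5353 dport=5353 mark=0 use=1'

# Reports over the constructed sample; on a live box pipe `sudo conntrack -L` in instead.
report_per_src() { printf '%s\n' "$SAMPLE_DUMP" | conntrack_flows_per_addr src; }
report_per_dst() { printf '%s\n' "$SAMPLE_DUMP" | conntrack_flows_per_addr dst; }
```

The UDP entry is excluded and the half-open SYN_SENT flow is still counted, which matches the rule above adding elements on 'ct state new' rather than on established connections only.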