Re: set with limit

On Wed, Nov 20, 2024 at 09:17:13AM +0100, Slavko wrote:
> On 19. 11. at 19:00 Slavko wrote:
> > On 19. novembra 2024 16:06:17 UTC, Florian Westphal <fw@xxxxxxxxx> wrote:
> > 
> > > Looks like 5.10 is too old, listing should show limit expression was
> > > attached, i.e.:
> > 
> > Thanks, i will try with meter tomorrow...
> 
> Yes, with meter it works:
> 
>     nft list meter inet filter base_log4
>     table inet filter {
>         meter base_log4 {
>                 type ipv4_addr
>                 size 65535
>                 flags dynamic,timeout
>                 elements = { 10.60.65.78 limit rate 1/minute burst 2
>                              packets timeout 1h expires 59m58s208ms }
>         }
>     }

According to your original example, you could use:

     set log_base4 {
         typeof ip saddr
         size 1000
         flags dynamic,timeout
         limit rate 1/minute burst 2 packets
         timeout 1h
         comment "IPv4 base log limit"
     }

     chain input {
         type filter hook input priority filter + 5; policy accept;
         ...
         update @log_base4 { ip saddr limit rate 1/minute burst 2 packets } log group 0
     }

i.e. replace

       update @log_base4 { ip saddr } log group 0

by:

       update @log_base4 { ip saddr limit rate 1/minute burst 2 packets } log group 0

5.10 is lacking this patch:

commit fca05d4d61e65fa573a3768f9019a42143c03349
Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date:   Sat Jan 16 12:26:46 2021 +0100

    netfilter: nft_dynset: honor stateful expressions in set definition
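
For reference, the pattern above as one complete ruleset file. This is an
added example, not code from Pablo's reply or from the nftables project;
the table name "inet filter", the set and chain names and the log group are
taken from the thread, everything else (the shebang, the comments, the
assumption that no "inet filter" table exists yet) is mine.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original thread). Assumes no table named
# "inet filter" exists yet; load with: nft -f this-file.nft

table inet filter {
    set log_base4 {
        typeof ip saddr
        size 1000
        flags dynamic,timeout
        # Stateful expression attached to the set. Kernels that carry
        # commit fca05d4d61e6 ("nft_dynset: honor stateful expressions in
        # set definition") apply it to every element created by update/add.
        # On 5.10, which lacks that patch, this line is accepted but not
        # applied, so the rule below repeats it.
        limit rate 1/minute burst 2 packets
        timeout 1h
        comment "IPv4 base log limit"
    }

    chain input {
        type filter hook input priority filter + 5; policy accept;

        # Per-source rate-limited logging. The update expression creates
        # or refreshes the element for ip saddr and evaluates the limit:
        # it matches only while that address is within 1/minute (+2 burst),
        # so "log group 0" fires at most that often per source. Repeating
        # the limit here is what makes the limit work on 5.10 as well.
        update @log_base4 { ip saddr limit rate 1/minute burst 2 packets } log group 0
    }
}
```

Check the file with "nft -c -f" before loading it. After some traffic,
"nft list set inet filter log_base4" shows the elements with their
per-element expiry and, on a kernel with the patch, the attached limit
expression (as in the meter listing quoted above); on 5.10 the elements
are listed without it, which is the symptom the thread started from.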