[Bug 1703] New: Nftables does not work as expected to block with meter

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Sep 14 02:03:42 CEST 2023


https://bugzilla.netfilter.org/show_bug.cgi?id=1703

            Bug ID: 1703
           Summary: Nftables does not work as expected to block with meter
           Product: nftables
           Version: 1.0.x
          Hardware: arm
                OS: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables-nft
          Assignee: pablo at netfilter.org
          Reporter: lpsribeiro at sga.pucminas.br

I posted it in question format on the websites below because I suspected it was
some bad configuration, but after reviewing the command, I believe it could be
a bug.

https://unix.stackexchange.com/questions/756437/nftables-does-not-work-as-expected-to-block-with-meter

https://serverfault.com/questions/1143636/nftables-does-not-work-as-expected-to-block-with-meter

table netdev filter {
    set whitelist {
        type ipv4_addr
        elements = { 186.248.79.100 }
    }

    set blocklist {
        type ipv4_addr
        size 65535
        flags dynamic,timeout
        timeout 30s
    }

    chain ingress {
        type filter hook ingress device "eth0" priority -450; policy accept;
        ip saddr @whitelist accept
        ip daddr 10.0.0.192 jump input
        ip daddr != 10.0.0.192 jump forward
    }

    chain http {
        ip saddr 191.185.17.156 counter
        meter http size 65535 { ip saddr . tcp dport limit rate over 200/second } add @blocklist { ip saddr } counter
    }

    chain forward { }

    chain input {
        tcp dport vmap { 8000 : jump portainer, 9443 : jump portainer }
        tcp dport vmap { 80 : jump http }
    }
}

I want to count packets whose transfer rate from the Source IP and Destination
Port exceeds 200 packets per second; basically, I will do this only for http
(chain below), but it's not working.

1. ip saddr 191.185.17.156 counter packets 100 bytes 4920

2. ip saddr 191.185.17.156 meter http size 65535 { ip saddr . tcp dport limit rate over 200/second } add @blocklist { ip saddr } counter packets 73 bytes 3576

How is it possible to have only 100 registered packets in 1.) and 73
registered packets in 2.)? 100 is less than 200, so the counter of 2.) should
be at zero, as no packet exceeded the rate of 200 packets per second for any
saddr:dport.


-----------------------

Linux instance-20230908-1140 6.5.2-1.el9.elrepo.aarch64 #1 SMP PREEMPT_DYNAMIC Wed Sep  6 16:59:42 CDT 2023 aarch64 aarch64 aarch64 GNU/Linux

 Static hostname: instance-20230908-1140
       Icon name: computer-vm
         Chassis: vm 

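Editor's added example (not part of the bug report, and not the kernel's nft_limit code): a simplified token-bucket model of what a `meter { ip saddr . tcp dport limit rate over N/second }` rule evaluates. It exists to make the semantics of `rate over` concrete: each meter key gets its own bucket, the bucket is judged per packet against the refill of credits over elapsed time rather than against a per-wall-clock-second tally, and a counter placed after `rate over` only increments for packets that arrive when the key's credits are exhausted. The model's assumptions are labelled in the code: a fresh key starts with a full bucket of `burst` credits, credits refill continuously at `rate` per second, and the traffic, addresses and ports are constructed for the demonstration. The kernel's real bucket sizing may differ, so this model is for reasoning about the rule's meaning, not for reproducing the counters above.

```python
"""Token-bucket model of `meter ... { ip saddr . tcp dport limit rate over N/second }`.

Constructed, simplified model added for illustration; it is NOT the kernel's
nft_limit implementation.  Assumptions: each meter key has its own bucket that
holds at most `burst` packet credits, starts full when the key is first seen,
refills at `rate` credits per second, and a packet matches `limit rate over`
only when no credit is left.  Times are exact Fractions so counts reproduce.
"""
from fractions import Fraction


class TokenBucket:
    """One meter entry: credits refill continuously and are capped at `burst`."""

    def __init__(self, rate: int, burst: int):
        self.rate = Fraction(rate)
        self.burst = Fraction(burst)
        self.tokens = self.burst      # assumption: a fresh entry starts full
        self.last = Fraction(0)

    def over(self, now: Fraction) -> bool:
        """True if a packet arriving at time `now` exceeds the configured rate."""
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1          # within rate: spend one credit, no match
            return False
        return True                   # bucket empty: `rate over` matches


def meter_over(packets, rate: int, burst: int):
    """Run packets (time, saddr, dport) through per-key buckets.

    Returns {(saddr, dport): packets that matched `rate over`}; every key seen
    is present, with 0 when nothing exceeded the rate.  This is what a
    `counter` placed after the meter expression would accumulate per key.
    """
    buckets = {}
    matched = {}
    for t, saddr, dport in sorted(packets):
        key = (saddr, dport)          # the meter's concatenated key
        bucket = buckets.setdefault(key, TokenBucket(rate, burst))
        matched.setdefault(key, 0)
        if bucket.over(t):
            matched[key] += 1
    return matched


def evenly_spaced(saddr: str, dport: int, pps: int, seconds: int = 1):
    """Constructed traffic: `pps` packets per second, evenly spaced."""
    return [(Fraction(i, pps), saddr, dport) for i in range(pps * seconds)]


if __name__ == "__main__":
    # Constructed sample (documentation addresses): 192.0.2.10 sends 300 pps
    # to port 80 (above a 200/s limit), 192.0.2.20 sends 100 pps to port 80,
    # and 192.0.2.10 also sends 100 pps to port 443, a separate meter key.
    traffic = (evenly_spaced("192.0.2.10", 80, 300)
               + evenly_spaced("192.0.2.20", 80, 100)
               + evenly_spaced("192.0.2.10", 443, 100))
    for (saddr, dport), n in sorted(meter_over(traffic, rate=200, burst=5).items()):
        print(f"{saddr}:{dport} matched 'rate over' {n} times")
```

With a 200/s rate and 5 credits of burst, the 300 pps source is matched on roughly every third packet once its credits are spent (96 of 300 in this model), while the 100 pps flows on the same and on other keys never match, which is the per-key isolation the concatenated `ip saddr . tcp dport` key provides.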