<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Nftables does not work as expected to block with meter"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1703">1703</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Nftables does not work as expected to block with meter
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>1.0.x
</td>
</tr>
<tr>
<th>Hardware</th>
<td>arm
</td>
</tr>
<tr>
<th>OS</th>
<td>other
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>iptables-nft
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>lpsribeiro@sga.pucminas.br
</td>
</tr></table>
<p>
<div>
<pre>I posted it in question format on the websites below because I suspected it was
some bad configuration, but after reviewing the command, I believe it could be
a bug:
<a href="https://unix.stackexchange.com/questions/756437/nftables-does-not-work-as-expected-to-block-with-meter">https://unix.stackexchange.com/questions/756437/nftables-does-not-work-as-expected-to-block-with-meter</a>
<a href="https://serverfault.com/questions/1143636/nftables-does-not-work-as-expected-to-block-with-meter">https://serverfault.com/questions/1143636/nftables-does-not-work-as-expected-to-block-with-meter</a>
# Ruleset as posted in the report, re-indented with comments. Chain "portainer"
# is referenced by the vmap but not shown in the report; an empty stub is added
# below so the ruleset loads, and is not part of the original listing.
table netdev filter {
    set whitelist {
        type ipv4_addr
        elements = { 186.248.79.100 }
    }
    # dynamic set that the meter feeds; entries expire after 30s
    set blocklist {
        type ipv4_addr
        size 65535
        flags dynamic,timeout
        timeout 30s
    }
    # ingress hook on eth0: whitelist first, then dispatch by destination
    chain ingress {
        type filter hook ingress device "eth0" priority -450; policy accept;
        ip saddr @whitelist accept
        ip daddr 10.0.0.192 jump input
        ip daddr != 10.0.0.192 jump forward
    }
    chain http {
        ip saddr 191.185.17.156 counter
        # per (saddr, dport) meter: packets over 200/s add their saddr to @blocklist
        meter http size 65535 { ip saddr . tcp dport limit rate over 200/second } add @blocklist { ip saddr } counter
    }
    chain forward { }
    chain input {
        tcp dport vmap { 8000 : jump portainer, 9443 : jump portainer }
        tcp dport vmap { 80 : jump http }
    }
    chain portainer { }    # stub added so the ruleset loads; not in the original report
}
I want to count packets whose rate per source IP and destination port exceeds
200 packets per second; basically, I will do this only for HTTP (chain below),
but it's not working.
1. ip saddr 191.185.17.156 counter packets 100 bytes 4920
2. ip saddr 191.185.17.156 meter http size 65535 { ip saddr . tcp dport limit rate over 200/second } add @blocklist { ip saddr } counter packets 73 bytes 3576
How is it possible to have only 100 registered packets in 1.) and 73 registered
packets in 2.)? Since 100 is less than 200, the counter in 2.) should be at
zero, as no packet exceeded the rate of 200 packets per second per saddr:dport.
-----------------------
Linux instance-20230908-1140 6.5.2-1.el9.elrepo.aarch64 #1 SMP PREEMPT_DYNAMIC
Wed Sep 6 16:59:42 CDT 2023 aarch64 aarch64 aarch64 GNU/Linux
Static hostname: instance-20230908-1140
Icon name: computer-vm
Chassis: vm </pre>
</div>
</p>
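<p>The <code>limit rate over</code> inside the meter above is a token bucket, and under <code>over</code> a packet matches when the bucket cannot pay for it, so how many of 100 packets match depends on how closely together they arrive, not only on the per-second average. The following is an added example written for this page; it is not code from the report or from the nftables project. It models the kernel limit as a nanosecond-credit token bucket, assumes (as labelled in the comments) that nft's packet-based <code>limit rate</code> defaults to a burst of 5 packets when none is given, and uses constructed arrival times, addresses and ports.</p>

```python
"""Token-bucket model of the nftables expression
`meter { ip saddr . tcp dport limit rate over 200/second } add @blocklist { ip saddr }`.

Added example for this bug report, not code from the report or from nftables.
Assumptions: the kernel limit is modelled as a bucket holding credit in
nanoseconds, refilled at wall-clock speed and capped at `burst` packets'
worth of credit; nft's packet-based `limit rate` is assumed to default to
burst 5 when no burst is given. Under `over`, a packet matches when the
bucket cannot pay for it.
"""

NS_PER_SEC = 1_000_000_000


class RateOver:
    """One meter entry: `limit rate over <rate>/second burst <burst> packets`."""

    def __init__(self, rate_per_sec: int, burst: int = 5):
        self.cost = NS_PER_SEC // rate_per_sec  # ns of credit one packet costs
        self.capacity = self.cost * burst       # cap = `burst` packets of credit
        self.credit = self.capacity             # bucket starts full
        self.last_ns = 0

    def over(self, now_ns: int) -> bool:
        """True when the packet at `now_ns` exceeds the rate (no credit left)."""
        elapsed = max(0, now_ns - self.last_ns)
        self.credit = min(self.capacity, self.credit + elapsed)  # refill
        self.last_ns = now_ns
        if self.credit >= self.cost:
            self.credit -= self.cost  # within rate: pay for the packet
            return False
        return True                   # over rate: matches, nothing consumed


class Meter:
    """Per-flow entries keyed on (saddr, dport), plus the side effects of the rule."""

    def __init__(self, rate_per_sec: int = 200, burst: int = 5):
        self.rate, self.burst = rate_per_sec, burst
        self.entries = {}
        self.counter = 0        # the `counter` after the meter: matched packets
        self.blocklist = set()  # `add @blocklist { ip saddr }`

    def packet(self, ts_ns: int, saddr: str, dport: int) -> bool:
        key = (saddr, dport)
        entry = self.entries.setdefault(key, RateOver(self.rate, self.burst))
        if entry.over(ts_ns):
            self.counter += 1
            self.blocklist.add(saddr)
            return True
        return False


def evenly_spaced(n: int, span_ns: int) -> list:
    """n arrival times spread evenly over span_ns nanoseconds (constructed input)."""
    return [i * span_ns // n for i in range(n)]


def run(arrivals_ns, saddr="191.185.17.156", dport=80, rate=200, burst=5) -> int:
    """Feed one flow through the meter; return how many packets matched `over`."""
    meter = Meter(rate, burst)
    for ts in arrivals_ns:
        meter.packet(ts, saddr, dport)
    return meter.counter


if __name__ == "__main__":
    # 100 packets spread over a full second: 100 pps, never over 200 pps.
    print("100 pkts over 1 s   ->", run(evenly_spaced(100, NS_PER_SEC)), "matched")
    # The same 100 packets compressed into 100 ms: 1000 pps while they last.
    print("100 pkts over 0.1 s ->", run(evenly_spaced(100, NS_PER_SEC // 10)), "matched")
    # A larger burst absorbs more of the spike before `over` starts matching.
    print("same, burst 50      ->", run(evenly_spaced(100, NS_PER_SEC // 10), burst=50), "matched")
```

<p>With the assumed burst of 5, a 100-packet spike arriving within 100 ms matches on most of its packets even though the one-second average is only 100 pps, so a meter counter well below the nominal rate is consistent with this model; the <code>burst</code> keyword on <code>limit rate</code> is the knob that decides how large a spike is tolerated before <code>over</code> fires.</p>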
</body>
</html>