[Bug 1267] New: unable to use limit with counter in meters

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Mon Jul 2 14:03:14 CEST 2018


https://bugzilla.netfilter.org/show_bug.cgi?id=1267

            Bug ID: 1267
           Summary: unable to use limit with counter in meters
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Gentoo
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: karel at unitednetworks.cz

It looks like nft doesn't allow counter after limit inside of meter.

counter after limit:
--------------------

localhost ~ # nft add rule filter INPUT icmp type echo-request meter
icmp-spammer { ip saddr limit rate over 10/second burst 30 packets counter}
counter drop
Error: syntax error, unexpected counter, expecting '}'
add rule filter INPUT icmp type echo-request meter icmp-spammer { ip saddr
limit rate over 10/second burst 30 packets counter} counter drop


counter before limit (just for test):
-------------------------------------

localhost ~ # nft add rule
filter INPUT icmp type echo-request meter icmp-spammer { ip saddr counter limit
rate over 10/second burst 30 packets} counter drop
Error: syntax error, unexpected limit, expecting '}'
add rule filter INPUT icmp type echo-request meter icmp-spammer { ip saddr
counter limit rate over 10/second burst 30 packets} counter drop


without counter adding rule works:
----------------------------------

localhost ~ # nft add rule filter INPUT icmp type echo-request meter
icmp-spammer { ip saddr limit rate over 10/second burst 30 packets} counter
drop


Without limit counter in meter works, e.g.:
-------------------------------------------

localhost ~ # nft add rule filter INPUT icmp type echo-request meter icmp-meter
{ ip saddr counter }   



Expected behaviour: counter after limit inside meter should count packets/bytes
which got through limit (which are under limit, or when using "over" keyword
which are over limit).

-- 
You are receiving this mail because:
You are watching all bug changes.
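
The expected behaviour requested in the report above, as a simplified Python model of a per-source meter whose counter runs only when `limit rate over 10/second burst 30 packets` matches. This is an added example, not part of the original report and not nftables code; the integer credit scheme, the constructed sample traffic and all names are assumptions.

```python
# Simplified model (an assumption, not nftables code) of the requested rule:
#   meter icmp-spammer { ip saddr limit rate over 10/second burst 30 packets counter }
RATE_PER_SEC = 10          # from the rule in the report
BURST_PACKETS = 30         # from the rule in the report
COST = 1000                # integer credits charged per packet
MAX_CREDITS = BURST_PACKETS * COST

class Element:
    """State kept per meter key (ip saddr): token bucket plus a counter."""
    def __init__(self, now_ms):
        self.credits = MAX_CREDITS
        self.last_ms = now_ms
        self.packets = 0
        self.bytes = 0

def over_limit(elem, now_ms):
    """True when the packet exceeds the rate, i.e. 'limit rate over' matches."""
    # RATE_PER_SEC credits per millisecond == RATE_PER_SEC packets per second.
    refill = (now_ms - elem.last_ms) * RATE_PER_SEC
    elem.credits = min(MAX_CREDITS, elem.credits + refill)
    elem.last_ms = now_ms
    if elem.credits >= COST:
        elem.credits -= COST
        return False
    return True

def run_meter(packets):
    """packets: iterable of (timestamp_ms, saddr, length_bytes)."""
    meter = {}
    for now_ms, saddr, length in packets:
        elem = meter.setdefault(saddr, Element(now_ms))
        if over_limit(elem, now_ms):   # limit statement matched ...
            elem.packets += 1          # ... so the counter after it runs
            elem.bytes += length
    return {saddr: (e.packets, e.bytes) for saddr, e in meter.items()}

# Constructed traffic: one source floods at 100 pps for 1 s, one sends 5 pps for 2 s.
SAMPLE = [(t, "192.0.2.10", 84) for t in range(0, 1000, 10)] + \
         [(t, "192.0.2.20", 84) for t in range(0, 2000, 200)]

if __name__ == "__main__":
    for saddr, (pkts, nbytes) in sorted(run_meter(SAMPLE).items()):
        print(f"{saddr}: over-limit packets={pkts} bytes={nbytes}")
```

With the counter inside the meter, each source address gets its own over-limit packet and byte totals, which the rule-level `counter drop` after the meter cannot provide.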