bugzilla-daemon at netfilter.org
2023-Sep-14 00:03 UTC
[Bug 1703] New: Nftables does not work as expected to block with meter
https://bugzilla.netfilter.org/show_bug.cgi?id=1703

            Bug ID: 1703
           Summary: Nftables does not work as expected to block with meter
           Product: nftables
           Version: 1.0.x
          Hardware: arm
                OS: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables-nft
          Assignee: pablo at netfilter.org
          Reporter: lpsribeiro at sga.pucminas.br

I posted it in question format on the websites below because I suspected it was some bad configuration, but after reviewing the command, I believe it could be a bug:

https://unix.stackexchange.com/questions/756437/nftables-does-not-work-as-expected-to-block-with-meter
https://serverfault.com/questions/1143636/nftables-does-not-work-as-expected-to-block-with-meter

table netdev filter {
    set whitelist {
        type ipv4_addr
        elements = { 186.248.79.100 }
    }

    set blocklist {
        type ipv4_addr
        size 65535
        flags dynamic,timeout
        timeout 30s
    }

    chain ingress {
        type filter hook ingress device "eth0" priority -450; policy accept;
        ip saddr @whitelist accept
        ip daddr 10.0.0.192 jump input
        ip daddr != 10.0.0.192 jump forward
    }

    chain http {
        ip saddr 191.185.17.156 counter meter http size 65535 { ip saddr . tcp dport limit rate over 200/second } add @blocklist { ip saddr } counter
    }

    chain forward {
    }

    chain input {
        tcp dport vmap { 8000 : jump portainer, 9443 : jump portainer }
        tcp dport vmap { 80 : jump http }
    }
}

I want to count packets whose transfer rate from the Source IP and Destination Port exceeds 200 packets per second. Basically, I will do this only for http (chain below), but it's not working.

1. ip saddr 191.185.17.156 counter packets 100 bytes 4920
2. ip saddr 191.185.17.156 meter http size 65535 { ip saddr . tcp dport limit rate over 200/second } add @blocklist { ip saddr } counter packets 73 bytes 3576

How is it possible to have only 100 registered packets in 1.) and 73 registered packets in 2.), where 100 is less than 200? Therefore the counter of 2. should be at zero, as no packet exceeded the rate of 200 packets per second in saddr:dport.
-----------------------
Linux instance-20230908-1140 6.5.2-1.el9.elrepo.aarch64 #1 SMP PREEMPT_DYNAMIC Wed Sep 6 16:59:42 CDT 2023 aarch64 aarch64 aarch64 GNU/Linux
  Static hostname: instance-20230908-1140
        Icon name: computer-vm
          Chassis: vm

--
You are receiving this mail because:
You are watching all bug changes.
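A worked illustration of the rate-versus-count distinction this report turns on, added here and not part of the bug thread or of nftables' own code: a simplified token-bucket model of a "limit rate over" meter keyed on saddr . dport, replayed over constructed traffic. The default burst of 5 packets and the millisecond-granularity, integer-scaled accounting are assumptions of the model, not the kernel's exact nft_limit arithmetic.

```python
# Added illustration: simplified token-bucket model of an nftables
# "meter ... { ip saddr . tcp dport limit rate over N/second }" rule.
# Assumptions (not the kernel's exact nft_limit arithmetic): default
# burst of 5 packets, integer millisecond timestamps, tokens scaled x1000.


def synth_packets(count, spacing_ms, saddr="191.185.17.156", dport=80):
    """Constructed sample traffic: `count` packets, one every `spacing_ms`."""
    return [(i * spacing_ms, saddr, dport) for i in range(count)]


def meter_limit_over(packets, rate_per_sec, burst=5):
    """Replay packets through a per-(saddr, dport) token bucket.

    Returns (total, over, blocked): total is what a plain `counter`
    would show, over is how many packets matched `limit rate over`,
    blocked is the set of source addresses `add @blocklist` would add.
    """
    cap = burst * 1000            # bucket capacity in milli-tokens
    buckets = {}                  # (saddr, dport) -> (tokens, last_ms)
    total = over = 0
    blocked = set()
    for ts_ms, saddr, dport in packets:
        key = (saddr, dport)
        tokens, last_ms = buckets.get(key, (cap, ts_ms))
        # Refill at rate_per_sec tokens per 1000 ms, capped at the burst.
        tokens = min(cap, tokens + (ts_ms - last_ms) * rate_per_sec)
        if tokens >= 1000:
            tokens -= 1000        # within the rate: consume one token
        else:
            over += 1             # rate exceeded: the "over" branch matches
            blocked.add(saddr)
        buckets[key] = (tokens, ts_ms)
        total += 1
    return total, over, blocked


if __name__ == "__main__":
    # 100 packets in 100 ms: the rule says 200/second, but the momentary
    # rate is 1000/second, so most packets match "over" even though the
    # plain counter never reaches 200.
    print(meter_limit_over(synth_packets(100, 1), 200))   # -> (100, 76, {'191.185.17.156'})
    # The same 100 packets spread over one second never exceed the rate.
    print(meter_limit_over(synth_packets(100, 10), 200))  # -> (100, 0, set())
```

The plain counter reports cumulative packets, while the meter judges each packet against the instantaneous rate for its saddr/dport key, so a short burst of far fewer than 200 packets can still land in the blocklist.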
bugzilla-daemon at netfilter.org
2023-Sep-14 00:06 UTC
[Bug 1703] Nftables does not work as expected to block with meter
https://bugzilla.netfilter.org/show_bug.cgi?id=1703

lpsribeiro at sga.pucminas.br changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lpsribeiro at sga.pucminas.br