search for: avgpkt

...the other direction and connbytes supports matching also only in the other direction If the two views above turn out to be true this leads me to wonder that (unless the conntrack refuses to track packets with bad checksums), could one crash computers matching all incoming packets with the "avgpkt" mode of connbytes simply by sending a SYN packet with bad IP or TCP checksum? I've attached a patch based on hidden's comments on irc, it simply checks against packets == 0 and in case it is, the average packet size is set to 0 instead of performing the division (by zero). The val...

...This is useful to restore quota between reboots. * Add ct average matching, to match average bytes per packet a connection has transferred so far, to map the existing feature available in the iptables connbytes match. eg. match average pkt in both directions: # nft add rule x y ct avgpkt gt 100 eg. match avgpkt in original direction: # nft add rule x y ct original avgpkt gt 200 * Allow to flush maps and flow tables, eg. # nft flush map filter map1 # nft flush flow table filter ft-https * Allow to embed set definition into an existing set, eg. # nft -f ru...