Nftables: Allow max 10 new connections per second to ports 80, 443 from any one client IP-address
by scporse from LinuxQuestions.org on (#5MBX6)
I'm trying to set up Nftables to allow max 10 new connections per second to ports 80, 443 from any one client IP-address.
My environment:
Distro: Debian 10
Linux kernel: 4.19.0-16-amd64
Nftables version: 0.9.0
So, for nftables.conf, I've first defined a set to store the IP addresses of all HTTP clients:
table inet filter {
set http_clients {
type ipv4_addr
flags timeout
size 65536
}
Then, in my input chain, I have this rule, which causes nftables to fail in reloading:
Code:
chain input {
# Drop everything incoming unless explicitly allowed below
type filter hook input priority 0; policy drop;
ct state new tcp dport { 80, 443 } add @http_meter { ip saddr timeout 60s limit rate 10/second } accept comment "Allow no more than 10 http connections per client, per second"
<additional rules here...>
Besides the above rule, I've tried some variations posted on different forums, but nothing seems to work, and no matter what I try I get this same error when restarting nftables to apply the altered nftables.conf file:
Code:
nft[29888]: /etc/nftables.conf:27:79-83: Error: syntax error, unexpected limit, expecting colon or '}'
nft[29888]: ct state new tcp dport { 80, 443 } add @http_meter { ip saddr timeout 60s limit rate 10/second } accept comment "Allow no more than 10 http connections per client, per second"
nft[29888]: ^^^^^
systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: nftables.service: Failed with result 'exit-code'.
systemd[1]: Failed to start nftables.
What am I doing wrong?
FYI, if I remove the "limit rate 10/second" part from the rule, then things work OK: I can successfully restart nftables, and IP addresses are shown when doing "sudo nft list set inet filter http_clients".
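A working per-client rate limit of the kind asked about above, as an added example that is not part of the original post. It assumes nftables 0.9.x as shipped with Debian 10 and uses the stateful `meter` statement documented in nft(8) for that release, rather than a stateful expression inside `add @set { ... }`. The meter names, the `size` values and the loopback/established rules are my assumptions, not the poster's. Note also that the posted rule refers to `@http_meter` while the posted set is named `http_clients`.

```nft
#!/usr/sbin/nft -f
# Added example, not the poster's config. Assumes nftables 0.9.x (Debian 10)
# and the "meter" syntax from nft(8); meter names and sizes are made up.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Assumed housekeeping rules: loopback, replies to accepted
        # connections, and conntrack garbage.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # One limit bucket per source address for new HTTP/HTTPS connections.
        # The entry expires 60s after the last matching packet. "limit rate
        # 10/second" matches while the address stays within the rate (nft adds
        # a default burst on top; use "burst N packets" to pin it down), so
        # conforming clients are accepted and anything above the rate falls
        # through to the chain policy and is dropped.
        ct state new tcp dport { 80, 443 } meter http_meter_v4 size 65536 { ip saddr timeout 60s limit rate 10/second } accept comment "max 10 new HTTP conns/s per IPv4 client"

        # "ip saddr" only matches IPv4, even in an inet table. Without this
        # second meter, IPv6 clients on 80/443 would hit the drop policy.
        ct state new tcp dport { 80, 443 } meter http_meter_v6 size 65536 { ip6 saddr timeout 60s limit rate 10/second } accept comment "max 10 new HTTP conns/s per IPv6 client"
    }
}
```

Check the file before touching the running ruleset with `nft -c -f /etc/nftables.conf` (`-c` parses and validates without applying), then load it and watch the per-address entries with `nft list meter inet filter http_meter_v4`. On newer nftables releases the same thing can be written as a dynamic set, `set http_clients { type ipv4_addr; flags dynamic; timeout 60s; size 65536; }` with `ct state new tcp dport { 80, 443 } add @http_clients { ip saddr limit rate over 10/second } drop` followed by an accept rule for the remaining new connections; I have not pinned down the first release whose parser accepts that form, so run `nft -c` on it before relying on it.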