From: Devin Bayer <dev@doubly.so>
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org
Subject: [PATCH] nft: migrate man page examples with `meter` directive to sets
Date: Thu, 1 Oct 2020 11:30:27 +0200
Message-ID: <b35b744f-a29c-d76b-6969-8cf6371c2a1a@doubly.so>

Hello,

this updates the two examples in the man page that use the obsolete 
`meter` to use sets. I also fixed a bit of formatting for the conntrack 
expressions.

Thanks,
Devin

---
  doc/payload-expression.txt | 12 +++++++-----
  doc/statements.txt         | 29 +++++++++++++++++++----------
  2 files changed, 26 insertions(+), 15 deletions(-)

diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index e6f108b1..e2beb8be 100644
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -642,6 +642,8 @@ zone id is tied to the given direction. +
  *ct* {*original* | *reply*} {*proto-src* | *proto-dst*}
  *ct* {*original* | *reply*} {*ip* | *ip6*} {*saddr* | *daddr*}

+The conntrack-specific types in this table are described in the 
sub-section CONNTRACK TYPES above.
+
  .Conntrack expressions
  [options="header"]
  |==================
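Review bot: the relocated cross-reference still says "described in the sub-section CONNTRACK TYPES above", which only holds if that sub-section precedes this table in the file; it does replace the sentence dropped in the next hunk (which also said "above" and was missing the word "in" before "sub-section"), so the wording is now both consistent and grammatical. Since the line is a plain sentence, consider keeping it on a single line without a trailing space so asciidoc does not render a stray gap before "sub-section".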
@@ -698,15 +700,15 @@ integer (64 bit)
  conntrack zone |
  integer (16 bit)
  |count|
-count number of connections
+number of current connections|
  integer (32 bit)
  |id|
-Connection id
-ct_id
+Connection id|
+ct_id|
  |==========================================
-A description of conntrack-specific types listed above can be found 
sub-section CONNTRACK TYPES above.

  .restrict the number of parallel connections to a server
  --------------------
-filter input tcp dport 22 meter test { ip saddr ct count over 2 } reject
+nft add set filter ssh_flood '{ type ipv4_addr; flags dynamic; }'
+nft filter input tcp dport 22 add @ssh_flood '{ ip saddr ct count over 
2 }' reject
  --------------------
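Review bot: the second command in the replacement example, `nft filter input tcp dport 22 add @ssh_flood ...`, is missing the `add rule` verb, so it is not a runnable nft command as written; the old line had no `nft` prefix at all and read as a rule body, and prefixing `nft` without `add rule` gives neither form. Suggest either dropping the `nft` prefix to keep the rule-body style, or writing both lines out in full with an explicit family, e.g. `nft add set ip filter ssh_flood '{ type ipv4_addr; flags dynamic; }'` and `nft add rule ip filter input tcp dport 22 add @ssh_flood '{ ip saddr ct count over 2 }' reject`. Note also that this set declaration carries no `size`, while the statements.txt example in the same patch keeps the comment that size is mandatory for sets populated from the packet path; the two examples should agree on that point.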
diff --git a/doc/statements.txt b/doc/statements.txt
index 9155f286..9cbae019 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -704,8 +704,17 @@ blacklists.

  .Example for simple blacklist
  -----------------------------
-# declare a set, bound to table "filter", in family "ip". Timeout and 
size are mandatory because we will add elements from packet path.
-nft add set ip filter blackhole "{ type ipv4_addr; flags timeout; size 
65536; }"
+# declare a set, bound to table "filter", in family "ip".
+# Timeout and size are mandatory because we will add elements from 
packet path.
+# Entries will timeout after one minute, after which they might be
+# re-added if limit condition persists.
+nft add set ip filter blackhole \
+    "{ type ipv4_addr; timeout 1m; size 65536 }"
+
+# declare a set to store the limit per saddr.
+# This must be separate from blackhole since the timeout is different
+nft add set ip filter flood \
+    "{ type ipv4_addr; flags dynamic; timeout 10s; size 128000 }"

  # whitelist internal interface.
  nft add rule ip filter input meta iifname "internal" accept
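Review bot: the new `blackhole` declaration drops `flags timeout` and instead sets a set-wide `timeout 1m`; that is fine since a set-level timeout implies the timeout flag, and because the rule later in the file adds elements with a plain `add @blackhole { ip saddr }`, the two comment lines explaining the one-minute expiry and possible re-adding belong here. The comment "This must be separate from blackhole since the timeout is different" could also mention that `flood` needs `flags dynamic` (and a timeout) because it hosts the per-element `limit` expression, which is exactly what lets it replace the old `meter`. Minor wording: "Entries will timeout" should be "Entries will time out", and "from packet path" reads better as "from the packet path".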
@@ -713,17 +722,17 @@ nft add rule ip filter input meta iifname 
"internal" accept
  # drop packets coming from blacklisted ip addresses.
  nft add rule ip filter input ip saddr @blackhole counter drop

-# add source ip addresses to the blacklist if more than 10 tcp 
connection requests occurred per second and ip address.
-# entries will timeout after one minute, after which they might be 
re-added if limit condition persists.
-nft add rule ip filter input tcp flags syn tcp dport ssh meter flood 
size 128000 { ip saddr timeout 10s limit rate over 10/second} add 
@blackhole { ip saddr timeout 1m } drop
+# add source ip addresses to the blacklist if more than 10 tcp connection
+# requests occurred per second and ip address.
+nft add rule ip filter input tcp flags syn tcp dport ssh \
+    add @flood { ip saddr limit rate over 10/second } \
+    add @blackhole { ip saddr } drop

-# inspect state of the rate limit meter:
-nft list meter ip filter flood
-
-# inspect content of blackhole:
+# inspect state of the sets.
+nft list set ip filter flood
  nft list set ip filter blackhole

-# manually add two addresses to the set:
+# manually add two addresses to the blackhole.
  nft add element filter blackhole { 10.2.3.4, 10.23.1.42 }
  -----------------------------------------------
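Review bot: the rewritten rule drops the per-element `timeout 1m` that the old `add @blackhole { ip saddr timeout 1m }` carried and relies on the set default declared earlier; that is the correct migration, but a short comment here (e.g. "# entries expire after the blackhole set's 1m timeout") would keep the example self-explanatory when read on its own. The `add @flood { ip saddr limit rate over 10/second }` line preserves the old meter's behaviour, since the rule only continues to `add @blackhole` when the limit is exceeded. Two consistency nits on the surrounding context lines: `nft add element filter blackhole { 10.2.3.4, 10.23.1.42 }` omits the `ip` family used everywhere else in the example, and its braces are unquoted while the set declarations above quote them against the shell.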

--
2.25.1
