* nftables rate limit logging and then drop
@ 2015-12-02 22:43 Robert Sander
From: Robert Sander @ 2015-12-02 22:43 UTC (permalink / raw)
  To: netfilter


Hi,

How do I implement something like this in nftables:

iptables -A INPUT -m conntrack --ctstate INVALID -m limit --limit 3/m --limit-burst 5 -j LOG --log-level debug --log-prefix "INVALID DROP: "
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Kindest Regards
-- 
Robert Sander
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-43
Fax: 030 / 405051-19

Mandatory disclosures per §35a GmbHG:
HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Managing Director: Peer Heinlein -- Registered office: Berlin




* Re: nftables rate limit logging and then drop
@ 2015-12-09 21:44 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2015-12-09 21:44 UTC (permalink / raw)
  To: Robert Sander; +Cc: netfilter, Shivani Bhardwaj

On Wed, Dec 02, 2015 at 11:43:01PM +0100, Robert Sander wrote:
> Hi,
> 
> How do I implement something like this in nftables:
> 
> iptables -A INPUT -m conntrack --ctstate INVALID -m limit --limit 3/m --limit-burst 5 -j LOG --log-level debug --log-prefix "INVALID DROP: "
> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

The translation is:

nft add rule filter input ct state invalid \
        limit rate 3/minute burst 5 packets \
        log level debug prefix \"INVALID DROP: \" counter
nft add rule filter input ct state invalid counter drop

Note that rule counters are optional in nftables, unlike iptables,
where we always have them on.

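As an added example that is not part of the thread: the same two rules written in `nft -f` ruleset form, plus a check that the log rule is listed before the drop rule. The ordering is the security-relevant detail in Pablo's translation: `drop` is terminal, while `limit`, `log` and `counter` are not, and `limit` gates the entire rule it sits in, so "log a few, drop all" cannot be collapsed into one rule. The `inet` family, the table/chain names and the helper functions are my assumptions, not anything from the thread; the `\"` in the `nft add rule` one-liners above are shell escaping and are not needed inside a ruleset file.

```shell
#!/bin/sh
# Added example (not from the thread): emit the "rate-limited log, then drop"
# pattern for packets conntrack marks invalid as an nft -f ruleset, check the
# rule order, and optionally dry-run it with `nft -c`.

# Emit the ruleset text. Family, table and chain names are assumptions.
gen_invalid_ruleset() {
    table_name="${1:-filter}"
    cat <<EOF
table inet ${table_name} {
    chain input {
        type filter hook input priority 0; policy accept;

        # Log at most 3 invalid packets per minute (burst 5). "limit" gates
        # this whole rule, so once the rate is exceeded the rule simply does
        # not match and the packet falls through to the next rule.
        ct state invalid limit rate 3/minute burst 5 packets log level debug prefix "INVALID DROP: " counter

        # Unconditional drop of everything conntrack flagged invalid.
        # Must come after the log rule: drop is terminal, log is not.
        ct state invalid counter drop
    }
}
EOF
}

# Return 0 if the first log rule appears before the first drop rule in the
# given ruleset text, 1 otherwise (or if either rule is missing).
log_precedes_drop() {
    log_line=$(printf '%s\n' "$1" | grep -n 'ct state invalid limit' | head -n1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$1" | grep -n 'ct state invalid counter drop' | head -n1 | cut -d: -f1)
    [ -n "$log_line" ] && [ -n "$drop_line" ] && [ "$log_line" -lt "$drop_line" ]
}

# Syntax-check the ruleset without loading it. Returns 2 (not checked) when
# nft is not installed; on some kernels even -c needs CAP_NET_ADMIN, so a
# non-zero result here may be a permission problem rather than bad syntax.
check_with_nft() {
    command -v nft >/dev/null 2>&1 || return 2
    printf '%s\n' "$1" | nft -c -f -
}

# Usage when run directly: print the ruleset and report the order check.
if [ "${0##*/}" = "nft_invalid_example.sh" ]; then
    ruleset=$(gen_invalid_ruleset)
    printf '%s\n' "$ruleset"
    if log_precedes_drop "$ruleset"; then
        echo "order ok: log rule precedes drop rule"
    else
        echo "order BROKEN: drop rule would shadow the log rule" >&2
        exit 1
    fi
    check_with_nft "$ruleset"
fi
```

Load it with `nft -f` once `nft -c -f` is clean; `nft list ruleset` afterwards shows the per-rule counters, which are the easiest way to confirm that the drop rule is seeing packets the rate-limited log rule is not reporting.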
