From: "William N." <netfilter@riseup.net>
To: netfilter@vger.kernel.org
Subject: Re: connlimit from wiki.nftables.org not working
Date: Thu, 11 Apr 2024 16:54:12 -0000
Message-ID: <20240411165412.0f0c65ce@localhost>
In-Reply-To: <f0514bc1-c1dd-4f24-97e5-8c40807dbae9@app.fastmail.com>

On Wed, 10 Apr 2024 22:40:53 +0100 Kerin Millar wrote:
> For the avoidance of doubt, please show the complete ruleset that you
> are attempting to load.
# cat connlimit-example
#!/usr/sbin/nft -f

flush ruleset

table ip filter {
	set my_connlimit {
		type ipv4_addr
		size 65535
		flags dynamic
	}

	chain output {
		type filter hook output priority filter; policy accept;
		ct state new add @my_connlimit { ip saddr ct count over 20 } counter drop
	}
}
# nft flush ruleset
# nft list ruleset
# ./connlimit-example
./connlimit-example:14:16-62: Error: Could not process rule: No such file or directory
		ct state new add @my_connlimit { ip saddr ct count over 20 } counter drop
		             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# nft list ruleset
#
# nft -V
nftables v1.0.6 (Lester Gooch #5)
cli: editline
json: yes
minigmp: no
libxtables: yes
#
> Additionally, compare the output of "uname -r" to the contents of the
> /lib/modules directory. Sometimes, people upgrade their kernels then
> forget to reboot before trying to load a ruleset that requires for
> one or more kernel modules to be newly loaded.
Everything is up-to-date and rebooted (many times).
# lsmod | grep -E '^nf'
nft_flow_offload       16384  0
nf_flow_table_inet     16384  0
nf_flow_table          40960  2 nft_flow_offload,nf_flow_table_inet
nf_conntrack_netlink   57344  0
nft_limit              16384  0
nf_log_syslog          24576  0
nft_log                16384  0
nft_nat                16384  0
nft_reject_ipv6        16384  0
nf_reject_ipv6         20480  1 nft_reject_ipv6
nft_reject_ipv4        16384  0
nf_reject_ipv4         16384  1 nft_reject_ipv4
nft_reject             16384  2 nft_reject_ipv6,nft_reject_ipv4
nft_ct                 20480  0
nft_masq               16384  0
nft_chain_nat          16384  0
nf_nat                 57344  3 nft_nat,nft_masq,nft_chain_nat
nf_conntrack          167936  7 nf_nat,nft_flow_offload,nft_ct,nft_nat,nf_conntrack_netlink,nft_masq,nf_flow_table
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
nf_tables             307200  11 nft_reject_ipv6,nft_reject_ipv4,nft_flow_offload,nft_ct,nft_log,nft_nat,nft_masq,nft_chain_nat,nft_limit,nf_flow_table_inet,nft_reject
nfnetlink              20480  2 nf_conntrack_netlink,nf_tables
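The message above does not say why the kernel answers ENOENT, and the replies that follow are not on this page, so what follows is an added diagnostic and not anything posted in the thread. One cause of "No such file or directory" on a rule is an expression whose kernel module is neither loaded nor loadable: "ct count" is implemented by the connlimit expression in the nft_connlimit module, which is absent from the lsmod listing above, while "ct state" is implemented by nft_ct, which is present. The script below maps the expressions in a ruleset to the modules that implement them and, given lsmod output and the kernel's modules.builtin list, prints the ones the host lacks. The sample ruleset and trimmed lsmod listing embedded in it are constructed from the report, and the expression-to-module table covers only the handful of expressions named in its comments; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: report which nft_* kernel modules a
# ruleset needs that the host has neither loaded nor built in.
# Expression -> module mapping follows the mainline tree (net/netfilter/nft_*.c):
#   ct count ...        -> nft_connlimit  (the "connlimit" expression)
#   ct state/status/... -> nft_ct
#   limit rate ...      -> nft_limit
#   log                 -> nft_log
#   reject              -> nft_reject
# Everything else is left to the kernel's own module autoload.

# Print the modules a ruleset (passed as text) needs, one per line, sorted.
nft_required_modules() {
    ruleset="$1"
    {
        printf '%s\n' "$ruleset" | grep -Eq '(^|[^a-z_])ct +count' && echo nft_connlimit
        printf '%s\n' "$ruleset" | grep -Eq '(^|[^a-z_])ct +(state|status|mark|zone|label|helper|direction|expiration)' && echo nft_ct
        printf '%s\n' "$ruleset" | grep -Eq '(^|[^a-z_])limit +rate' && echo nft_limit
        printf '%s\n' "$ruleset" | grep -Eq '(^|[^a-z_])log([^a-z_]|$)' && echo nft_log
        printf '%s\n' "$ruleset" | grep -Eq '(^|[^a-z_])reject([^a-z_]|$)' && echo nft_reject
        true
    } | sort -u
}

# Given lsmod(8) output and the contents of modules.builtin, print the
# required modules that are neither loaded nor built into the kernel.
nft_missing_modules() {
    ruleset="$1"; lsmod_out="$2"; builtin_list="$3"
    for m in $(nft_required_modules "$ruleset"); do
        # loaded: first column of an lsmod line
        printf '%s\n' "$lsmod_out"    | grep -Eq "^$m[[:space:]]" && continue
        # built in: listed as kernel/.../<name>.ko in modules.builtin
        printf '%s\n' "$builtin_list" | grep -Eq "/$m\.ko\$"       && continue
        echo "$m"
    done
}

# Live host check: ruleset file vs. the running kernel's modules.
nft_check_host() {
    nft_missing_modules "$(cat "$1")" "$(lsmod)" \
        "$(cat "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null)"
}

# Constructed sample: the ruleset from the report, and an lsmod listing trimmed
# to the nft lines that matter here (nft_ct loaded, nft_connlimit not).
SAMPLE_RULESET='table ip filter {
	set my_connlimit { type ipv4_addr; size 65535; flags dynamic; }
	chain output {
		type filter hook output priority filter; policy accept;
		ct state new add @my_connlimit { ip saddr ct count over 20 } counter drop
	}
}'
SAMPLE_LSMOD='nft_limit              16384  0
nft_ct                 20480  0
nf_tables             307200  2 nft_ct,nft_limit
nfnetlink              20480  1 nf_tables'
SAMPLE_BUILTIN=''   # constructed: nothing relevant is built in on this host

# Usage: sh check-nft-modules.sh /path/to/ruleset.nft   (live host)
# With no argument, run the check against the constructed sample.
if [ "$#" -eq 1 ] && [ -r "$1" ]; then
    nft_check_host "$1"
else
    echo "sample ruleset needs:   $(nft_required_modules "$SAMPLE_RULESET" | tr '\n' ' ')"
    echo "missing on sample host: $(nft_missing_modules "$SAMPLE_RULESET" "$SAMPLE_LSMOD" "$SAMPLE_BUILTIN")"
fi
```

A module that is in neither lsmod nor modules.builtin may still be loadable, since nf_tables autoloads expression modules on first use, so for each name the script prints, running modinfo on it tells whether a .ko for the running kernel exists at all; if it does not, the kernel was built without that option or the module package is not installed, and no amount of rebooting will make the rule load.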
Thread overview:
2024-04-10 17:23 connlimit from wiki.nftables.org not working William N.
2024-04-10 21:40 ` Kerin Millar
2024-04-11 16:54 ` William N. [this message]
2024-04-11 20:04 ` Kerin Millar
2024-04-12 11:38 ` William N.
2024-04-12 15:48 ` Kerin Millar
2024-04-12 16:36 ` William N.