nft: migrate man page examples with `meter` directive to sets

this updates the two examples in the man page that use the obsolete `meter` to
use sets. I also fixed a bit of formatting for the conntrack expressions.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index e6f108b1db523f66b16967a22f6351f8b93a44d3..93d4d22f59f52f2b8059db2f6a7e7f63c599320a 100644 (file)
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -642,6 +642,8 @@ zone id is tied to the given direction. +
 *ct* {*original* | *reply*} {*proto-src* | *proto-dst*}
 *ct* {*original* | *reply*} {*ip* | *ip6*} {*saddr* | *daddr*}
 
+The conntrack-specific types in this table are described in the sub-section CONNTRACK TYPES above.
+
 .Conntrack expressions
 [options="header"]
 |==================
@@ -698,15 +700,15 @@ integer (64 bit)
 conntrack zone |
 integer (16 bit)
 |count|
-count number of connections
+number of current connections|
 integer (32 bit)
 |id|
-Connection id
-ct_id
+Connection id|
+ct_id|
 |==========================================
-A description of conntrack-specific types listed above can be found sub-section CONNTRACK TYPES above.
 
 .restrict the number of parallel connections to a server
 --------------------
-filter input tcp dport 22 meter test { ip saddr ct count over 2 } reject
+nft add set filter ssh_flood '{ type ipv4_addr; flags dynamic; }'
+nft add rule filter input tcp dport 22 add @ssh_flood '{ ip saddr ct count over 2 }' reject
 --------------------

diff --git a/doc/statements.txt b/doc/statements.txt
index 9155f2862ccd44e7be46b875ca0121bd4148d7d5..beebba1611a84381742e322501b1f19b8d6d9db5 100644 (file)
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -704,8 +704,17 @@ blacklists.
 
 .Example for simple blacklist
 -----------------------------
-# declare a set, bound to table "filter", in family "ip". Timeout and size are mandatory because we will add elements from packet path.
-nft add set ip filter blackhole "{ type ipv4_addr; flags timeout; size 65536; }"
+# declare a set, bound to table "filter", in family "ip".
+# Timeout and size are mandatory because we will add elements from packet path.
+# Entries will timeout after one minute, after which they might be
+# re-added if limit condition persists.
+nft add set ip filter blackhole \
+    "{ type ipv4_addr; flags dynamic; timeout 1m; size 65536; }"
+
+# declare a set to store the limit per saddr.
+# This must be separate from blackhole since the timeout is different
+nft add set ip filter flood \
+    "{ type ipv4_addr; flags dynamic; timeout 10s; size 128000; }"
 
 # whitelist internal interface.
 nft add rule ip filter input meta iifname "internal" accept
@@ -713,17 +722,17 @@ nft add rule ip filter input meta iifname "internal" accept
 # drop packets coming from blacklisted ip addresses.
 nft add rule ip filter input ip saddr @blackhole counter drop
 
-# add source ip addresses to the blacklist if more than 10 tcp connection requests occurred per second and ip address.
-# entries will timeout after one minute, after which they might be re-added if limit condition persists.
-nft add rule ip filter input tcp flags syn tcp dport ssh meter flood size 128000 { ip saddr timeout 10s limit rate over 10/second} add @blackhole { ip saddr timeout 1m } drop
+# add source ip addresses to the blacklist if more than 10 tcp connection
+# requests occurred per second and ip address.
+nft add rule ip filter input tcp flags syn tcp dport ssh \
+    add @flood { ip saddr limit rate over 10/second } \
+    add @blackhole { ip saddr } drop
 
-# inspect state of the rate limit meter:
-nft list meter ip filter flood
-
-# inspect content of blackhole:
+# inspect state of the sets.
+nft list set ip filter flood
 nft list set ip filter blackhole
 
-# manually add two addresses to the set:
+# manually add two addresses to the blackhole.
 nft add element filter blackhole { 10.2.3.4, 10.23.1.42 }
 -----------------------------------------------