From: Florian Westphal Date: Thu, 9 Apr 2026 11:57:53 +0000 (+0200) Subject: doc: ct count should be restricted via new X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e8f9ff0d6c101cb2db204dbe6edcbdf7c6ff674c;p=thirdparty%2Fnftables.git doc: ct count should be restricted via new Not doing it will affect existing flows, which is likely not wanted. Signed-off-by: Florian Westphal Reviewed-by: Pablo Neira Ayuso --- diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt index 8b538968..817b7a3c 100644 --- a/doc/payload-expression.txt +++ b/doc/payload-expression.txt @@ -934,5 +934,5 @@ ct_id| .restrict the number of parallel connections to a server -------------------- nft add set filter ssh_flood '{ type ipv4_addr; flags dynamic; }' -nft add rule filter input tcp dport 22 add @ssh_flood '{ ip saddr ct count over 2 }' reject +nft add rule filter input ct state new tcp dport 22 add @ssh_flood '{ ip saddr ct count over 2 }' reject --------------------
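Review bot: the corrected rule in this hunk (`ct state new tcp dport 22 add @ssh_flood ...`) is right, but the documentation text around it still gives no reason for the `ct state new` prefix; the only explanation lives in the commit message ("Not doing it will affect existing flows"). Suggest adding one sentence after the listing stating that without `ct state new`, packets of connections that are already established are also evaluated against `ip saddr ct count over 2` and get rejected once the count is exceeded, so the match must be limited to the first packet of a new connection. Minor: the commit subject "ct count should be restricted via new" reads as cut off; "via ct state new" would be clearer.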