...
Description of problem:
Adding the following rule:

nft add rule inet firewalld filter_IN_public_log ip saddr 192.168.1.131/24 tcp dport 22 ct state { new, untracked } log prefix "IN_BOUND_XXXX " level info limit rate 2/day

does not rate limit. It prints a message for each connection attempt from 192.168.1.131.

[ 7223.110316] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37226 DF PROTO=TCP SPT=57824 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7223.110326] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37226 DF PROTO=TCP SPT=57824 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7223.110330] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37226 DF PROTO=TCP SPT=57824 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7304.356952] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63891 DF PROTO=TCP SPT=60686 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7304.356963] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63891 DF PROTO=TCP SPT=60686 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7304.356967] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63891 DF PROTO=TCP SPT=60686 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7310.735974] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15199 DF PROTO=TCP SPT=60702 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7310.735986] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15199 DF PROTO=TCP SPT=60702 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7310.735990] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15199 DF PROTO=TCP SPT=60702 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

Version-Release number of selected component (if applicable):
RHEL8 releases
4.18.0-372.9.1.el8.x86_64
nftables-0.9.3-25.el8.x86_64
libnftnl-1.1.5-5.el8.x86_64

How reproducible:
Always, as above.

Actual results:
No rate limit on nftables log messages.

Expected results:
Rate-limited nftables log messages.
Done
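Added example, not part of the bug report and not nftables' own code. nft evaluates a rule's statements left to right, so in the rule as posted the `log` statement runs before `limit rate 2/day` ever gets a say and every matching packet is logged; the limit only takes effect when it precedes `log`. The block below lints a rule for that ordering, rewrites it with `limit rate` in front of `log`, and then measures what the kernel actually emitted by parsing the report's own log lines (copied in as sample data). The `rate_limit_honored` check is an approximation of nft's token bucket and assumes the default burst of 5 packets; adjust `burst` if your ruleset sets one explicitly.

```python
"""Check nft log/limit statement order and measure what the kernel logged."""
import re
from collections import Counter

# Rule body as posted in the report: log comes before limit.
REPORTED_RULE = ('ip saddr 192.168.1.131/24 tcp dport 22 ct state { new, untracked } '
                 'log prefix "IN_BOUND_XXXX " level info limit rate 2/day')

LIMIT_RE = re.compile(r'\blimit\s+rate\s+(?:over\s+)?\d+/\w+(?:\s+burst\s+\d+\s+\w+)?')
LOG_RE = re.compile(r'\blog\b')


def _mask_quotes(rule: str) -> str:
    """Replace quoted prefix text with x's of equal length, so positions found
    on the masked copy are valid on the original and a prefix containing the
    word 'log' cannot confuse the search."""
    return re.sub(r'"[^"]*"', lambda m: '"' + 'x' * (len(m.group(0)) - 2) + '"', rule)


def limit_precedes_log(rule: str) -> bool:
    """True if the rule has no log statement or its limit statement comes
    before the log statement; False if the log statement runs unlimited."""
    masked = _mask_quotes(rule)
    log = LOG_RE.search(masked)
    if log is None:
        return True
    limit = LIMIT_RE.search(masked)
    return limit is not None and limit.start() < log.start()


def reorder_limit_before_log(rule: str) -> str:
    """Move the limit statement in front of the log statement, leaving the
    rest of the rule text (including the quoted prefix) untouched."""
    if limit_precedes_log(rule):
        return rule
    masked = _mask_quotes(rule)
    limit = LIMIT_RE.search(masked)
    log = LOG_RE.search(masked)
    if limit is None:
        raise ValueError('rule logs but has no limit statement: ' + rule)
    limit_text = rule[limit.start():limit.end()]
    head = rule[:limit.start()].rstrip()
    tail = rule[limit.end():].lstrip()
    without_limit = (head + ' ' + tail).rstrip()
    # log sits before limit, so removing the limit text does not move it
    return without_limit[:log.start()] + limit_text + ' ' + without_limit[log.start():]


# Kernel log line as printed by nft's log statement (prefix, then IN=...).
KLOG_RE = re.compile(
    r'\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<prefix>.*?)IN=\S*.*?\bSRC=(?P<src>\S+)'
    r'.*?\bID=(?P<id>\d+).*?\bSPT=(?P<spt>\d+)')

# Sample data constructed from the lines in the report: three SYNs from
# 192.168.1.131, each one logged three times.
_LINE = ('[ {ts}] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 '
         'SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID={id} DF '
         'PROTO=TCP SPT={spt} DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0')
SAMPLE_KLOG = [_LINE.format(ts=ts, id=i, spt=p) for i, p, tss in [
    (37226, 57824, ('7223.110316', '7223.110326', '7223.110330')),
    (63891, 60686, ('7304.356952', '7304.356963', '7304.356967')),
    (15199, 60702, ('7310.735974', '7310.735986', '7310.735990')),
] for ts in tss]


def parse_klog(lines):
    """Yield (timestamp, prefix, src, ip_id, sport) for each nft log line."""
    for line in lines:
        m = KLOG_RE.search(line)
        if m:
            yield float(m['ts']), m['prefix'], m['src'], int(m['id']), int(m['spt'])


def log_lines_per_packet(lines) -> Counter:
    """How many log lines each packet (src, IP ID, source port) produced;
    anything above 1 means the same packet was logged more than once."""
    return Counter((src, ip_id, spt) for _, _, src, ip_id, spt in parse_klog(lines))


def max_lines_in_window(lines, window_s: float) -> int:
    """Largest number of log lines whose timestamps lie within window_s
    seconds of each other (sliding window over sorted timestamps)."""
    ts = sorted(t for t, *_ in parse_klog(lines))
    best, start = 0, 0
    for end, t in enumerate(ts):
        while t - ts[start] > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def rate_limit_honored(lines, rate: int, per_seconds: float, burst: int = 5) -> bool:
    """Approximate token-bucket check: within one rate period the kernel may
    emit at most `rate` plus the burst allowance (assumed nft default of 5)."""
    return max_lines_in_window(lines, per_seconds) <= rate + burst


if __name__ == '__main__':
    print('limit before log:', limit_precedes_log(REPORTED_RULE))
    print('reordered rule:  ', reorder_limit_before_log(REPORTED_RULE))
    print('lines per packet:', dict(log_lines_per_packet(SAMPLE_KLOG)))
    print('2/day honored:   ', rate_limit_honored(SAMPLE_KLOG, 2, 86400))
```

Run it against your own `nft list ruleset` rule bodies and a `dmesg` capture; a rule that fails `limit_precedes_log` will show up in the log counts exactly as in the report, with every SYN logged regardless of the configured rate.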