Bug
Resolution: Done
Normal
Moderate
rhel-net-firewall
ssg_networking
Description of problem:
Adding the following rule:
nft add rule inet firewalld filter_IN_public_log ip saddr 192.168.1.131/24 tcp dport 22 ct state { new, untracked } log prefix "IN_BOUND_XXXX " level info limit rate 2/day
Does not rate limit. It prints a message for each connection attempt from 192.168.1.131.
[ 7223.110316] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37226 DF PROTO=TCP SPT=57824 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7223.110326] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37226 DF PROTO=TCP SPT=57824 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7223.110330] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37226 DF PROTO=TCP SPT=57824 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7304.356952] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63891 DF PROTO=TCP SPT=60686 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7304.356963] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63891 DF PROTO=TCP SPT=60686 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7304.356967] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63891 DF PROTO=TCP SPT=60686 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7310.735974] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15199 DF PROTO=TCP SPT=60702 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7310.735986] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15199 DF PROTO=TCP SPT=60702 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 7310.735990] IN_BOUND_XXXXIN=br0 OUT= MAC=54:e1:ad:17:63:ff:04:7b:cb:5d:d3:b7:08:00 SRC=192.168.1.131 DST=192.168.1.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15199 DF PROTO=TCP SPT=60702 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Version-Release number of selected component (if applicable):
RHEL8 releases
4.18.0-372.9.1.el8.x86_64
nftables-0.9.3-25.el8.x86_64
libnftnl-1.1.5-5.el8.x86_64
How reproducible:
Always as above.
Actual results:
No rate limit nftables log messages
Expected results:
Rate limit nftables log messages
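The behaviour in the report follows from how nftables evaluates a rule: statements run left to right, `log` is unconditional and never stops the rule, and `limit rate` is a match that ends the rule for a packet once its token bucket is empty. With `log ... limit rate 2/day` every packet is logged before the limit is ever consulted; with `limit rate 2/day log ...` only packets that pass the limit reach `log`. The model below is an added illustration, not code from the bug report or from the nftables project: it parses the limit/log/verdict statements out of the rule text, replays constructed SYN arrival times through a simplified token bucket (nft's default of `burst 5 packets` is assumed when no burst is given; the kernel's nft_limit is a nanosecond-based bucket, not this float arithmetic), and rewrites the reporter's rule so the limit precedes the log.

```python
"""Simplified model of nftables statement ordering for `limit rate` and `log`.

Added example, not from the bug report. Match expressions (ip saddr, tcp dport,
ct state) are assumed to match every packet, as they did for the reporter's SYNs.
"""
import re
from dataclasses import dataclass

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}
DEFAULT_BURST_PACKETS = 5  # nft's default burst for packet-based limits (assumption noted above)

LIMIT_RE = re.compile(r"\blimit rate (\d+)/(second|minute|hour|day|week)(?: burst (\d+) packets)?")
LOG_RE = re.compile(r'\blog\b(?: prefix "([^"]*)")?(?: level \w+)?')
VERDICT_RE = re.compile(r"\b(accept|drop|reject)\b")


@dataclass
class TokenBucket:
    """Simplified `limit rate N/unit burst B packets`: bucket starts full, refills at N per unit."""
    rate: int
    unit: str
    burst: int
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst)  # first `burst` packets match immediately

    def matches(self, now):
        refill = (now - self.last) * self.rate / UNIT_SECONDS[self.unit]
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def parse_statements(rule):
    """Return the limit/log/verdict statements of `rule` in the order nft will run them."""
    found = []
    for m in LIMIT_RE.finditer(rule):
        burst = int(m.group(3)) if m.group(3) else DEFAULT_BURST_PACKETS
        found.append((m.start(), "limit", TokenBucket(int(m.group(1)), m.group(2), burst)))
    for m in LOG_RE.finditer(rule):
        found.append((m.start(), "log", m.group(1) or ""))
    for m in VERDICT_RE.finditer(rule):
        found.append((m.start(), "verdict", m.group(1)))
    return [(kind, payload) for _, kind, payload in sorted(found, key=lambda f: f[0])]


def simulate(rule, packet_times):
    """Replay packets arriving at `packet_times` (seconds) and return the times that were logged."""
    statements = parse_statements(rule)
    logged = []
    for now in packet_times:
        for kind, payload in statements:
            if kind == "limit" and not payload.matches(now):
                break  # a non-matching limit ends this rule for this packet
            if kind == "log":
                logged.append(now)  # log never blocks; evaluation continues
            if kind == "verdict":
                break
    return logged


def move_limit_before_log(rule):
    """Rewrite a rule whose limit follows its log so the limit runs first."""
    limit = LIMIT_RE.search(rule)
    log = LOG_RE.search(rule)
    if not limit or not log or limit.start() < log.start():
        return rule
    without_limit = (rule[:limit.start()] + rule[limit.end():]).replace("  ", " ").strip()
    log = LOG_RE.search(without_limit)
    return without_limit[:log.start()] + limit.group(0) + " " + without_limit[log.start():]


# Constructed arrivals: ten SYNs a minute apart (repeated ssh attempts), then one two days later.
SYN_TIMES = [i * 60 for i in range(10)] + [2 * 86400]

# The reporter's rule, with log before limit.
REPORTED_RULE = ('ip saddr 192.168.1.131/24 tcp dport 22 ct state { new, untracked } '
                 'log prefix "IN_BOUND_XXXX " level info limit rate 2/day')

if __name__ == "__main__":
    print("as reported :", len(simulate(REPORTED_RULE, SYN_TIMES)), "log lines")
    fixed = move_limit_before_log(REPORTED_RULE)
    print("fixed rule  :", fixed)
    print("fixed       :", len(simulate(fixed, SYN_TIMES)), "log lines")
```

Two practical points the simulation makes visible: even with the limit first, the default burst lets the first five attempts through before the 2/day rate applies, so add an explicit `burst 1 packets` if that is not wanted; and after changing the rule, `nft list chain inet firewalld filter_IN_public_log` should show `limit rate` printed before `log` in the rule, which is the quickest check that the order is what you intended.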