[{"id":3675364,"web_url":"http://patchwork.ozlabs.org/comment/3675364/","msgid":"<adfB3qNaLyuEYz-X@chamomile>","list_archive_url":null,"date":"2026-04-09T15:12:30","subject":"Re: [PATCH nft] doc: ct count should be restricted via new","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Thu, Apr 09, 2026 at 01:57:53PM +0200, Florian Westphal wrote:\n> Not doing it will affect existing flows, which is likely not wanted.\n> \n> Signed-off-by: Florian Westphal <fw@strlen.de>\n\nReviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>\n\n> ---\n>  doc/payload-expression.txt | 2 +-\n>  1 file changed, 1 insertion(+), 1 deletion(-)\n> \n> diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt\n> index 8b538968c84b..817b7a3c76b1 100644\n> --- a/doc/payload-expression.txt\n> +++ b/doc/payload-expression.txt\n> 
@@ -934,5 +934,5 @@ ct_id|\n>  .restrict the number of parallel connections to a server\n>  --------------------\n>  nft add set filter ssh_flood '{ type ipv4_addr; flags dynamic; }'\n> -nft add rule filter input tcp dport 22 add @ssh_flood '{ ip saddr ct count over 2 }' reject\n> +nft add rule filter input ct state new tcp dport 22 add @ssh_flood '{ ip saddr ct count over 2 }' reject\n>  --------------------\n> -- \n> 2.52.0\n> \n>","headers":{"Return-Path":"\n <netfilter-devel+bounces-11775-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=gd4PyB2d;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11775-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"gd4PyB2d\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org\n [IPv6:2600:3c15:e001:75::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fs3NZ0nCqz1yD3\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 10 Apr 2026 01:13:34 +1000 (AEST)","from smtp.subspace.kernel.org 
(conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id DD235301F261\n\tfor <incoming@patchwork.ozlabs.org>; Thu,  9 Apr 2026 15:12:40 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 0BF4B3DBD64;\n\tThu,  9 Apr 2026 15:12:39 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 10F593DD524\n\tfor <netfilter-devel@vger.kernel.org>; Thu,  9 Apr 2026 15:12:35 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id 5B75F60178;\n\tThu,  9 Apr 2026 17:12:33 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775747558; cv=none;\n b=pvSumObCCrUG6qmwqEXZkr0U1vLpkwiK2o9G37nlze39O9wiUMmYH2Jbb8Xm/eS9rHOrM92/V+bLDK8Q6r6lNUvhuwSf8ByBIHc8YMKL1fjyvF43VRP5IoA4U6nWPHcjTPWnrKcIB8rMpXH/FrbrB02jpRhBHjyUv4wJyy9kbzU=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775747558; c=relaxed/simple;\n\tbh=J7GoitVHIjtYXm7nb37BNfDX0gi/NO1WvmzZwVMuYwU=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=GmFjalQ5ltQ2OVHIGn5dyU5ZBIymd4TO9+x4+LbfFI0bNnN2dzbfB+MSOlBnFJqrbwdH7WKeCucV3xcmq2V32gz+dD06DZ7gYDbBSiHem7KqOUaTpqTruI7biJTxqEr25jA1+6p33d3YF6lf6NtlihIdiysyDFvo86401YNw3+U=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=gd4PyB2d; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; 
t=1775747553;\n\tbh=A2dwcWRD9Q2UykttaY/JcJRxY+P6KtVH+jisG9N4uOk=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=gd4PyB2dtbiVAnSgffpeOpsemaBfbpgsANB117Oxx6roUBT950eWToBMsOZ3Nt6fP\n\t wA/tE9nIEXa/Ttvi/rwPiarqv0ZwJuaG2hjwGsW7f0P6mUK1d46lj/73Upq+KgVZuL\n\t qdusGlcup5Ea/OYk+UljAkQCfg2hbkpjCGKxa/QuCj+Hs7ptpc4mWEyaffb5PEt3tJ\n\t gzCoVz2Pr7tP7UXY7TEiBGX4cLrjubO0gbhIjflEi477Z5Dra743Se5bXFrHmyFkGm\n\t fBUxgNrDvcRiFZQCMowZaB2GnHs/2Pjd+F/EzegIG7HqafkM67e619YN/IFnGiG+5X\n\t eknCp8YXnBmRw==","Date":"Thu, 9 Apr 2026 17:12:30 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH nft] doc: ct count should be restricted via new","Message-ID":"<adfB3qNaLyuEYz-X@chamomile>","References":"<20260409115756.27931-1-fw@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20260409115756.27931-1-fw@strlen.de>"}}]
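Review bot: in the doc/payload-expression.txt hunk (@@ -934,5 +934,5 @@), the reason for the added `ct state new` match is stated only in the commit message ("Not doing it will affect existing flows"), not in the documentation itself. The caption ".restrict the number of parallel connections to a server" and the example are otherwise unchanged, so a reader of the man page can still drop the match when adapting the rule without knowing what it guards against. Consider adding one sentence beside the example saying that `ct count` should be evaluated only for packets in state new, because otherwise the rule also affects existing flows.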