I have been attempting to use nft/nftables to blacklist ssh connections and have come across two problems.
nftables-0.9.3-3.fc32.x86_64 kernel-5.7.8-200.fc32.x86_64
1. The "limit rate" syntax does not work correctly unless the "burst" value is set:

   counter add @saddr_rate { ip saddr timeout 2m limit rate over 4/minute burst 1 packets } counter \
       update @saddr_blacklist { ip saddr timeout 10m } counter drop
2. The following syntax is not accepted by nft:

   update @connection_count { ip saddr ct count over 3 } \
       add @saddr_blacklist { ip saddr timeout 1m } drop

   nft_harting.nft:80:3-52: Error: Could not process rule: Operation not supported
   update @connection_count { ip saddr ct count over 3 } \
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I have been following a Debian mailing list thread (amongst many) https://unix.stackexchange.com/questions/581964/create-dynamic-blacklist-wit... which implies that both of the above should work with the kernel/nft F32 versions installed.
I attach the output of nft list ruleset (with the offending rule "{ ip saddr ct count over 3 }" commented out). It includes the "set" definitions used above.
Can anyone see any deliberate mistakes?
John
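A complete ruleset in the same style, added here as an illustration of the two dynamic-set constructs the post is asking about; it is not John's attached ruleset and has not been tested against his setup. The set names follow the post; the table and chain names, the 10m/2m default timeouts placed on the set definitions instead of on each rule, the ct state matches, and the use of `add` rather than `update` in the ct count rule are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not the original poster's ruleset. Set names follow the post;
# table/chain names, timeouts and the use of "add" in the ct count rule are assumptions.
flush ruleset

table inet filter {
    # Sources that tripped a limit; entries expire 10m after being added
    set saddr_blacklist {
        type ipv4_addr
        size 65535
        flags dynamic, timeout
        timeout 10m
    }

    # Per-source rate meter for new ssh connections; idle entries expire after 2m
    set saddr_rate {
        type ipv4_addr
        size 65535
        flags dynamic, timeout
        timeout 2m
    }

    # Per-source concurrent-connection counter ("ct count" is a connection limit,
    # not a rate: it tracks live conntrack entries per element)
    set connection_count {
        type ipv4_addr
        size 65535
        flags dynamic
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Blacklisted sources are dropped before any meter sees them
        ip saddr @saddr_blacklist counter drop

        # More than 4 new ssh connections per minute from one address blacklists it.
        # "burst 1 packets" is spelled out because the post reports the limit does
        # not behave correctly without an explicit burst on this nft version.
        tcp dport 22 ct state new \
            add @saddr_rate { ip saddr limit rate over 4/minute burst 1 packets } \
            add @saddr_blacklist { ip saddr } counter drop

        # More than 3 simultaneous ssh connections from one address blacklists it.
        # Written with "add" instead of the "update" form from the post (assumption).
        tcp dport 22 ct state new \
            add @connection_count { ip saddr ct count over 3 } \
            add @saddr_blacklist { ip saddr } counter drop

        tcp dport 22 ct state new counter accept
    }
}
```

Check the file without loading it with `nft -c -f ssh-blacklist.nft`, load it with `nft -f ssh-blacklist.nft`, and watch entries appear and expire with `nft list set inet filter saddr_blacklist`. Two caveats worth keeping in mind: the `limit rate` rule counts new connection attempts over time, whereas `ct count over 3` fires only when more than three conntrack entries for the same source exist at once, so a sequence of short-lived brute-force attempts will trip the first rule but may never trip the second; and `ct count` depends on the kernel's connlimit support for dynamic sets (nft_connlimit, kernel 4.18 or later), so a missing or unloaded module is one thing to rule out when the rule is rejected.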