I use nftables to do rate limiting:

chain input {
    type filter hook input priority 0; policy accept;
    # new HTTP connections go through the per-source rate limit
    tcp dport http ct state new jump rate-limit
}

chain rate-limit {
    # sources within 2/second (burst 20) are counted and accepted, the rest dropped
    meter httplimit4 { ip saddr limit rate 2/second burst 20 packets } counter accept
    drop
}

It works until the list is full. For some reason, once an IP was seen, it stays in the list, even after the rate limiting has "recovered". How can I flush out old entries from the list?

Of course I could run a cron job with

nft flush meter inet filter httplimit4

periodically, but isn't there some way to tell nftables to drop entries from the table when the ip was not seen for some time?
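As an added example (not part of the question), the same policy expressed with a named dynamic set instead of a meter: the set carries the `timeout` flag and a per-element timeout, so an address that stops sending is removed by the kernel on its own and no periodic flush is needed. It assumes nftables 0.9 or later (the `add`/`update` set statements) and the table `inet filter` named in the flush command above; the set name `httplimit4` and the one-minute timeout are chosen for illustration.

```nft
# Added example: meter replaced by a named dynamic set with expiring elements.
# Assumes nftables >= 0.9 and the table "inet filter" used in the question.
table inet filter {
    set httplimit4 {
        type ipv4_addr
        size 65535              # upper bound on tracked sources (assumed value)
        flags dynamic,timeout   # dynamic: filled from the packet path; timeout: elements expire
        timeout 1m              # an address not refreshed for one minute is removed
    }

    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport http ct state new jump rate-limit
    }

    chain rate-limit {
        # "update" refreshes the element's timeout on every matching packet, so an
        # entry lives only while its source keeps opening connections; "add" would
        # reproduce the meter exactly but leave the timeout unrefreshed after the
        # first packet. The limit expression is attached to the element, so each
        # source gets its own token bucket: within 2/second (burst 20) the packet
        # is counted and accepted, anything over that falls through to drop.
        update @httplimit4 { ip saddr limit rate 2/second burst 20 packets } counter accept
        drop
    }
}
```

Load it with `nft -f <file>` and check `nft list set inet filter httplimit4`: each element is shown with its remaining `expires` time, which is the easiest way to confirm that idle addresses are actually leaving the set. Keep `size` large enough for the expected number of concurrent sources, because once the set is full the `update` fails and the packet falls through to `drop` just as with a full meter.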
