Interesting. dst-limit is like connection-limit, but dynamic and limited in time?
yes, plus you can specify what is the differentiator/selector (i.e. which header field of the packets is used to select the bucket/counter).
I will check the rule set as soon as I get how jump and return work.
jump should actually be named call, because if the packet passes through the whole invoked chain (indicated by jump-target) without matching any rule that would provide a final verdict (accept or drop, or passthrough=no), its processing returns to the invoking chain. And action=return just skips the rest of the invoked chain.

This slightly complex construct is only necessary because dst-limit matches when the packet rate is below the limit, and you want to note down addresses of packets that exceed the limit; I didn't know you were interested in the LAN->WAN direction where typically no restrictions exist. So in this special case, you could just accept "new" TCP packets that are below the limit, and add to address list those which get past this dst-limit rule, in chain forward itself, rather than "outsourcing" this same sequence of rules to a dedicated chain.
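Both arrangements described in the reply above, written out as RouterOS filter rules; this is an added example, not configuration from the thread. Interface names (bridge for LAN, ether1 for WAN), the rate numbers, and the availability of the src-address selector in dst-limit on the installed RouterOS version are assumptions.

```routeros
# Added example, not from the thread. Assumptions: LAN on "bridge", WAN on
# "ether1", dst-limit supports the src-address selector in this version,
# and the numbers (20 new TCP/s, burst 50) are illustrative. Use ONE variant.

/ip firewall filter

# --- Variant A: the jump ("call") construct ---
# Hand new outbound TCP packets to a dedicated chain. If nothing in that
# chain gives a final verdict, processing comes back here and continues.
add chain=forward in-interface=bridge out-interface=ether1 protocol=tcp \
    connection-state=new action=jump jump-target=tcp-ratelimit

# In the chain: packets still under the limit (one bucket per LAN source
# address, bucket forgotten after 1m idle) are accepted, a final verdict.
# Anything that reaches the next rule has exceeded the limit.
add chain=tcp-ratelimit dst-limit=20/1s,50,src-address/1m action=accept

# Over the limit: note the LAN host for 10 minutes (packet keeps going,
# because add-src-to-address-list has passthrough=yes by default) ...
add chain=tcp-ratelimit action=add-src-to-address-list \
    address-list=tcp-new-exceeded address-list-timeout=10m

# ... then return to chain forward. Falling off the end of the chain would
# return as well; the explicit return only makes the intent visible.
add chain=tcp-ratelimit action=return

# --- Variant B: the simplification suggested for LAN->WAN ---
# Same two rules placed directly in forward; no dedicated chain needed
# because no other rule in this direction has to be skipped.
add chain=forward in-interface=bridge out-interface=ether1 protocol=tcp \
    connection-state=new dst-limit=20/1s,50,src-address/1m action=accept
add chain=forward in-interface=bridge out-interface=ether1 protocol=tcp \
    connection-state=new action=add-src-to-address-list \
    address-list=tcp-new-exceeded address-list-timeout=10m
```

Rules are evaluated top-down, so any rule that acts on the tcp-new-exceeded list (for example one that drops or throttles further new connections from listed hosts) has to sit above the accept rule, otherwise packets under the limit are accepted before the list is consulted.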