How to reset iptables rate limit counter?

iptables

I implemented SSH connection rate limiting using the following.

iptables -N SSH_BRUTE_FORCE_MITIGATION
iptables -A SSH_BRUTE_FORCE_MITIGATION -m recent --name SSH --set
iptables -A SSH_BRUTE_FORCE_MITIGATION -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[ssh-brute-force]: "
iptables -A SSH_BRUTE_FORCE_MITIGATION -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
iptables -A SSH_BRUTE_FORCE_MITIGATION -j ACCEPT

How can I reset rate limit counter?

Edit: tried sudo iptables -Z, but following error is thrown.

$ sudo iptables -Z
[sudo] password for pi:
iptables v1.8.2 (nf_tables):  RULE_REPLACE failed (Invalid argument): rule in chain INPUT

To reset the -m recent --name SSH data:

echo / | sudo tee /proc/net/xt_recent/SSH

From man 8 iptables-extensions, section "recent":

/proc/net/xt_recent/* are the current lists of addresses
 and information about each entry of each list.

Each file in /proc/net/xt_recent/ can be read from to see
 the current list or written two using the following commands to modify the list:

echo +addr >/proc/net/xt_recent/DEFAULT
    to add addr to the DEFAULT list 
echo -addr >/proc/net/xt_recent/DEFAULT
    to remove addr from the DEFAULT list 
echo / >/proc/net/xt_recent/DEFAULT
    to flush the DEFAULT list (remove all entries).

This is not the same as the per-rule packet/byte counters which can be cleared with iptables -Z.
This is also not the same as the -m limit (which you are using for rate-limiting the logging) or -m hashlimit counters. Those do not offer such proc interface. Possible workarounds:

  1. unloading the module xt_recent/xt_limit/xt_hashlimit will discard the respective associated data
    • only possible while no rules are currently using it
    • needs to be built as a module - unloading builtins is not supported
  2. changing the rules to use a different --name/--hashlimit-name (appending a number will do)
    • not an atomic transaction
    • depending on order of replacement, can momentarily mean in unexpected behaviour

Related

Apache reverse proxy not passing custom headers to the target server
PowerDNS Split Horizon Resolver
Plain-text login with sendmail and SASL, Ubuntu 10.04
How to install dotnetfx35.exe
How to list the Project properties in openstack
IIS: Can connect to website via http but not https
Docker daemon ignores daemon.json on boot
Is there a command to renew dhcp lease for ipmi?
PPTP Passthrough Centos 7/Firewalld router to Windows Server
GKE fails to mount volumes to deployments/pods: timed out waiting for the condition
How to find out which version of OpenStack is running on a server?
Slow backup of data from file servers with System Center Data Protection Manager 2019