Hi Jo,

On Mon, May 22, 2017 at 9:17 AM, Jo-Philipp Wich <j...@mein.io> wrote:
> wouldn't it be simpler to introduce hashlimit support for ordinary rules
> instead?
>
> Is there a particular reason for a separate chain and a separate section
> type?
The goal is to protect against a denial of service. The device I'm working with can handle a limited number of packets per second when hardware acceleration forwarding is not used, and flooding it with packets can cut off access to device services running on top of the IP host (e.g. dropbear).

You can't do it in ordinary rules because their parameters have an impact only on the initial packet of the conntrack, as they're added after the "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" rule.

_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
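The ordering problem described in the reply (a hashlimit match placed after the RELATED,ESTABLISHED accept only ever sees the first packet of each connection) can be audited from an iptables-save dump. The script below is an added example, not code from the thread or from the LEDE/OpenWrt firewall; the dump it reads is constructed, and the chain name flood_limit and the hashlimit parameters are assumed for illustration.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for hashlimit rules that sit
# after a "--ctstate ...ESTABLISHED -j ACCEPT" rule in the same chain.
# Such a hashlimit rule is only evaluated for the first packet of each
# conntrack entry, so it cannot throttle an already-established flood.

# Constructed sample dump (not from any real device). INPUT places the
# hashlimit rule after the conntrack accept; FORWARD jumps to a dedicated
# chain (flood_limit, a hypothetical name) before the conntrack accept.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:flood_limit - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -m hashlimit --hashlimit-above 50/sec --hashlimit-mode srcip --hashlimit-name ssh -j DROP
-A FORWARD -j flood_limit
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A flood_limit -m hashlimit --hashlimit-above 2000/sec --hashlimit-name fwd -j DROP
COMMIT'

# audit_hashlimit_order: reads an iptables-save dump on stdin and prints
# one line per hashlimit rule: "<chain> <rule_no> limited|unlimited".
#   limited   - the hashlimit rule precedes any ESTABLISHED accept in its
#               chain, so every packet of every flow is counted
#   unlimited - an ESTABLISHED accept comes first, so only the initial
#               packet of each conntrack entry reaches the hashlimit rule
audit_hashlimit_order() {
    awk '
    /^-A / {
        chain = $2
        n[chain]++
        # remember the position of the first ESTABLISHED accept per chain
        if ($0 ~ /--ctstate [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT/ && !(chain in est))
            est[chain] = n[chain]
        if ($0 ~ /-m hashlimit/) {
            verdict = (chain in est) ? "unlimited" : "limited"
            printf "%s %d %s\n", chain, n[chain], verdict
        }
    }'
}

# Usage: pipe a real dump with "iptables-save | audit_hashlimit_order";
# here the constructed dump is used instead.
printf '%s\n' "$SAMPLE_DUMP" | audit_hashlimit_order
```

For the constructed dump the audit reports the INPUT hashlimit rule as "unlimited" and the flood_limit rule as "limited", which is exactly the distinction between adding hashlimit to an ordinary rule and giving it a chain that is reached before the conntrack accept.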