I tried to limit ping flooding by setting the following rule:

nft add rule filter input icmp type echo-request limit rate 10/second accept

But it doesn't work, I can still ping flood the target.
What I see is that nft_limit_pkts_eval() is called only once at the beginning of the flood. After that, during do_nft_chain(), regs.verdict.code is changed from -1 to 1 by a call to nft_immediate_eval() earlier in the loop.

How can I investigate that issue?

Using linux kernel 4.4.21


To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

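Added example, not code from the original post or from the netfilter project. It shows the ruleset shape that actually limits a ping flood: in nftables, `limit rate 10/second` matches only the packets that fall inside the rate, so the `accept` verdict applies only to those. The excess packets do not match that rule at all; evaluation continues to the next rule and, if there is none, to the chain policy, which is `accept` unless set otherwise, so the flood still goes through. A second rule that drops the remaining echo requests closes the gap, and a `counter` on it makes the dropped packets visible in `nft list chain ip filter input`. The table and chain names (`ip filter` / `input`), the `nft` binary being installed, and the `APPLY_RULESET` environment variable are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes nftables (nft) is
# installed; 'ip filter' and 'input' are placeholder table/chain names.
set -eu

# Emit a ruleset that rate-limits ICMP echo requests and drops the excess.
# Optional argument: the rate to allow (default 10/second).
ping_limit_ruleset() {
    rate="${1:-10/second}"
    cat <<EOF
table ip filter {
    chain input {
        type filter hook input priority 0; policy accept;
        # Echo requests inside the rate match here and are accepted.
        icmp type echo-request limit rate ${rate} accept
        # Echo requests over the rate did not match the rule above, so they
        # reach this rule and are dropped. Without it they fall through to
        # 'policy accept'. The counter shows how many were dropped.
        icmp type echo-request counter drop
    }
}
EOF
}

# Number of rules acting on echo-request in the generated ruleset.
# Both the accept rule and the drop rule must be present, so expect 2.
count_echo_rules() {
    ping_limit_ruleset "$@" | grep -c 'icmp type echo-request'
}

# Load the ruleset with nft -f (requires root). Kept separate from the
# generator so the text can be inspected first.
apply_ruleset() {
    tmp=$(mktemp)
    ping_limit_ruleset "$@" > "$tmp"
    nft -f "$tmp"
    rm -f "$tmp"
    # Check the drop counter after a flood: the 'packets' value on the
    # drop rule should climb while the accept rule stays near the rate.
    nft list chain ip filter input
}

# Print by default; set APPLY_RULESET=1 (as root) to actually load it.
if [ "${APPLY_RULESET:-0}" = 1 ]; then
    apply_ruleset
else
    ping_limit_ruleset
fi
```

Newer nftables releases also accept a single-rule form, `icmp type echo-request limit rate over 10/second drop`, which matches the packets that exceed the rate instead of the ones within it; check that the nft version and kernel in use support the `over` keyword before relying on it.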