I tried to limit ping flooding by setting the following rule:
nft add rule filter input icmp type echo-request limit rate 10/second accept
But it doesn't work; I can still ping flood the target.
What I see is that nft_limit_pkts_eval() is called only once at the
beginning of the flood.
Afterwards, during do_nft_chain(), regs.verdict.code is changed from -1 to 1
by a call to nft_immediate_eval() earlier in the loop.
How can I investigate that issue?
Using Linux kernel 4.4.21