On Fri, Sep 16, 2016 at 06:50:22PM +0200, Christophe Leroy wrote:
> Hi
> 
> I tried to limit ping flooding by setting the following rule:
> 
> nft add rule filter input icmp type echo-request limit rate 10/second accept

This is matching packets under the rate, so packets under the rate are
accepted.

Your next rule, or default policy, should drop, so packets over the
rate are dropped.

You can invert this logic via:

 # nft add rule filter input icmp type echo-request limit rate over 10/second 
drop

Does this work for you?

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to