Le 20/09/2016 à 10:13, Pablo Neira Ayuso a écrit :
On Fri, Sep 16, 2016 at 06:50:22PM +0200, Christophe Leroy wrote:
Hi

I tried to limit ping flooding by setting the following rule:

nft add rule filter input icmp type echo-request limit rate 10/second accept

This is matching packets under the rate, so packets under the rate are
accepted.

Your next rule, or default policy, should drop, so packets over the
rate are dropped.

You can invert this logic via:

 # nft add rule filter input icmp type echo-request limit rate over 10/second 
drop


That didn't work either, but in fact I found the issue: I have a rule 'ct state established, related accept' earlier in the ruleset, so only the first ping packet reached the rate limitation rule.

Putting the rate limitation rules before that ct state rule, it works as expected.

Thanks for your help

Christophe
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to