On Fri, Apr 27, 2018 at 04:11:53PM +0800, Rosysong wrote:
> On Fri, Apr 27, 2018 at 03:51:05PM +0800, Rosysong wrote:
> [...]
> > # create a table named filter
> > nft add table filter
> >
> > # add chain for input(download) and output(upload) hook
> > nft add chain filter input { type filter hook input priority 0\;}
> > nft add chain filter output { type filter hook output priority 0\;}
> >
> > nft add rule filter input ip daddr 192.168.0.104 limit rate 512bytes/second accept
> > nft add rule filter output ip saddr 192.168.0.104 limit rate 512bytes/second accept

I think this is what you want:

table ip filter {
        chain input {
                type filter hook input priority 0; policy accept;
                ip daddr 192.168.2.195 limit rate over 512 bytes/second drop
        }

        chain output {
                type filter hook output priority 0; policy accept;
                ip saddr 192.168.0.195 limit rate over 512 bytes/second drop
        }
}

The "limit rate over" will match packets over the 512 bytes/second rate.
Hence, those packets will be dropped.

Or you can express this like:

table ip filter {
        chain input {
                type filter hook input priority 0; policy accept;
                ip daddr 192.168.2.195 limit rate 512 bytes/second accept
                counter drop
        }

        chain output {
                type filter hook output priority 0; policy accept;
                ip saddr 192.168.0.195 limit rate 512 bytes/second accept
                counter drop
        }
}

So packets under the 512 bytes/second rate will be accepted, packets
over the rate will be dropped.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
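The "limit rate over ... drop" ruleset from the reply, written up as an added example (not code from the thread or from the nftables project) in the form one would actually load with "nft -f": a POSIX shell function that emits the ruleset for a given host address and byte rate, plus a helper that dry-runs it through "nft -c" when nft is installed. The function names, the placeholder address 192.168.0.195 and the "counter" expression added to the drop rules (so drops show up in "nft list ruleset") are this example's own choices, not the reply's.

```shell
#!/bin/sh
# Added example: emit the "limit rate over" ruleset from the reply as an
# nft -f file. build_ruleset ADDR RATE prints the ruleset; ADDR is the host
# whose traffic is capped, RATE is in bytes per second. The counter on the
# drop rule is an addition so that dropped packets are visible in
# "nft list ruleset"; nft accepts "#" comments inside ruleset files.

build_ruleset() {
    addr="$1"   # placeholder host, e.g. 192.168.0.195 as in the reply
    rate="$2"   # byte rate, e.g. 512
    cat <<EOF
table ip filter {
        chain input {
                type filter hook input priority 0; policy accept;
                # download: packets to the host beyond the rate match "over"
                ip daddr ${addr} limit rate over ${rate} bytes/second counter drop
        }

        chain output {
                type filter hook output priority 0; policy accept;
                # upload: packets from the host beyond the rate match "over"
                ip saddr ${addr} limit rate over ${rate} bytes/second counter drop
        }
}
EOF
}

# Write the ruleset to a temporary file and syntax-check it with "nft -c -f"
# (check only, nothing is committed to the kernel). When nft is not present
# the ruleset is printed instead so the file can be reviewed by hand.
check_ruleset() {
    f=$(mktemp) || return 1
    build_ruleset "$1" "$2" > "$f"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$f"
        rc=$?
    else
        cat "$f"
        rc=0
    fi
    rm -f "$f"
    return $rc
}

# Usage: check_ruleset 192.168.0.195 512
# then, as root: build_ruleset 192.168.0.195 512 | nft -f -
```

Loading with "nft -f -" adds the table and chains if they do not exist yet and adds the rules to them; it does not flush an existing "filter" table, so run "nft list table ip filter" first if the table is already populated.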