Re: rate limit not working ?


On 20/09/2016 at 10:13, Pablo Neira Ayuso wrote:
On Fri, Sep 16, 2016 at 06:50:22PM +0200, Christophe Leroy wrote:
Hi

I tried to limit ping flooding by setting the following rule:

nft add rule filter input icmp type echo-request limit rate 10/second accept

This is matching packets under the rate, so packets under the rate are
accepted.

Your next rule, or default policy, should drop, so packets over the
rate are dropped.

You can invert this logic via:

 # nft add rule filter input icmp type echo-request limit rate over 10/second drop


That didn't work either, but in fact I found the issue: I have a rule 'ct state established, related accept' earlier in the ruleset, so only the first ping packet reached the rate limitation rule.

Putting the rate limitation rules before that ct state rule, it works as expected.

Thanks for your help

Christophe
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
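The ordering fix described in the thread, written out as a complete ruleset. This is an added example, not a ruleset posted in the thread; the table and chain names (`filter`, `input`) and the `limit rate over ... drop` form are taken from the messages above, the remaining rules (loopback, ssh, invalid-state drop, counters) are assumed for illustration.

```nft
# Added example (not from the thread). Load with: nft -f thisfile.nft
# The key point is rule order: for ping, every echo-request after the
# first one belongs to an existing conntrack entry (same ICMP id), so a
# "ct state established,related accept" rule placed BEFORE the limit
# rule hands only the very first request to the limiter. The limiter
# must therefore come first.
flush table ip filter

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Rate limiter first: anything above 10 echo-requests/second is
        # dropped here, before the conntrack shortcut can accept it.
        # "counter" lets you verify it fires with: nft list chain ip filter input
        icmp type echo-request limit rate over 10/second counter drop

        # Conntrack shortcut (this is the rule that hid the limiter when
        # it was placed above it).
        ct state established,related accept
        ct state invalid drop

        # Echo-requests that were under the rate fall through to here.
        icmp type echo-request accept

        # Assumed management rule; adjust to taste.
        tcp dport 22 ct state new accept
    }
}
```

To verify, run `ping -f` from another host and watch the `counter` on the drop rule increase while `ping` at the default 1 packet/second stays unaffected.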


