Hello,

I'm building some nftables based packet filters and am trying to achieve the following, but could not succeed yet:

* all packets to broadcast IPv4 addresses (at least to 255.255.255.255) should be rate limited, regardless of transport layer protocol
* after that, packets to allowed UDP ports should be accepted
* all this should happen very early, best would be already in the netdev table, ingress hook (because of CPU and memory constraints on an embedded platform)

What I could achieve so far:

* rate limit packets to IP 255.255.255.255 and accept those, but packets do not hit rules after that anymore :-(
* only accept packets to allowed UDP ports, but without rate limiting :-/

I tried jump on non-base chains, but the results are the same as if I would just add all the rules to one chain.

I thought I could use more than one base chain with different priorities, but after reading [1] I'm not sure this would work. The packets dropped on the lower priority chain would hit the higher priority chain again, wouldn't they?

Greets
Alex

[1] https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority
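As an added illustration of the ordering the post is after (this is not a ruleset from the poster or from the nftables project), the following single netdev ingress chain uses `limit rate over ... drop` so that only the excess broadcast packets are dropped while the remaining packets fall through to the UDP port rule; the device name, the rate, the burst and the allowed port set are assumed values, and the chain policy of `drop` for everything else is an assumption about the intended behaviour.

```nft
table netdev filter {
    chain ingress {
        # Assumed interface name; netdev base chains must name a device.
        type filter hook ingress device eth0 priority 0; policy drop;

        # Rate-limit all IPv4 limited-broadcast traffic regardless of L4 protocol.
        # "limit rate over" matches only the packets that exceed the rate, so those
        # are dropped here and the rest keep traversing the chain (assumed values).
        ip daddr 255.255.255.255 limit rate over 10/second burst 20 packets drop

        # Afterwards, accept only the allowed UDP services (assumed port set).
        udp dport { 67, 68, 5353 } accept

        # Anything else is dropped by the chain policy above.
    }
}
```

Load with `nft -f`, and check the effect with `nft list ruleset` (counters can be added to either rule to confirm that broadcast packets under the limit reach the UDP rule).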