Alexander Dahl <ada@xxxxxxxxxxx> wrote:

> I'm building some nftables based packet filters and try to achieve the
> following, but could not succeed yet:
>
> * all packets to broadcast IPv4 addresses (at least to 255.255.255.255) should
>   be rate limited, regardless of transport layer protocol
> * after that, packets to allowed UDP ports should be accepted
> * all this should happen very early, best would be already in netdev table,
>   ingress hook (because of cpu and memory constraints on embedded platform)
>
> What I could achieve so far:
>
> * rate limit packets to IP 255.255.255.255 and accept those, but packets do
>   not hit rules after that anymore :-(
> * only accept packets to allowed UDP ports, but without rate limiting :-/

Could you elaborate what you did?

table netdev ingress {
	chain in_public {
		type filter hook ingress device eth0 priority 0; policy accept;
		pkttype broadcast limit rate over 10/second drop
		udp dport 12345 accept
	}
}

Works fine for me.

> I thought I could use more than one base chain with different priorities, but
> after reading [1] I'm not sure this would work. The packets dropped on the
> lower priority chain, would hit the higher priority chain again, wouldn't it?

No. Drop is instant, no further evaluation is done.
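As an added illustration of the ruleset shape discussed above (my own example, not the reply author's configuration), here is a fuller netdev ingress table that covers the three requirements of the original question in one chain: broadcast traffic is rate limited first, packets to the limited-broadcast address 255.255.255.255 are covered explicitly regardless of transport protocol, and only afterwards are packets to a named set of allowed UDP ports accepted. The table name, the set name and the port values 12345 and 5353 are assumed for illustration; the interface name eth0 and the 10/second limit are taken from the reply. Counters are added so that a drop count can be read back with "nft list ruleset" when checking whether the limit is actually firing.

```nft
# Added example ruleset, not the original poster's or the reply author's.
# Load with:   nft -f broadcast-limit.nft
# Check only:  nft -c -f broadcast-limit.nft
table netdev filter_ingress {
	# Allowed UDP destination ports (values assumed for illustration).
	set allowed_udp {
		type inet_service
		elements = { 12345, 5353 }
	}

	chain in_public {
		type filter hook ingress device eth0 priority 0; policy accept;

		# 1. Link-layer broadcast above 10 packets/second is dropped.
		#    A drop verdict is final: the packet is not evaluated by any
		#    later rule or any other base chain, so ordering matters.
		pkttype broadcast limit rate over 10/second counter drop

		# 2. The limited-broadcast address, whatever the transport
		#    protocol, in case the frame did not arrive as L2 broadcast
		#    (separate limit object, so it has its own token bucket).
		ip daddr 255.255.255.255 limit rate over 10/second counter drop

		# 3. Everything that survived the limits and is addressed to an
		#    allowed UDP port is accepted here; the rest falls through to
		#    the chain policy (accept, as in the reply above).
		udp dport @allowed_udp counter accept
	}
}
```

The chain policy is kept at accept to match the reply; turning it into a default-deny filter at the ingress hook (policy drop) would also discard ARP and anything else not explicitly accepted, which would need its own accept rules before the device stays reachable. The counters cost a little memory per rule, which is worth weighing on a constrained embedded platform once the rules are known to behave as intended.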