Re: nftables: first rate limit on IP, then filter on port

Hello Florian,

On Friday, 6 April 2018, 13:28:59 CEST, Florian Westphal wrote:
> table netdev ingress {
>  chain in_public {
> 	type filter hook ingress device eth0 priority 0; policy accept;
>         pkttype broadcast limit rate over 10/second drop
>         udp dport 12345 accept
>  }

I am pretty sure I tried 'pkttype' on an ingress hook yesterday and got some 
error. I thought this would only work in later chains. But you are right, it 
works.

However, I did not understand this "over" keyword. The rate-limiting examples in the wiki [1] don't use it at all, and they all use accept instead of drop; there's not a single example with drop. Maybe the documentation on this should be improved?

Two examples for understanding:

table netdev filter {
  chain ingress {
    type filter hook ingress device eth0 priority 0; policy drop;
    ether type arp limit rate 10/second accept
  }
}

table netdev filter {
  chain ingress {
    type filter hook ingress device eth0 priority 0; policy accept;
    ether type arp limit rate over 10/second drop
  }
}

I would assume in both cases a maximum of 10 arp packets per second comes 
through, right?

> > I thought I could use more than one base chain with different priorities,
> > but after reading [1] I'm not sure this would work. The packets dropped
> > on the lower priority chain, would hit the higher priority chain again,
> > wouldn't it?
> No.  Drop is instant, no further evaluation is done.

Good to know. ;-)

What I came up with now is a very simple ruleset, which should fit my current needs, however:

% cat projectroot/etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table netdev filter {
        chain ingress {
                type filter hook ingress device eth0 priority 0; policy accept;

                # rate limit all broadcast traffic
                pkttype broadcast limit rate over 10/second drop

                # rate limit ping
                icmp type echo-request limit rate 10/second accept
                icmp type echo-reply limit rate 10/second accept
                ip protocol icmp drop
        }
}


I'll further test this, but it looks promising. Thanks for your support! :-)

Greets
Alex

[1] https://wiki.nftables.org/wiki-nftables/index.php/Rate_limiting_matchings
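To see what the two ARP examples above actually do, here is an added simulation (not nft or kernel code) of `limit rate` with and without `over`. It models the limit as a token bucket with the default burst of 5 packets, which is a simplifying assumption rather than the kernel's exact implementation, and shows that both rulesets pass the same ARP packets while non-ARP traffic is decided by the chain policy, which differs between them.

```python
# Token-bucket model of the two `limit rate` styles from the mail above.
# Added example, not nft or kernel code: the bucket (capacity = burst packets,
# default 5, refilled at `rate` tokens per second) is a simplifying assumption
# standing in for the kernel's limit implementation; timestamps are in ms.
from fractions import Fraction

ACCEPT, DROP = "accept", "drop"

class Limit:
    """`limit rate N/second [burst B]` match; `over` inverts the match."""

    def __init__(self, rate, burst=5, over=False):
        self.rate, self.burst, self.over = rate, burst, over
        self.tokens, self.last_ms = Fraction(burst), 0

    def matches(self, t_ms):
        refill = Fraction((t_ms - self.last_ms) * self.rate, 1000)
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last_ms = t_ms
        within = self.tokens >= 1          # a token is available: within rate
        if within:
            self.tokens -= 1
        return within != self.over         # `over`: match only when above rate

def arp_rule(limit, verdict):
    """`ether type arp limit rate ... <verdict>` as a (match, verdict) pair."""
    return (lambda t_ms, ety: ety == "arp" and limit.matches(t_ms), verdict)

def run_chain(rules, policy, packets):
    """First matching rule decides the verdict; otherwise the chain policy."""
    return [next((v for m, v in rules if m(t_ms, ety)), policy)
            for t_ms, ety in packets]

def compare(packets):
    """Verdict lists for ruleset 1 (policy drop, accept while within rate)
    and ruleset 2 (policy accept, drop when over rate) on the same packets."""
    r1 = run_chain([arp_rule(Limit(10), ACCEPT)], DROP, packets)
    r2 = run_chain([arp_rule(Limit(10, over=True), DROP)], ACCEPT, packets)
    return r1, r2

# Constructed traffic: 100 ARP packets at once, then 20 pps of ARP for one
# second, then a single non-ARP (IP) packet that no rule matches.
SAMPLE = ([(0, "arp")] * 100 + [(1000 + i * 50, "arp") for i in range(20)]
          + [(2000, "ip")])

if __name__ == "__main__":
    r1, r2 = compare(SAMPLE)
    print("ARP accepted:", r1[:120].count(ACCEPT), r2[:120].count(ACCEPT))
    print("IP packet:", r1[-1], r2[-1])
```

Of the 120 ARP packets, 19 get through under either ruleset (the burst of 5 plus roughly 10 per second afterwards), but the trailing IP packet is dropped by ruleset 1 and accepted by ruleset 2.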
