I created the following rules (I just broke the line for readability):
add rule inet filter INPUT meta nfproto { ipv4, ipv6} \
log prefix "* INPUT * " limit rate 1/minute burst 1 packets \
counter reject with icmpx type port-unreachable comment "Reject all connections"
add rule inet filter INPUT counter drop
What I wanted to achieve was to log packets, which don't fit in
the previous rules. But I don't really want netfilter to spam my
syslog with its messages. So the first rule should rate limit the
messages, and the other rule should silently drop the packets
that go over the limits (can this be done in just one rule?).
But the rules don't really work as expected.
# nft list chain inet filter INPUT
table inet filter {
chain INPUT {
...
meta nfproto { ipv4, ipv6 } log prefix "* INPUT * " limit rate 1/minute burst 1 packets counter packets 1 bytes 84 reject comment "Reject all connections"
counter packets 31 bytes 2604 drop
}
}
According to the output above, only 1 packets hits the first rule
and the rest goes to the second rule and should be silently dropped.
But syslog received 32 messages in the rate of 2 per second.
Is that a bug or something is wrong with the rules and I should do
the task in some other way?
Attachment:
signature.asc
Description: OpenPGP digital signature
