Question about log rate limiting

I created the following rules (I just broke the line for readability):

add rule inet filter INPUT meta nfproto { ipv4, ipv6} \
    log prefix "* INPUT * " limit rate 1/minute burst 1 packets \
    counter reject with icmpx type port-unreachable comment "Reject all connections"
add rule inet filter INPUT counter drop

What I wanted to achieve was to log packets which don't fit in
the previous rules. But I don't really want netfilter to spam my
syslog with its messages. So the first rule should rate limit the
messages, and the other rule should silently drop the packets
that go over the limit (can this be done in just one rule?).

But the rules don't really work as expected.

# nft list chain inet filter INPUT

table inet filter {
  chain INPUT {
    ...
    meta nfproto { ipv4, ipv6 } log prefix "* INPUT * " limit rate 1/minute burst 1 packets counter packets 1 bytes 84 reject comment "Reject all connections"
    counter packets 31 bytes 2604 drop
  }
}

According to the output above, only 1 packet hits the first rule
and the rest go to the second rule and should be silently dropped.
But syslog received 32 messages at a rate of 2 per second.

Is that a bug, or is something wrong with the rules and should I do
the task in some other way?

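The counters in the post (1 packet on the reject rule, 31 on the drop rule, 32 syslog lines) are exactly what nftables produces when the `log` statement sits before the `limit` statement: statements in a rule are evaluated left to right, `log` always matches and emits a message, and only a statement placed after `limit` is rate limited. The following is an added illustration, not code from the thread or from the nftables project: a small Python model of that left-to-right evaluation with a token-bucket `limit`, replaying 32 packets arriving 2 per second through both orderings. The token bucket, the `stats` names and the 2-packets-per-second arrival pattern are assumptions of the model, chosen to match the numbers in the post.

```python
"""Toy model of nftables statement ordering (added illustration, not the
nftables implementation).  A rule is a list of statements evaluated left to
right: a statement returns True to continue, False when it does not match
(the packet moves on to the next rule), or a verdict string that ends the
chain walk.  `log` never stops a packet, so anything placed before `limit`
runs for every packet that reaches the rule."""


class TokenBucket:
    """Rough model of `limit rate N/minute burst B packets` (assumption:
    a bucket of size `burst` refilled at `rate_per_sec`)."""

    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(float(self.burst),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


# Statement constructors; each returns a callable(now) -> True | False | verdict.
def counter(stats, name):
    def stmt(now):
        stats[name] = stats.get(name, 0) + 1
        return True
    return stmt


def log(stats):
    def stmt(now):
        stats["syslog"] = stats.get("syslog", 0) + 1  # one syslog line
        return True
    return stmt


def limit(rate_per_sec, burst):
    bucket = TokenBucket(rate_per_sec, burst)
    return lambda now: bucket.allow(now)


def verdict(name):
    return lambda now: name


def evaluate(chain, arrivals):
    """Walk every packet (arrival time in seconds) through the chain."""
    verdicts = []
    for now in arrivals:
        result = None
        for rule in chain:
            for stmt in rule:
                res = stmt(now)
                if res is True:
                    continue
                if res is False:
                    break          # no match: try the next rule
                result = res       # terminal verdict
                break
            if result is not None:
                break
        verdicts.append(result if result is not None else "policy")
    return verdicts


def simulate(log_first, n_packets=32, interval=0.5):
    """Constructed scenario: 32 packets, 2 per second, as in the post.
    log_first=True  -> `log ... limit rate 1/minute burst 1 packets counter reject`
    log_first=False -> `limit rate 1/minute burst 1 packets log ... counter reject`"""
    stats = {}
    lim = limit(1 / 60, 1)
    head = [log(stats), lim] if log_first else [lim, log(stats)]
    chain = [
        head + [counter(stats, "rule1"), verdict("reject")],
        [counter(stats, "rule2"), verdict("drop")],
    ]
    arrivals = [i * interval for i in range(n_packets)]
    verdicts = evaluate(chain, arrivals)
    stats["reject"] = verdicts.count("reject")
    stats["drop"] = verdicts.count("drop")
    return stats


if __name__ == "__main__":
    print("log before limit:", simulate(log_first=True))
    print("limit before log:", simulate(log_first=False))
```

With `log` first the model reproduces the post: 32 syslog lines, 1 packet counted and rejected by the first rule, 31 dropped by the second. With `limit` moved in front of `log` the same traffic produces a single syslog line while the counters stay 1 and 31, which is the behaviour the post was after; the over-limit packets still fall through to the second rule, so the silent `drop` rule remains necessary.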

