Use "flow-table" (meter) to block IPs

Hello

These are my test rules for understanding "meter", in a local
simulation against SYN-flag flooding. Regular traffic will be
accepted; an irregular amount of packets will be dropped.
As you can see, for all irregular packets (forced by me)
the saddr is temporarily stored in the table "synflg-meter".

How can I use those entries to block the IP completely
until the timer runs out? Is that even possible?

table ip tfilter {
        chain input {
                type filter hook input priority 0; policy accept;
                ct state established,related accept
                # SYNs within the global rate are accepted
                tcp flags syn limit rate 1/second burst 3 packets accept
                # per-source meter: a source exceeding 1 SYN/s gets its SYN reset
                tcp flags syn meter synflg-meter size 0 { ip saddr timeout 15s limit rate over 1/second } reject with tcp reset
        }
}
table ip tfilter {
        meter synflg-meter {
                type ipv4_addr
                flags timeout
                elements = { 10.10.1.49 expires 9s660ms : limit rate over 1/second }
        }
}

Thank you and best regards
Tom
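One way to do what the post asks, as an added example that is not part of the original message: instead of only resetting the offending SYN, the meter rule also adds the source address to a dynamic set with a timeout, and a lookup rule placed before everything else drops all traffic from addresses in that set until the entry expires. This is the nftables "update a set from the packet path" mechanism; the set name synflood-block and the size values are assumptions chosen for this example, and the meter name and 15s/1 per second figures are taken from the post.

```nft
# Added example ruleset, not the poster's own. Assumed names: set synflood-block.
table ip tfilter {
        # Dynamic set: entries are added from the packet path by the rule below
        # and are removed automatically when their timeout expires.
        set synflood-block {
                type ipv4_addr
                flags dynamic,timeout
                size 65535
        }

        chain input {
                type filter hook input priority 0; policy accept;

                # Anything from a source currently in the set is dropped outright,
                # including packets of existing connections, until the entry expires.
                ip saddr @synflood-block drop

                ct state established,related accept

                # Per-source SYN meter: once a source exceeds 1 SYN/s (burst 3),
                # put it in the block set for 15s and reset the current SYN.
                tcp flags syn meter synflg-meter size 65535 { ip saddr timeout 15s limit rate over 1/second burst 3 packets } add @synflood-block { ip saddr timeout 15s } reject with tcp reset
        }
}
```

Load it with `nft -f` and watch entries come and go with `nft list set ip tfilter synflood-block`. Because the drop rule sits before the meter rule, further SYNs from a blocked source never reach the add statement, so the 15s timer runs from the moment the source was first blocked and is not refreshed by its continued flooding; if a sliding window is wanted instead, move the lookup after the meter rule or use `update @synflood-block { ip saddr timeout 15s }` in a rule that still sees the blocked traffic.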


