On 30/04/2019 22:54, Pablo Neira Ayuso wrote:
> Looks like a bug, the action "counter drop" seems to be ignored.
>
> Does this counter bump once the set is full?
>
> I'm referring to this rule:
>
> add rule netdev traffic-control chain-icmp add @meter-icmp { ip saddr limit rate over 10/minute burst 1 packets } counter drop
>

Yes, it counts packets when the set is full:

    set meter-icmp {
        type ipv4_addr
        size 1
        flags dynamic,timeout
        timeout 1m
        elements = { 192.168.1.1 expires 54s791ms limit rate over 10/minute burst 1 packets }
    }

    chain chain-icmp {
        add @meter-icmp { ip saddr limit rate over 10/minute burst 1 packets } counter packets 24 bytes 2016 drop
        counter packets 43 bytes 3612 accept
    }

The counter goes up at the rate of 1/s. From the first pinging host I get:

    # ping 192.168.1.150
    PING 192.168.1.150 (192.168.1.150): 56 data bytes
    64 bytes from 192.168.1.150: seq=0 ttl=64 time=0.521 ms
    64 bytes from 192.168.1.150: seq=6 ttl=64 time=0.432 ms
    64 bytes from 192.168.1.150: seq=12 ttl=64 time=0.452 ms
    64 bytes from 192.168.1.150: seq=18 ttl=64 time=0.394 ms
    64 bytes from 192.168.1.150: seq=24 ttl=64 time=0.420 ms

And from the other (at the same time) I get all the pings and they all hit the second rule.