On Tue, Apr 30, 2019 at 11:36:18PM +0200, Mikhail Morfikov wrote:
> On 30/04/2019 22:54, Pablo Neira Ayuso wrote:
> > Looks like a bug, the action "counter drop" seems to be ignored.
> >
> > Does this counter bump once the set is full?
> >
> > I'm referring to this rule:
> >
> > add rule netdev traffic-control chain-icmp add @meter-icmp { ip saddr limit rate over 10/minute burst 1 packets } counter drop
> >
>
> Yes, it counts packets when the set is full:
>
> set meter-icmp {
>     type ipv4_addr
>     size 1
>     flags dynamic,timeout
>     timeout 1m
>     elements = { 192.168.1.1 expires 54s791ms limit rate over 10/minute burst 1 packets }
> }
>
> chain chain-icmp {
>     add @meter-icmp { ip saddr limit rate over 10/minute burst 1 packets } counter packets 24 bytes 2016 drop
>     counter packets 43 bytes 3612 accept
> }

Probably this policy then?

set meter-icmp {
    type ipv4_addr
    size 1
    flags dynamic,timeout
    timeout 1m
}

chain chain-icmp {
    add @meter-icmp { ip saddr limit rate 10/minute burst 1 packets } counter accept
    counter drop
}

If limit is under 10/minute, then traffic is accepted. Otherwise, drop
(including if set is full).

Is this what you want to achieve?
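
The policy proposed in the reply above, modelled in Python as an added example (not code from the thread or from nftables) to show which packets fall through to the final drop. The integer token bucket, the expiry handling and the 192.0.2.x sample addresses are assumptions of this model, not the kernel's implementation.

```python
# Added model, not nftables code. Credit is tracked in integer milliseconds.
from dataclasses import dataclass

RATE_PER_MIN, BURST = 10, 1          # "limit rate 10/minute burst 1 packets"
SET_SIZE, TIMEOUT_MS = 1, 60_000     # "size 1", "timeout 1m"
COST_MS = 60_000 // RATE_PER_MIN     # credit one packet consumes

@dataclass
class Entry:
    expires: int   # absolute expiry time, ms
    credit: int    # token-bucket credit, ms
    last: int      # time of last refill, ms

class Meter:
    def __init__(self, size=SET_SIZE, timeout_ms=TIMEOUT_MS):
        self.size, self.timeout_ms, self.elems = size, timeout_ms, {}

    def add_and_limit(self, saddr, now):
        """True when 'add @meter-icmp { ip saddr limit rate ... }' matches."""
        # Drop timed-out elements first ("flags dynamic,timeout").
        self.elems = {k: e for k, e in self.elems.items() if e.expires > now}
        entry = self.elems.get(saddr)
        if entry is None:
            if len(self.elems) >= self.size:
                return False   # set full: element not added, no match
            entry = Entry(now + self.timeout_ms, BURST * COST_MS, now)
            self.elems[saddr] = entry
        # Refill by elapsed time, capped at the burst (assumed bucket model).
        entry.credit = min(BURST * COST_MS, entry.credit + now - entry.last)
        entry.last = now
        if entry.credit >= COST_MS:
            entry.credit -= COST_MS
            return True        # under the limit
        return False           # over the limit

def chain_icmp(meter, saddr, now):
    """Rule 1: add @meter-icmp {...} counter accept; rule 2: counter drop."""
    return "accept" if meter.add_and_limit(saddr, now) else "drop"

# Constructed sample traffic: (time in ms, source address).
PACKETS = [(0, "192.0.2.1"), (1_000, "192.0.2.1"), (2_000, "192.0.2.2"),
           (7_000, "192.0.2.1"), (61_000, "192.0.2.2"), (61_500, "192.0.2.1")]

def run(packets=PACKETS):
    meter = Meter()
    return [chain_icmp(meter, saddr, now) for now, saddr in packets]

if __name__ == "__main__":
    for (now, saddr), verdict in zip(PACKETS, run()):
        print(f"{now:>6} ms  {saddr:<10} {verdict}")
```

In this model the third and last packets are dropped only because the one-element set is occupied by another source, which is the "including if set is full" case.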