Re: [nftables] log flood protection?

It is not clear whether the limit statement applies to logging (as in the given example) or is being interpreted in a wider context, which actually reads:

update @foo { ip saddr timeout 10s limit rate over 14000/second burst 200 packets } log flags all prefix "foo DROP: " limit rate 1/second drop;

From my understanding that should evaluate the 'rate over 14000/second burst 200 packets' for a period of '10 seconds' and then limit the log output to '1 line/packet per 1 second'.

But that is not what is happening and more than 1 line/packet per second gets buffered in the log.


On 25/09/2020 10:48, david@xxxxxxxxx wrote:
Because you use general limit. I use per IP limit. Try iptables translate to nft. Someone explained that it floods log because one IP matches and rest goes to log. Unsure exactly.

I used this article

https://making.pusher.com/per-ip-rate-limiting-with-iptables/

On Sep 25, 2020 10:31, ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
kernel 5.9.0-rc6 armv7l | nft 0.9.6
_____

Trying to limit log entries as a preventive measure for log flooding with

log flags all prefix "foo DROP: " limit rate 1/second

however that does not work, i.e. the specified rate is not observed and
more than 1 line / packet per sec is being printed.

Unless I missed it, there is nothing in the wiki or man page about it; the man
page (section LIMIT STATEMENT) only states:

It can be used in combination with the log statement to give limited
logging

but unfortunately no syntax sample.

How to implement log flooding protection?
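As an added example (not part of the thread and not taken from the nftables project's documentation), here is a ruleset that rate-limits the logging of dropped traffic while still dropping everything. Two details carry the security point: statements in an nft rule run left to right, so a `limit` only gates a `log` when it comes before it (with `log ... limit` the line is already written by the time the limit is checked), and the `drop` belongs in its own rule or in the chain policy, because a `limit ... log ... drop` rule stops matching once the rate is exceeded and the excess packets would fall through to later rules unlogged and undropped. Table, chain and set names, the timeout, rate and burst values and the accepted ports are assumptions; the prefix "foo DROP: " is the one used in the thread.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Names, rates and timeouts are
# illustrative assumptions; adjust to the host.

flush ruleset

table inet filter {
    # Dynamic set keyed by IPv4 source address. Each element carries its
    # own token bucket, so a single noisy source cannot exhaust the log
    # budget of every other source. Elements expire 10s after last update.
    set log_src_v4 {
        type ipv4_addr
        flags dynamic,timeout
        timeout 10s
        size 65535
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Assumed service ports.
        tcp dport { 22, 443 } accept

        # Anything left is unwanted: log it (rate-limited) and drop it.
        jump log_drop
    }

    chain log_drop {
        # Per-source limit placed BEFORE log. 'update' creates the element
        # on first sight and refreshes its timeout. The rule matches only
        # while this source is under 1 packet/second (burst 5); over that,
        # the rule stops matching and the packet goes straight to 'drop'
        # below, unlogged.
        update @log_src_v4 { ip saddr timeout 10s limit rate 1/second burst 5 packets } log flags all prefix "foo DROP: "

        # Alternative, a single global budget for the whole chain (comment
        # the per-source rule out if you use this one, or lines log twice):
        # limit rate 1/second burst 5 packets log flags all prefix "foo DROP: "

        # Separate terminal rule: dropped regardless of whether it was logged.
        drop
    }
}
```

IPv6 traffic reaching log_drop is not matched by `ip saddr`, so it is dropped without a log line; add a matching `ipv6_addr` set and `ip6 saddr` rule if that traffic should be logged too. Load with `nft -f` and compare the resulting `dmesg`/journal volume under a flood against the rate configured; with the limit placed after `log` in the same rule, the line count is unbounded.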
