On Mon, Sep 28, 2020 at 11:02:00AM +0000, ѽ҉ᶬḳ℠ wrote:
[...]
> It seems that updating a set and dropping the packet in the same rule does
> not work either, e.g.
>
> ip protocol tcp update @glv4 { ip saddr limit rate over 50/second burst 15
> packets } log prefix "foo " drop
>
> would seem to only update the named set but is neither logging nor dropping
> the frame.

This example is working fine here:

table ip x {
        set glv4 {
                typeof ip saddr
                size 65535
                flags dynamic,timeout
                timeout 15m
        }

        chain y {
                type filter hook output priority filter; policy accept;
                ip protocol tcp update @glv4 { ip daddr limit rate over 1/minute burst 2 packets } log prefix "foo " drop
        }
}

hping3 -S x.x.x.x -p 80 -c 1
HPING x.x.x.x (enp0s25 x.x.x.x): S set, 40 headers + 0 data bytes
len=46 ip=x.x.x.x ttl=53 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=31.8 ms

--- x.x.x.x hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 31.8/31.8/31.8 ms

hping3 -S x.x.x.x -p 80 -c 1
HPING x.x.x.x (enp0s25 x.x.x.x): S set, 40 headers + 0 data bytes
[send_ip] sendto: Operation not permitted

[137712.162113] foo IN= OUT=enp0s25 SRC=10.141.1.219 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=57787 PROTO=TCP SPT=2904 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
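The following is an added, editorial model of what the rule in the reply above does, not code from the thread or from the nftables project. It treats `limit rate over R/unit burst B packets` as a per-key token bucket that holds at most B packets and refills at R per unit, with the `over` expression matching only when the bucket is empty, and it treats `update @set { key ... }` as creating the element on first sight and refreshing its `timeout` on every later packet. The packet trace, the addresses (192.0.2.x) and the log-line format are constructed for the example. Note that the trace also includes the RST the local kernel sends in reply to the SYN/ACK when hping3's raw SYN has no listening socket: that RST is TCP to the same destination and also traverses the output chain, which is my reading of why, with `burst 2 packets`, the second hping3 run in the transcript is already over the limit.

```python
"""Model of a dynamic-set rate meter, illustrating the nft rule

    ip protocol tcp update @glv4 { ip daddr limit rate over 1/minute burst 2 packets } log prefix "foo " drop

This is an illustrative model written for this page, not nftables' own code.
Assumed semantics (see lead-in): per-key token bucket of `burst` packets,
refilled at `rate` per `unit` seconds; element created on first sight and its
timeout refreshed on every update; expired elements start with a full bucket.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Bucket:
    tokens: float   # packets still allowed before the limit is exceeded
    last: float     # time of the last refill (seconds)
    expires: float  # element timeout, refreshed on every update


class DynamicLimitSet:
    """One `flags dynamic,timeout` set whose elements carry a limit state."""

    def __init__(self, rate: int, unit_seconds: float, burst: int, timeout: float):
        self.rate, self.unit, self.burst, self.timeout = rate, unit_seconds, burst, timeout
        self.elements: Dict[str, Bucket] = {}

    def update_over(self, key: str, now: float) -> bool:
        """Mirror `update @set { key limit rate over ... }`; True when over limit."""
        b = self.elements.get(key)
        if b is None or now >= b.expires:
            # first sight, or the element timed out: fresh element, full bucket
            b = Bucket(tokens=float(self.burst), last=now, expires=now + self.timeout)
            self.elements[key] = b
        else:
            b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate / self.unit)
            b.last = now
            b.expires = now + self.timeout  # `update` refreshes the element timeout
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return False
        return True


@dataclass
class Packet:
    t: float      # send time in seconds (constructed)
    proto: str    # "tcp" / "udp"
    daddr: str
    flags: str    # TCP flags, only used for the log line


def run_output_chain(packets: List[Packet], glv4: DynamicLimitSet) -> List[Tuple[str, Optional[str]]]:
    """Evaluate the `chain y` rule for each packet: (verdict, log line or None)."""
    results: List[Tuple[str, Optional[str]]] = []
    for p in packets:
        if p.proto == "tcp" and glv4.update_over(p.daddr, p.t):
            # `log prefix "foo " drop`: log and drop in the same rule
            results.append(("drop", f"foo OUT=enp0s25 DST={p.daddr} PROTO=TCP {p.flags}"))
        else:
            results.append(("accept", None))  # policy accept
    return results


# Constructed trace: two hping3 -c 1 runs against 192.0.2.10, the kernel's own
# RST in between, an unrelated UDP packet, a retry one minute later, another
# destination, and a burst after the 15-minute element timeout has elapsed.
TRACE = [
    Packet(0.00, "tcp", "192.0.2.10", "SYN"),   # hping3 run 1: token 2 -> 1
    Packet(0.03, "tcp", "192.0.2.10", "RST"),   # kernel answers the SYN/ACK: 1 -> 0
    Packet(5.00, "tcp", "192.0.2.10", "SYN"),   # hping3 run 2: over limit, logged + dropped
    Packet(6.00, "udp", "192.0.2.10", ""),      # not tcp: rule does not apply
    Packet(65.0, "tcp", "192.0.2.10", "SYN"),   # one token refilled after a minute
    Packet(70.0, "tcp", "192.0.2.20", "SYN"),   # different key, own bucket
    Packet(2000.0, "tcp", "192.0.2.10", "SYN"), # element expired (65 + 900 < 2000): fresh bucket
    Packet(2000.01, "tcp", "192.0.2.10", "SYN"),
    Packet(2000.02, "tcp", "192.0.2.10", "SYN"),# third in the burst: dropped
]


def run_example() -> List[Tuple[str, Optional[str]]]:
    return run_output_chain(TRACE, DynamicLimitSet(rate=1, unit_seconds=60, burst=2, timeout=900))


if __name__ == "__main__":
    for p, (verdict, log) in zip(TRACE, run_example()):
        print(f"t={p.t:8.2f} {p.proto:3} {p.daddr:12} {verdict:6} {log or ''}")
```

Running the model prints the verdict per packet; the third packet of the trace is the one that, on the real box, shows up as `sendto: Operation not permitted` for hping3 and as the `foo ` line in the kernel log. To check the same thing on a live system, `nft list set ip x glv4` shows the dynamic elements and their remaining timeouts while the test traffic is being sent.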