Re: [nftables] netdev rate limiting | timeouts rfq

On 28/09/2020 13:52, Pablo Neira Ayuso wrote:
> On Mon, Sep 28, 2020 at 11:02:00AM +0000, ѽ҉ᶬḳ℠ wrote:
> [...]
>> It seems that updating a set and dropping the packet in the same rule does
>> not work either, e.g.
>>
>> ip protocol tcp update @glv4 { ip saddr limit rate over 50/second burst 15
>> packets } log prefix "foo " drop
>>
>> would seem to only update the named set but is neither logging nor dropping
>> the frame.
> This example is working fine here:
>
> table ip x {
>          set glv4 {
>                  typeof ip saddr
>                  size 65535
>                  flags dynamic,timeout
>                  timeout 15m
>          }
>
>          chain y {
>                  type filter hook output priority filter; policy accept;
>                  ip protocol tcp update @glv4 { ip daddr limit rate over 1/minute burst 2 packets } log prefix "foo " drop
>          }
> }
>
> hping3 -S x.x.x.x -p 80 -c 1
> HPING x.x.x.x (enp0s25 x.x.x.x): S set, 40 headers + 0 data bytes
> len=46 ip=x.x.x.x ttl=53 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=31.8 ms
>
> --- x.x.x.x hping statistic ---
> 1 packets transmitted, 1 packets received, 0% packet loss
> round-trip min/avg/max = 31.8/31.8/31.8 ms
>
> hping3 -S x.x.x.x -p 80 -c 1
> HPING x.x.x.x (enp0s25 x.x.x.x): S set, 40 headers + 0 data bytes
> [send_ip] sendto: Operation not permitted
>
> [137712.162113] foo IN= OUT=enp0s25 SRC=10.141.1.219 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=57787 PROTO=TCP SPT=2904 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0


In the example below it does not print any logs, and since that stanza is right before drop, I reckon that because the log printing does not happen, the frame dropping does not either.

table inet filter {
        set n_wan {
                type ifname
                flags constant
                elements = { "eth2", "pppoe-wan" }
        }
        set glv4 {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                timeout 7d
                gc-interval 10s
        }
        flowtable fte {
                hook ingress priority -100
                devices = { eth2 }
                counter
        }
        flowtable ftw {
                hook ingress priority -100
                devices = { pppoe-wan }
                counter
        }
        chain forward {
                type filter hook forward priority filter; policy drop;
                icmpv6 type echo-request accept
                ct state established,related accept
                iifname != @n_wan accept
                tcp flags syn tcp option maxseg size set rt mtu
                ip protocol { tcp, udp } flow add @fte
                ip6 nexthdr { tcp, udp } flow add @fte
                ip protocol { tcp, udp } flow add @ftw
                ip6 nexthdr { tcp, udp } flow add @ftw
        }
        chain prerouting {
                type filter hook prerouting priority mangle; policy accept;
                iifname @n_wan goto wan_pr
        }
        chain wan_pr {
                ct state { new } update @glv4 { ip saddr limit rate over 15/day burst 3 packets } log prefix "glv4 DROP: " flags all drop
        }
}
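A self-contained way to exercise the `update @glv4 { ip saddr limit rate over ... } log ... drop` construct discussed in this thread without touching a live ruleset, added here as an example and not part of the original message or of the nftables project: two throwaway network namespaces joined by a veth pair, the rate-limit rule loaded on the receiving side, and a burst of probes sent from the other side. Assumptions: root, `nft`, iproute2 and iputils `ping` are available; the namespace and interface names, the 10.99.0.0/24 addresses, the ICMP echo probe (instead of hping's TCP SYN) and the 15m timeout are constructed for this example, while the set name `glv4` and the `"foo "` log prefix are reused from the thread. A `counter` is appended to the rule so that `nft list chain` shows whether the rule matched at all, independent of where the `log` output ends up.

```shell
#!/bin/sh
# Added example, not the thread's or nftables' own code.
# Reproduces "update @set { ip saddr limit rate over ... } log ... drop" in a
# namespace pair. Run as: sudo sh repro.sh run
set -eu

NS_A=rl_a          # sender namespace (constructed name)
NS_B=rl_b          # receiver namespace holding the ruleset (constructed name)

# Emit the ruleset under test. $1 = rate (e.g. 1/minute), $2 = burst packets.
# Set name and log prefix are taken from the thread; the counter is added so
# rule evaluation is visible even when the log line is not.
gen_ruleset() {
    cat <<EOF
table inet filter {
        set glv4 {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                timeout 15m
        }
        chain input {
                type filter hook input priority filter; policy accept;
                ip protocol icmp update @glv4 { ip saddr limit rate over $1 burst $2 packets } log prefix "foo " counter drop
        }
}
EOF
}

setup() {
    ip netns add "$NS_A"; ip netns add "$NS_B"
    ip link add veth-a type veth peer name veth-b
    ip link set veth-a netns "$NS_A"; ip link set veth-b netns "$NS_B"
    ip -n "$NS_A" addr add 10.99.0.1/24 dev veth-a
    ip -n "$NS_B" addr add 10.99.0.2/24 dev veth-b
    ip -n "$NS_A" link set lo up;     ip -n "$NS_B" link set lo up
    ip -n "$NS_A" link set veth-a up; ip -n "$NS_B" link set veth-b up
    gen_ruleset 1/minute 2 | ip netns exec "$NS_B" nft -f -
}

teardown() {
    ip netns del "$NS_A" 2>/dev/null || true
    ip netns del "$NS_B" 2>/dev/null || true
}

# Send $1 echo requests one at a time from A to B; print how many were answered.
probe() {
    ok=0; i=0
    while [ "$i" -lt "$1" ]; do
        if ip netns exec "$NS_A" ping -c 1 -W 1 10.99.0.2 >/dev/null 2>&1; then
            ok=$((ok + 1))
        fi
        i=$((i + 1))
    done
    echo "$ok"
}

main() {
    trap teardown EXIT
    setup
    replies=$(probe 6)
    echo "echo requests answered: $replies of 6 (the rest were over the limit)"
    echo "--- set contents: the sender address should be present with a timeout ---"
    ip netns exec "$NS_B" nft list set inet filter glv4
    echo "--- rule counter: packets = number of times the drop rule matched ---"
    ip netns exec "$NS_B" nft list chain inet filter input
    echo "--- kernel log lines from the rule (printk is global, so dmesg on the host) ---"
    dmesg | grep 'foo ' | tail -n 5 || true
}

case "${1:-}" in
    run) main ;;
    *)   echo "usage: sudo sh $0 run   (needs nft, iproute2 and ping)" >&2 ;;
esac
```

The exact number of answered probes depends on how the kernel accounts the burst, so the script reports it rather than asserting it; what matters for the question in this thread is that the rule counter increments and the `foo ` log lines appear together with the unanswered probes, and that the set listing shows the sender with a running timeout. Swapping `gen_ruleset`'s chain for a prerouting or forward hook, or adding `ct state { new }` in front of the `update`, turns the same harness into a check of the author's configuration.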
