I am experimenting with a multi-level rate-limiting approach via a
dynamic set, to achieve finer granularity:
set b_sa6 {
    type ipv6_addr
    size 65535
    flags dynamic, timeout
    timeout 14d
    gc-interval 5s
}
For readability: icmpv6 type 128 = echo-request.
These are the rules in play at the same time:
icmpv6 type 128 update @b_sa6 { ip6 saddr timeout 168h limit rate over 500/day } drop;
icmpv6 type 128 update @b_sa6 { ip6 saddr timeout 24h limit rate over 150/hour } drop;
icmpv6 type 128 update @b_sa6 { ip6 saddr timeout 2h limit rate over 50/minute } drop;
icmpv6 type 128 update @b_sa6 { ip6 saddr timeout 10m limit rate over 15/second burst 2 packets } drop;
With only one rule in play the rate limiting works as expected, but
as soon as two or more are in play, packets are dropped well below
the specified limit.
Is it somehow possible to get this sort of fine-tuning done?
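The behaviour described above follows from all four rules updating the same dynamic set with the same key: the element for a source address is created by the first rule that sees it, together with that rule's limiter, and every later rule's update on the same key evaluates that one existing limiter again instead of creating its own, so a single packet is charged several times against the first tier. The usual way to get independent tiers is one dynamic set per tier. The ruleset below is an added example, not code from the original post; the table, set and chain names are made up, and the per-second tier keeps the original burst setting.

```nft
# Added example: one dynamic set per rate-limit tier so that each tier
# keeps its own per-source limiter. Names are illustrative.
table inet icmp6_ratelimit {
    # Element lifetime per tier matches the window the tier measures over;
    # gc-interval controls how often expired elements are reaped.
    set echo_day    { type ipv6_addr; size 65535; flags dynamic, timeout; timeout 168h; gc-interval 5s; }
    set echo_hour   { type ipv6_addr; size 65535; flags dynamic, timeout; timeout 24h;  gc-interval 5s; }
    set echo_minute { type ipv6_addr; size 65535; flags dynamic, timeout; timeout 2h;   gc-interval 5s; }
    set echo_second { type ipv6_addr; size 65535; flags dynamic, timeout; timeout 10m;  gc-interval 5s; }

    chain input {
        type filter hook input priority 0; policy accept;

        # Each rule touches only its own set, so a packet is counted exactly
        # once per tier. 'counter' makes the drops visible in 'nft list ruleset'.
        icmpv6 type echo-request update @echo_day    { ip6 saddr limit rate over 500/day } counter drop
        icmpv6 type echo-request update @echo_hour   { ip6 saddr limit rate over 150/hour } counter drop
        icmpv6 type echo-request update @echo_minute { ip6 saddr limit rate over 50/minute } counter drop
        icmpv6 type echo-request update @echo_second { ip6 saddr limit rate over 15/second burst 2 packets } counter drop
    }
}
```

Check the syntax without loading it with `nft -c -f <file>`, load it with `nft -f <file>`, and inspect a tier's live elements and their remaining timeouts with `nft list set inet icmp6_ratelimit echo_day`. If you also want the addresses that tripped a tier to be blocked outright for a while, add a separate plain `flags dynamic, timeout` set that the drop rules populate with `add @blocked { ip6 saddr }` and match it first in the chain; keep the limiters and the block list in different sets for the same reason as above.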