On Wed, Jul 6, 2022 at 10:59 AM Frank Myhr <fmyhr@xxxxxxxxxxx> wrote:
> Hi Nuno,
>
> The icmp and icmpv6 rules you refer to are in regular chains, both
> called by base chain "inbound" that has policy drop and no other icmp /
> icmp6 rules. Therefore there is no need for the additional "drop" rules
> that you suggest; packets arriving faster than the limit rates will be
> dropped by the calling base chain's default policy.
>
> Best regards,
> Frank

I think ct (conntrack) will track it after the first accept and so the rate limit becomes ignored. This is what happens in reality.

My understanding is that it's a bug in this configuration. If the configuration is correct then it would be a bug (I'm on 5.18.9).

Can you give me a hint why you think ct wouldn't accept it forever after the first accept?

Thanks!