On 2022/07/06 06:09, Nuno Gonçalves wrote:
> On Wed, Jul 6, 2022 at 10:59 AM Frank Myhr <fmyhr@xxxxxxxxxxx> wrote:
>> Hi Nuno,
>> The icmp and icmpv6 rules you refer to are in regular chains, both
>> called by base chain "inbound" that has policy drop and no other icmp /
>> icmp6 rules. Therefore there is no need for the additional "drop" rules
>> that you suggest; packets arriving faster than the limit rates will be
>> dropped by the calling base chain's default policy.
>> Best regards,
>> Frank
> I think ct (conntrack) will track it after the first accept and so the
> rate limit becomes ignored.
> This is what happens in reality. My understanding is that it's a bug
> in this configuration. If the configuration is correct then it would
> be a bug (I'm on 5.18.9).
To be clear: you're testing this example ruleset and seeing unlimited
echo requests being allowed in despite the limit rule?
> Can you give me a hint why you think ct wouldn't accept it forever
> after the first accept?
I'm going to have to defer to others with in-depth knowledge of ct. I
suspect that if all of your echo requests come from the same source ip
address, *maybe* the limit is ineffective as you suggest. I'd be very
surprised if echo requests from multiple ip addresses are also immune to
the limit.
Best regards,
Frank
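As an added illustration of the interaction Nuno describes (this ruleset is not from the thread; the chain names, rate and the early conntrack accept are assumptions about a typical "inbound" ruleset shape): conntrack tracks ICMP echo by source, destination and echo id, so once the first echo-request is accepted and replied to, later requests with the same id match `ct state established` and never reach the regular chain holding the limit. Evaluating the ICMP chain before the generic conntrack accept keeps the limit effective.

```nft
# Added example, not the thread author's ruleset. Assumed names: table
# "filter", base chain "inbound", regular chain "icmp_in", rate 5/second.
table inet filter {
    chain icmp_in {
        # Within the limit: accept. Beyond it: fall through to the base
        # chain, where an explicit drop (below) or the policy handles it.
        icmp type echo-request limit rate 5/second accept
        icmpv6 type echo-request limit rate 5/second accept
        # Other ICMP/ICMPv6 types are left to the caller's rules.
    }

    chain inbound {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state invalid drop

        # Bypass being avoided: with "ct state established,related accept"
        # placed HERE, an echo-request belonging to a flow that has already
        # been accepted once (same src/dst/id, reply seen) is accepted by
        # that rule and never jumps to icmp_in, so the limit is ignored.

        # Evaluate the rate limit first, for new and established flows alike.
        meta l4proto { icmp, ipv6-icmp } jump icmp_in
        # Echo requests over the limit return here; drop them explicitly so
        # they cannot be picked up by the conntrack accept that follows.
        icmp type echo-request drop
        icmpv6 type echo-request drop

        # Generic conntrack accept for everything else (TCP/UDP replies,
        # ICMP errors related to tracked flows, remaining ICMP types).
        ct state established,related accept
    }
}
```

Nuno's observation of a single `ping` being accepted without limit is consistent with this: `ping` keeps one echo id and increments only the sequence, so every request after the first reply is one established flow.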