On 2022-09-07 10:58, Florian Westphal wrote:
> Tom <tom@xxxxxxxxxxx> wrote:
> > nft add rule ip6 filter input ip6 nexthdr icmpv6 counter limit rate 5/second accept
>
> This is not related to ping, this ratelimits ALL of icmpv6.
> Please use 'icmpv6 type { echo-request, echo-reply }'.
>
> icmpv6 is an integral part of ipv6, the above will ratelimit neighbour
> solicitations, pmtu updates and so on as well.
Ooh, that's not good. What about this, recommended by Pablo:
table ip6 filter {
	set ping6 {
		typeof ip6 daddr . meta l4proto
		limit rate 5/second
		elements = { xxxx:43:a:83::2 . ipv6-icmp limit rate 5/second,
			     xxxx:43:a:83::3 . ipv6-icmp limit rate 5/second,
			     xxxx:43:a:83::4 . ipv6-icmp limit rate 5/second }
	}

	chain input {
		type filter hook input priority filter; policy drop;
		ip6 daddr . meta l4proto @ping6 accept
	}
}
Is this OK?
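For reference, the following ruleset is an added example (not from this thread, and not the netfilter project's own configuration) that applies Florian's advice directly: the ICMPv6 types IPv6 depends on (neighbour and router discovery, Packet Too Big for PMTU discovery, and the other error messages) are accepted without any limit, and only echo-request/echo-reply are rate-limited. The table and chain names, and the 5/second figure, follow the thread; the list of exempted types is an assumption about what a typical host needs.

```nft
table ip6 filter {
	chain input {
		type filter hook input priority filter; policy drop;

		# Added example, not from the thread. Neighbour discovery, router
		# discovery, PMTU signalling and the ICMPv6 error messages are part of
		# how IPv6 works at all; they must never be rate-limited, otherwise
		# address resolution and path MTU discovery start failing under load.
		icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, packet-too-big, time-exceeded, parameter-problem, destination-unreachable } accept

		# Only ping is subject to the limit. The limit statement matches packets
		# within 5/second; anything above that falls through to the chain policy
		# and is dropped (constructed figure, taken from the thread).
		icmpv6 type { echo-request, echo-reply } limit rate 5/second accept
	}
}
```

Load it with `nft -f` after checking it with `nft -c -f`; the `-c` run parses and validates the file without committing it, which is the quickest way to catch a typo in an ICMPv6 type name before it takes effect on a host you are reaching over IPv6.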