On Wed, Sep 07, 2022 at 11:22:24AM -0400, Tom wrote:
> On 2022-09-07 10:58, Florian Westphal wrote:
> > Tom <tom@xxxxxxxxxxx> wrote:
> > > nft add rule ip6 filter input ip6 nexthdr icmpv6 counter limit rate 5/second accept
> >
> > This is not related to ping, this ratelimits ALL of icmpv6.
> > Please use 'icmpv6 type { echo-request, echo-reply }'.
> >
> > icmpv6 is an integral part of ipv6, the above will ratelimit neighbour
> > solicitations, pmtu updates and so on as well.
>
> Ooh, that's not good. What about this, recommended by Pablo:
>
> table ip6 filter {
>         set ping6 {
>                 typeof ip6 daddr . meta l4proto
>                 limit rate 5/second
>                 elements = { xxxx:43:a:83::2 . ipv6-icmp limit rate 5/second,
>                              xxxx:43:a:83::3 . ipv6-icmp limit rate 5/second,
>                              xxxx:43:a:83::4 . ipv6-icmp limit rate 5/second }
>         }
>         chain input {
>                 type filter hook input priority filter; policy drop;
>                 ip6 daddr . meta l4proto @ping6 accept
>         }
> }
>
> Is this OK?

My recommendation is to use concatenations and sets, not to ratelimit
_all_ icmpv6 traffic ;-)
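An added example, not posted by anyone in the thread, that combines both pieces of advice: the per-destination set and concatenation are kept, but the set is keyed on the ICMPv6 type rather than on meta l4proto, so only echo traffic consumes the 5/second budget while neighbour discovery, router advertisements and PMTU messages are accepted without limit. The addresses are constructed placeholders from the 2001:db8::/32 documentation prefix.

```nft
table ip6 filter {
	# Stateful set: each element carries its own limit, so every listed
	# destination gets an independent 5/second echo-request budget.
	# Keyed on icmpv6 type so that nothing but echo traffic is limited.
	# Addresses are constructed placeholders (documentation prefix).
	set ping6 {
		typeof ip6 daddr . icmpv6 type
		limit rate 5/second
		elements = { 2001:db8:43:a:83::2 . echo-request limit rate 5/second,
		             2001:db8:43:a:83::3 . echo-request limit rate 5/second,
		             2001:db8:43:a:83::4 . echo-request limit rate 5/second }
	}

	chain input {
		type filter hook input priority filter; policy drop;

		iif lo accept
		ct state established,related accept

		# ICMPv6 that IPv6 itself depends on (neighbour/router discovery,
		# PMTU discovery, error reporting): accepted with no rate limit.
		icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
		              nd-router-solicit, nd-router-advert,
		              packet-too-big, time-exceeded,
		              parameter-problem, destination-unreachable } accept

		# Echo requests to a listed destination, within that address's budget.
		# The lookup only matches while the element's limit is not exceeded.
		ip6 daddr . icmpv6 type @ping6 accept

		# Over-budget or unlisted echo requests: counted so the effect of the
		# limit is visible in `nft list ruleset`, then dropped.
		icmpv6 type echo-request counter drop
	}
}
```

Loading it with `nft -f` replaces the earlier variant; compare the counter on the final rule against the set's accepts to confirm that only echo traffic, and not neighbour discovery, is being limited.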