On 2022-09-07 11:25, Pablo Neira Ayuso wrote:
> On Wed, Sep 07, 2022 at 11:22:24AM -0400, Tom wrote:
> > table ip6 filter {
> >     set ping6 {
> >         typeof ip6 daddr . meta l4proto
> >         limit rate 5/second
> >         elements = { xxxx:43:a:83::2 . ipv6-icmp limit rate 5/second,
> >                      xxxx:43:a:83::3 . ipv6-icmp limit rate 5/second,
> >                      xxxx:43:a:83::4 . ipv6-icmp limit rate 5/second }
> >     }
> >     chain input {
> >         type filter hook input priority filter; policy drop;
> >         ip6 daddr . meta l4proto @ping6 accept
> >     }
> > }
> >
> > Is this OK?
>
> My recommendation is to use concatenations and sets, not to ratelimit
> _all_ icmpv6 traffic ;-)
Now I'm confused. I'd like to avoid ping floods if possible, but I can't seem to get the syntax right, so:
table ip6 filter {
    set ping6 {
        typeof ip6 daddr . meta l4proto
        elements = { xxxx:43:a:83::2 . ipv6-icmp,
                     xxxx:43:a:83::3 . ipv6-icmp,
                     xxxx:43:a:83::4 . ipv6-icmp }
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ip6 daddr . meta l4proto @ping6 accept
    }
}
... will work for now. If anyone can show me the correct syntax to enable ping6 rate limiting without crippling icmpv6, please do!
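One way to get what the last message asks for, as an added example that is not part of the thread and not from Pablo: keep the static `ping6` concatenation set for the hosts that may be pinged, match only `echo-request`, and track the per-destination rate in a separate dynamic set so that Neighbor Discovery and the other ICMPv6 types never hit the limit. The set name `ping6_meter`, the `2001:db8::` addresses and the 5/second figure are constructed for the example; the `add @set { key limit rate over ... }` form assumes an nft/kernel recent enough to support dynamic sets with stateful expressions.

```nft
table ip6 filter {
    # hosts that may be pinged (constructed documentation-prefix addresses;
    # the thread used xxxx:43:a:83::2-4)
    set ping6 {
        typeof ip6 daddr . meta l4proto
        elements = { 2001:db8:43:a:83::2 . ipv6-icmp,
                     2001:db8:43:a:83::3 . ipv6-icmp,
                     2001:db8:43:a:83::4 . ipv6-icmp }
    }

    # dynamic set keyed on destination address; each entry carries its own
    # limiter, so the 5/second ceiling applies per pinged host, not globally
    set ping6_meter {
        typeof ip6 daddr
        flags dynamic
        timeout 1m
        size 1024
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Neighbor Discovery and router messages are never rate limited;
        # limiting these is what "cripples" ICMPv6
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert } accept

        # echo requests to listed hosts: drop whatever exceeds the
        # per-destination rate, then accept the remainder
        ip6 daddr . meta l4proto @ping6 icmpv6 type echo-request add @ping6_meter { ip6 daddr limit rate over 5/second } drop
        ip6 daddr . meta l4proto @ping6 icmpv6 type echo-request accept

        # other ICMPv6 to the listed hosts (error messages, echo replies,
        # MLD) stays unlimited
        ip6 daddr . meta l4proto @ping6 accept
    }
}
```

`nft -c -f <file>` checks the ruleset syntax without loading it, and `nft list set ip6 filter ping6_meter` shows which destinations currently hold a limiter entry.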