On 2022-09-08 04:46, Reindl Harald wrote:
> On 07.09.22 at 17:57, Tom wrote:
>> Now I'm confused. I'd like to avoid ping floods if possible
> but that makes no sense when doing more harm than good - the knee-jerk reaction of killing all ICMP has been a problem for decades even on IPv4, but will no longer work with IPv6

Who said I wanted to kill all ICMP? Isn't it obvious that I'm trying to write a rule that allows it?

>> but I can't seem to get the syntax right, so:
> enable ping6 rate limiting without crippling icmpv6, please do!
> one of the responses contained "Please use 'icmpv6 type { echo-request, echo-reply }'"

Yes, I saw that. As I pointed out, I can't get the syntax right which specifies type in a set and also limits rates. That's why I dropped rate limits.

> why do you make all that so complicated instead of writing a simple ratelimit rule for ping that applies to everyone, and *before* it have a set which ACCEPTs a specific list of IPs, if that's needed at all

OK, sounds good. Perhaps you're under the mistaken impression that I'm an NFT expert. Clearly I'm not. Perhaps you could suggest a resource where I might find examples which solve my problem. Better yet, you could provide a practical example. It would be appreciated.

> "I'd like to avoid ping floods if possible" doesn't scale at all with a manually maintained list of source IPs, and I can't think of anybody with a justification for more than 5 pings per second

Except they're not source IPs, they are destination IPs. The server has multiple IP addresses. I am not limiting which IPs can ping, I'm limiting which of the server IPs they can ping to.
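As an added illustration of the rule shape discussed in this thread (not a ruleset posted by either participant), the following nftables fragment rate-limits ICMPv6 echo-request only when it is addressed to a set of the server's own IPv6 addresses, keeps the rest of ICMPv6 working, and uses the 5 pings per second figure mentioned above. The addresses in the set are constructed from the 2001:db8::/32 documentation prefix and the table/set names are assumptions.

```nft
# Added example: rate-limited ping6 to selected destination addresses
table inet filter {
    # Set of *destination* addresses (the server's own IPv6 addresses)
    # that may be pinged; addresses are constructed placeholders.
    set ping6_targets {
        type ipv6_addr
        elements = { 2001:db8::10, 2001:db8::20 }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        # Replies to pings we sent out are tracked as "established"
        # by the ICMP conntrack helper, so echo-reply needs no own rule.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 types IPv6 itself depends on (ND, PMTU discovery, errors).
        # Dropping these is what "kill all ICMP" breaks on IPv6.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert,
            mld-listener-query, mld-listener-report, mld-listener-reduction
        } accept

        # Echo requests to the listed destination addresses, limited to
        # 5 per second with a small burst; "limit" is a single global
        # bucket, not a per-source limit.
        ip6 daddr @ping6_targets icmpv6 type echo-request \
            limit rate 5/second burst 10 packets accept

        # Echo requests to any other address of the host, or above the
        # rate, fall through to the chain policy and are dropped.
        icmpv6 type echo-request counter drop
    }
}
```

Save it to a file and validate the syntax without loading it using `nft -c -f <file>`; `nft -f <file>` then applies it, after which `nft list ruleset` shows the counter on the final drop rule climbing if a flood is hitting a non-listed address.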