On Wed, Sep 07, 2022 at 11:57:16AM -0400, Tom wrote:
> On 2022-09-07 11:25, Pablo Neira Ayuso wrote:
> > On Wed, Sep 07, 2022 at 11:22:24AM -0400, Tom wrote:
> > > table ip6 filter {
> > >     set ping6 {
> > >         typeof ip6 daddr . meta l4proto
> > >         limit rate 5/second
> > >         elements = { xxxx:43:a:83::2 . ipv6-icmp limit rate 5/second,
> > >                      xxxx:43:a:83::3 . ipv6-icmp limit rate 5/second,
> > >                      xxxx:43:a:83::4 . ipv6-icmp limit rate 5/second }
> > >     }
> > >     chain input {
> > >         type filter hook input priority filter; policy drop;
> > >         ip6 daddr . meta l4proto @ping6 accept
> > >     }
> > >
> > > Is this OK?
> >
> > My recommendation is to use concatenations and sets, not to ratelimit
> > _all_ icmpv6 traffic ;-)
>
> Now I'm confused. I'd like to avoid ping floods if possible, but I can't seem to get the syntax right, so:

> table ip6 filter {
>     set ping6 {
>         typeof ip6 daddr . meta l4proto

You removed the limit line in the set declaration?

>         elements = { xxxx:43:a:83::2 . ipv6-icmp,
>                      xxxx:43:a:83::3 . ipv6-icmp,
>                      xxxx:43:a:83::4 . ipv6-icmp }
>     }
>     chain input {
>         type filter hook input priority filter; policy drop;
>         ip6 daddr . meta l4proto @ping6 accept
>     }
> }

If you would like to throttle icmpv6 echo-request, then:

table ip6 filter {
    set ping6 {
        typeof ip6 daddr . icmpv6 type
        limit rate 5/second
        elements = { aaaa:43:a:83::2 . echo-request,
                     aaaa:43:a:83::3 . echo-request,
                     aaaa:43:a:83::4 . echo-request }
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ip6 daddr . icmpv6 type @ping6 accept
    }
}

Please see the wiki for more examples on concatenations and sets/maps.
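
Added example, not part of the original message and not nftables code: a simplified Python token-bucket model of why a limit kept per set element isolates a ping flood, while one limit shared by all ICMPv6 traffic lets a flood to one address starve pings to the others. The Bucket class, simulate(), the burst of 5 and the traffic sample are assumptions made for illustration.

```python
from dataclasses import dataclass

# Simplified model (assumption): every limiter is a token bucket refilled at
# `rate` tokens per second and capped at `burst`; one packet costs one token.
@dataclass
class Bucket:
    rate: float = 5.0    # "limit rate 5/second"
    burst: float = 5.0   # assumed burst allowance
    tokens: float = 5.0  # bucket starts full
    last: float = 0.0    # time of the previous packet seen

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True      # rule matches -> accept
        return False         # no match -> falls through to policy drop

def simulate(packets, per_element):
    """packets: (time, daddr) pairs. Returns accepted packet count per daddr."""
    shared, buckets, accepted = Bucket(), {}, {}
    for now, daddr in sorted(packets):
        # per_element=True: one limiter per set element, as in the set above.
        # per_element=False: one limiter shared by all ICMPv6 traffic.
        bucket = buckets.setdefault(daddr, Bucket()) if per_element else shared
        accepted[daddr] = accepted.get(daddr, 0) + bucket.allow(now)
    return accepted

# Constructed traffic for one second: 1000 echo-requests to ::2, two to ::3.
FLOOD, NORMAL = "aaaa:43:a:83::2", "aaaa:43:a:83::3"

def sample_traffic():
    flood = [(i / 1000, FLOOD) for i in range(1000)]
    return flood + [(0.25, NORMAL), (0.75, NORMAL)]

if __name__ == "__main__":
    for mode in (False, True):
        print("per-element" if mode else "shared", simulate(sample_traffic(), mode))
```

In the shared case both pings to ::3 are dropped because the flood keeps the single bucket empty; with one bucket per element they are accepted and the flood is still capped.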