On Thu, Sep 08, 2022 at 11:43:01AM -0400, Tom wrote:
> On 2022-09-08 11:13, Pablo Neira Ayuso wrote:
> > you removed the limit line in the set declaration ?
>
> Yes, after I failed to get the right syntax to combine it with the ICMP type.
>
> > If you would like to throttle icmpv6 echo-request, the::
> >
> > table ip6 filter {
> >     set ping6 {
> >         typeof ip6 daddr . icmpv6 type
> >         limit rate 5/second
> >         elements = { aaaa:43:a:83::2 . echo-request,
> >                      aaaa:43:a:83::3 . echo-request,
> >                      aaaa:43:a:83::4 . echo-request }
> >     }
> >     chain input {
> >         type filter hook input priority filter; policy drop;
> >         ip6 daddr . icmpv6 type @ping6 accept
> >     }
> > }
>
> Thanks. I wouldn't have found that syntax in a quintillion years.

It was the same as the example I posted, I just replaced 'meta l4proto'
by 'icmpv6 type' ;-)

> > Please, see the wiki for more examples on concatenations and sets/maps.
>
> I've gone through it. As someone who's been programming and
> configuring computers for over forty years, I can tell you that the
> wiki documentation is not good. It seems to be written by and for
> nft developers.

Documentation can always be improved, it got better over time. We have
a good number of contributors that are not developers.