This is really inconvenient that we can't rate limit the packets for multiple seconds, we have only the close enough but not 100% right in edge cases.

"1/second burst 10 packets" should be close enough. The bucket will be initialised with 10 tokens and refilled at a rate of 1 per second.

I really can't have an alternative for below please

iptables-translate -A rms0 -p tcp --dport 8000 -m state --state NEW -m recent --update --seconds 10 --hitcount 15 -j DROP
nft # -A rms0 -p tcp --dport 8000 -m state --state NEW -m recent --update --seconds 10 --hitcount 15 -j DROP

Thanks
Sreedhar

On Wed, Mar 6, 2024 at 10:39 PM Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
>
> On Wed, 6 Mar 2024 22:11:49 +0000
> Sreedhar M <sreemtech@xxxxxxxxx> wrote:
>
> > Hello Team
> >
> > I am currently working on configuring rate limiting rules with nft and
> > have encountered a challenge. ex: I would appreciate your guidance in
> > achieving a rate limit of 10 ICMP echo-request packets within a
> > 10-second interval.
> >
> > Here is an example rule
> > example : nft add rule filter input icmp type echo-request limit rate
> > over 10/second drop
> >
> > I understand that nft doesn't directly support specifying rates in the
> > format "10/10 seconds," and I'm seeking advice on how to adjust the
> > parameters to achieve the desired rate limiting behaviour.
> >
> > Your assistance on this matter would be greatly appreciated.
>
> "1/second burst 10 packets" should be close enough. The bucket will be initialised with 10 tokens and refilled at a rate of 1 per second.
>
> --
> Kerin Millar

--
Best Regards
Sreedhar
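
Added example, not part of the original thread: a simplified Python model (not nftables or xt_recent kernel code) that compares the suggested token bucket, "1/second burst 10 packets", with a strict limit of 10 packets per 10-second window, to show the edge case where the two differ. The function names and the arrival times are constructed for illustration.

```python
from collections import deque

def token_bucket(arrivals, rate=1.0, burst=10):
    """Accept/drop decisions for a bucket that starts with `burst` tokens
    and refills continuously at `rate` tokens per second (simplified model)."""
    tokens, last, out = float(burst), None, []
    for t in arrivals:
        if last is not None:
            tokens = min(float(burst), tokens + (t - last) * rate)
        last = t
        ok = tokens >= 1.0
        if ok:
            tokens -= 1.0
        out.append(ok)
    return out

def sliding_window(arrivals, limit=10, window=10.0):
    """Strict policy: at most `limit` accepted packets in any `window` seconds."""
    accepted, out = deque(), []
    for t in arrivals:
        # Forget accepted packets that have aged out of the window.
        while accepted and t - accepted[0] >= window:
            accepted.popleft()
        ok = len(accepted) < limit
        if ok:
            accepted.append(t)
        out.append(ok)
    return out

def max_in_window(arrivals, decisions, window=10.0):
    """Largest number of accepted packets inside any `window`-second span."""
    acc = [t for t, ok in zip(arrivals, decisions) if ok]
    return max((sum(1 for u in acc if t <= u < t + window) for t in acc), default=0)

if __name__ == "__main__":
    # Constructed traffic: 10 packets at t=0, then one packet per second up to t=9.
    arrivals = [0.0] * 10 + [float(s) for s in range(1, 10)]
    for name, fn in (("token bucket", token_bucket), ("sliding window", sliding_window)):
        d = fn(arrivals)
        print(f"{name}: accepted {sum(d)}, max in 10 s = {max_in_window(arrivals, d)}")
```

In this model the token bucket lets the initial burst of 10 through and then one more packet each second, so up to 19 packets pass in the first 10 seconds, while the strict window stops at 10.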