Re: nftables rate limiting per multiple seconds

It is really inconvenient that we can't rate limit the packets for
multiple seconds; we have only the "close enough" but not 100% right in
edge cases.
"1/second burst 10 packets" should be close enough. The bucket will be
initialised with 10 tokens and refilled at a rate of 1 per second.

I really can't find an alternative for the below, please:
iptables-translate  -A rms0  -p tcp --dport 8000 -m state --state NEW
-m recent --update --seconds 10 --hitcount 15 -j DROP
nft # -A rms0 -p tcp --dport 8000 -m state --state NEW -m recent
--update --seconds 10 --hitcount 15 -j DROP

Thanks
Sreedhar

On Wed, Mar 6, 2024 at 10:39 PM Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
>
> On Wed, 6 Mar 2024 22:11:49 +0000
> Sreedhar M <sreemtech@xxxxxxxxx> wrote:
>
> > Hello Team
> >
> > I am currently working on configuring rate limiting rules with nft and
> > have encountered a challenge. ex: I would appreciate your guidance in
> > achieving a rate limit of 10 ICMP echo-request packets within a
> > 10-second interval.
> >
> > Here is an example rule
> > example : nft add rule filter input icmp type echo-request limit rate
> > over 10/second drop
> >
> > I understand that nft doesn't directly support specifying rates in the
> > format "10/10 seconds," and I'm seeking advice on how to adjust the
> > parameters to achieve the desired rate limiting behaviour.
> >
> > Your assistance on this matter would be greatly appreciated.
>
> "1/second burst 10 packets" should be close enough. The bucket will be initialised with 10 tokens and refilled at a rate of 1 per second.
>
> --
> Kerin Millar



-- 
Best Regards
Sreedhar
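As an added illustration (not part of the thread, and not the netfilter project's code), the following Python model compares the two behaviours discussed above: the token bucket that `limit rate over 1/second burst 10 packets drop` is described as implementing (bucket starts with 10 tokens, refilled one per second), against an exact "at most N packets in any W seconds" sliding window, which is what the original question and the `-m recent --seconds 10 --hitcount` rule express. The class and function names and the arrival traces are constructed for this example; the bucket is a model of the behaviour described in the reply, not the kernel's nft_limit implementation.

```python
"""Token bucket ("1/second burst 10 packets") vs. exact sliding window
("10 packets per 10 seconds"). Example code, not from the thread."""

from collections import deque


class TokenBucket:
    """Model of the behaviour described in the reply: the bucket starts full
    with `burst` tokens and is refilled continuously at `rate` tokens/second.
    This is an illustrative model, not the kernel's nft_limit code."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)   # initialised full, as the reply says
        self.last = 0.0

    def allow(self, now):
        # Refill for the elapsed time, capped at the bucket size.
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True              # under the limit: packet accepted
        return False                 # "limit rate over ... drop" would match


class SlidingWindow:
    """Exact semantics the original poster asked for: at most `hits`
    accepted packets in any `seconds`-long window. Dropped packets are not
    recorded here; whether they should be is a policy choice."""

    def __init__(self, seconds, hits):
        self.seconds = float(seconds)
        self.hits = hits
        self.stamps = deque()

    def allow(self, now):
        # Forget timestamps that have fallen out of the window.
        while self.stamps and now - self.stamps[0] >= self.seconds:
            self.stamps.popleft()
        if len(self.stamps) >= self.hits:
            return False
        self.stamps.append(now)
        return True


def run(limiter, arrivals):
    """Feed a list of arrival times (seconds) through one limiter."""
    return [limiter.allow(t) for t in arrivals]


def allowed_in_window(arrivals, decisions, start, length):
    """Count accepted packets whose arrival time lies in [start, start+length)."""
    return sum(1 for t, ok in zip(arrivals, decisions)
               if ok and start <= t < start + length)


# Constructed trace: a flood of 15 packets at t=0, then one packet per second
# up to t=12. This is the edge case where the two approaches diverge.
BURST_TRACE = [0.0] * 15 + [float(t) for t in range(1, 13)]

# Constructed trace: a steady one packet per second for 30 seconds, where
# both approaches agree (the sustained rate is 1/s either way).
STEADY_TRACE = [float(t) for t in range(30)]


def compare_burst():
    tb = run(TokenBucket(rate=1, burst=10), BURST_TRACE)
    sw = run(SlidingWindow(seconds=10, hits=10), BURST_TRACE)
    return {
        "token_bucket_first_10s": allowed_in_window(BURST_TRACE, tb, 0, 10),
        "sliding_window_first_10s": allowed_in_window(BURST_TRACE, sw, 0, 10),
        "token_bucket_total": sum(tb),
        "sliding_window_total": sum(sw),
    }


def compare_steady():
    tb = run(TokenBucket(rate=1, burst=10), STEADY_TRACE)
    sw = run(SlidingWindow(seconds=10, hits=10), STEADY_TRACE)
    return sum(tb), sum(sw)


if __name__ == "__main__":
    print("burst trace:", compare_burst())
    print("steady trace (bucket, window):", compare_steady())
```

On the burst trace the token bucket admits 10 packets at t=0 and then one more every second as tokens trickle back, so 19 packets get through in the first 10 seconds, while the exact window admits 10 and nothing more until the t=0 entries age out at t=10. On the steady trace both admit every packet, which is the sense in which "1/second burst 10 packets" is close enough: the sustained rate matches, only the short-term allowance differs.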
