rate limit not working ?

All of lore.kernel.org
 help / color / mirror / Atom feed

* rate limit not working ?
@ 2016-09-16 16:50 Christophe Leroy
  2016-09-20  8:13 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 4+ messages in thread
From: Christophe Leroy @ 2016-09-16 16:50 UTC (permalink / raw)
  To: netfilter, netfilter-devel, Pablo Neira Ayuso

Hi

I tried to limit ping flooding by setting the following rule:

nft add rule filter input icmp type echo-request limit rate 10/second accept

But it doesn't work, I can still ping flood the target.
What I see is that nft_limit_pkts_eval() is called only once at the 
begining of the flood.
After, during do_nft_chain(), regs.verdict.code is changed from -1 to 1 
by a call to nft_immediate_eval() earlier in the loop.

How can I investigate that issue ?

Using linux kernel 4.4.21

Christophe

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: rate limit not working ?
  2016-09-16 16:50 rate limit not working ? Christophe Leroy
@ 2016-09-20  8:13 ` Pablo Neira Ayuso
  2016-09-20 11:14     ` Christophe Leroy
  0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2016-09-20  8:13 UTC (permalink / raw)
  To: Christophe Leroy; +Cc: netfilter, netfilter-devel

On Fri, Sep 16, 2016 at 06:50:22PM +0200, Christophe Leroy wrote:
> Hi
> 
> I tried to limit ping flooding by setting the following rule:
> 
> nft add rule filter input icmp type echo-request limit rate 10/second accept

This is matching packets under the rate, so packets under the rate are
accepted.

Your next rule, or default policy, should drop, so packets over the
rate are dropped.

You can invert this logic via:

 # nft add rule filter input icmp type echo-request limit rate over 10/second drop

Does this work for you?

Thanks.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: rate limit not working ?
  2016-09-20  8:13 ` Pablo Neira Ayuso
@ 2016-09-20 11:14     ` Christophe Leroy
  0 siblings, 0 replies; 4+ messages in thread
From: Christophe Leroy @ 2016-09-20 11:14 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter, netfilter-devel



Le 20/09/2016 à 10:13, Pablo Neira Ayuso a écrit :
> On Fri, Sep 16, 2016 at 06:50:22PM +0200, Christophe Leroy wrote:
>> Hi
>>
>> I tried to limit ping flooding by setting the following rule:
>>
>> nft add rule filter input icmp type echo-request limit rate 10/second accept
>
> This is matching packets under the rate, so packets under the rate are
> accepted.
>
> Your next rule, or default policy, should drop, so packets over the
> rate are dropped.
>
> You can invert this logic via:
>
>  # nft add rule filter input icmp type echo-request limit rate over 10/second drop
>

That didn't work either, but in fact I found the issue: I have a rule 
'ct state established, related accept' earlier in the ruleset, so only 
the first ping packet reached the rate limitation rule.

Putting the rate limitation rules before that ct state rule, it works as 
expected.

Thanks for your help

Christophe
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: rate limit not working ?
@ 2016-09-20 11:14     ` Christophe Leroy
  0 siblings, 0 replies; 4+ messages in thread
From: Christophe Leroy @ 2016-09-20 11:14 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter, netfilter-devel



Le 20/09/2016 à 10:13, Pablo Neira Ayuso a écrit :
> On Fri, Sep 16, 2016 at 06:50:22PM +0200, Christophe Leroy wrote:
>> Hi
>>
>> I tried to limit ping flooding by setting the following rule:
>>
>> nft add rule filter input icmp type echo-request limit rate 10/second accept
>
> This is matching packets under the rate, so packets under the rate are
> accepted.
>
> Your next rule, or default policy, should drop, so packets over the
> rate are dropped.
>
> You can invert this logic via:
>
>  # nft add rule filter input icmp type echo-request limit rate over 10/second drop
>

That didn't work either, but in fact I found the issue: I have a rule 
'ct state established, related accept' earlier in the ruleset, so only 
the first ping packet reached the rate limitation rule.

Putting the rate limitation rules before that ct state rule, it works as 
expected.

Thanks for your help

Christophe

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2016-09-20 11:14 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-16 16:50 rate limit not working ? Christophe Leroy
2016-09-20  8:13 ` Pablo Neira Ayuso
2016-09-20 11:14   ` Christophe Leroy
2016-09-20 11:14     ` Christophe Leroy

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.