From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Tom <tom@foscore.com>
Cc: Florian Westphal <fw@strlen.de>, netfilter@vger.kernel.org
Subject: Re: proper ICMPv6 syntax for specific daddr
Date: Wed, 7 Sep 2022 17:25:52 +0200
Message-ID: <Yxi4APuir2m1mxUG@salvia>
In-Reply-To: <b812fc63-36ed-e6af-9c70-d9d75ff05f14@foscore.com>

On Wed, Sep 07, 2022 at 11:22:24AM -0400, Tom wrote:
> On 2022-09-07 10:58, Florian Westphal wrote:
> > Tom <tom@foscore.com> wrote:
> > > nft add rule ip6 filter input ip6 nexthdr icmpv6 counter limit rate 5/second accept
> > This is not related to ping, this ratelimits ALL of icmpv6.
> > Please use 'icmpv6 type { echo-request, echo-reply}'.
> > icmpv6 is integral part of ipv6, the above will ratelimit neighbour
> > solicitations, pmtu updates and so on as well.
> 
> Ooh, that's not good. What about this, recommended by Pablo:
> 
> table ip6 filter {
> 	set ping6 {
> 		typeof ip6 daddr . meta l4proto
> 		limit rate 5/second
> 		elements = { xxxx:43:a:83::2 . ipv6-icmp limit rate 5/second,
> 			     xxxx:43:a:83::3 . ipv6-icmp limit rate 5/second,
> 			     xxxx:43:a:83::4 . ipv6-icmp limit rate 5/second }
> 	}
> 	chain input {
> 		type filter hook input priority filter; policy drop;
> 		ip6 daddr . meta l4proto @ping6 accept
> 	}
> }
> 
> Is this OK?

My recommendation is to use concatenations and sets, not to ratelimit
_all_ icmpv6 traffic ;-)
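Putting the two pieces of advice in this thread together, as an added example that is not from the thread or from the netfilter project: only echo traffic to the listed addresses is rate-limited, through a concatenated set that carries its own per-element limiter, while the ICMPv6 types IPv6 cannot work without are accepted before any limiter sees them. The addresses use the RFC 3849 documentation prefix and are constructed stand-ins for the thread's `xxxx:...` placeholders; the set-level `limit` assumes an nft version that supports stateful expressions on sets.

```nft
#!/usr/sbin/nft -f
flush ruleset

table ip6 filter {
	# One limiter per element: each (daddr, icmpv6 type) pair gets its own
	# 5/second bucket. Once a bucket is empty the lookup fails and the
	# packet falls through to the chain policy (drop), so a flood against
	# one address cannot starve pings to the others.
	set ping6 {
		typeof ip6 daddr . icmpv6 type
		limit rate 5/second
		elements = { 2001:db8:43:a:83::2 . echo-request,   # constructed
			     2001:db8:43:a:83::2 . echo-reply,
			     2001:db8:43:a:83::3 . echo-request,
			     2001:db8:43:a:83::3 . echo-reply,
			     2001:db8:43:a:83::4 . echo-request,
			     2001:db8:43:a:83::4 . echo-reply }
	}

	chain input {
		type filter hook input priority filter; policy drop;

		ct state established,related accept
		iif lo accept

		# Never rate-limit these: neighbour discovery, router
		# advertisements and PMTU/error reports are part of IPv6 itself,
		# which is exactly what 'meta l4proto icmpv6 limit' would break.
		icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
			      nd-router-advert, packet-too-big,
			      destination-unreachable, time-exceeded,
			      parameter-problem } accept

		# Only echo traffic is limited, and only for the listed addresses.
		meta l4proto ipv6-icmp ip6 daddr . icmpv6 type @ping6 counter accept
	}
}
```

Check it with `nft -c -f ping6.nft` before loading; `nft list set ip6 filter ping6` then shows the per-element limiters the kernel instantiated.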

