* nftables, prerouting and rate limiting
@ 2025-07-05 16:20 Brian J. Murrell
2025-07-05 23:58 ` Florian Westphal
0 siblings, 1 reply; 2+ messages in thread
From: Brian J. Murrell @ 2025-07-05 16:20 UTC (permalink / raw)
To: netdev
Hello.
I'm hoping somebody can clarify something for me.
I understand that I can create filter rules that can rate limit
connections by creating first, an un-rate-limited rule that allows
"established" packets and then after that rule, create rules that allow
whatever various connections I want to allow and apply the rate
limiting on those rules. Effectively the rate limiting is only be
applied to the initial packets that are establishing a connection since
all other packets in a connection will be processed by the first,
"established connections" rule (without a rate-limit on it). Very
straightforward.
Where it gets fuzzy for me is with "type nat hook postrouting priority
srcnat" chains. If I have a chain:
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
iifname { "eth0.2", "pppoe-wan1" } jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
}
along with:
chain dstnat_wan {
meta nfproto ipv4 tcp dport 25 limit rate 10/minute burst 5 packets counter packets 301 bytes 17120 dnat ip to 10.75.22.9:25 comment "SMTP"
}
In that case, is the rate limiting being applied to only connection
establishing packets (i.e. SYN, SYN/ACK three-way handshake packets in
the case of TCP as similar to the above description for the filter
case) or is it applying to every packet in the connection/stream?
Ultimately I am trying to figure out if I need to be using a different
accounting scale on rate limiting for dnat rules than I use for filter
rules because for the former do I need to account for every packet in a
connection/stream being counted vs. the latter where I only need to
account for the initial connection establishing packets being counted?
Cheers,
b.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: nftables, prerouting and rate limiting
2025-07-05 16:20 nftables, prerouting and rate limiting Brian J. Murrell
@ 2025-07-05 23:58 ` Florian Westphal
0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2025-07-05 23:58 UTC (permalink / raw)
To: Brian J. Murrell; +Cc: netdev
Brian J. Murrell <brian@interlinx.bc.ca> wrote:
> In that case, is the rate limiting being applied to only connection
> establishing packets (i.e. SYN, SYN/ACK three-way handshake packets in
> the case of TCP as similar to the above description for the filter
> case) or is it applying to every packet in the connection/stream?
It is only applied to the first ("new") packet. For tcp, to the
syn (but not any others including syn/ack).
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-07-05 23:58 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-07-05 16:20 nftables, prerouting and rate limiting Brian J. Murrell
2025-07-05 23:58 ` Florian Westphal
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.