From: Pablo Neira Ayuso
Subject: Re: rate limit not working ?
Date: Tue, 20 Sep 2016 10:13:41 +0200
Message-ID: <20160920081341.GA2328@salvia>
To: Christophe Leroy
Cc: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org

On Fri, Sep 16, 2016 at 06:50:22PM +0200, Christophe Leroy wrote:
> Hi
>
> I tried to limit ping flooding by setting the following rule:
>
> nft add rule filter input icmp type echo-request limit rate 10/second accept

This is matching packets under the rate, so packets under the rate are
accepted. Your next rule, or default policy, should drop, so packets
over the rate are dropped.

You can invert this logic via:

# nft add rule filter input icmp type echo-request limit rate over 10/second drop

Does this work for you?

Thanks.
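The point of the reply is that `limit rate 10/second accept` only matches packets inside the rate, so with an accept policy and no trailing drop the flood is not limited at all. The following is an added example, not code from the thread or from nftables: it models the limit statement as a simple token bucket (capacity `burst` packets, refilled at `rate` per second; the real nft credit arithmetic differs in detail, and a default burst of 5 packets is an assumption to check against `nft list ruleset`) and replays a constructed echo-request flood through the original rule, the rule followed by a drop, and the inverted `over` form.

```python
# Token-bucket model of nft's "limit rate" statement and of the three rulesets
# discussed in the thread. Times are in milliseconds and credit in thousandths
# of a packet so that all arithmetic stays in integers.
from dataclasses import dataclass, field

TOKEN = 1000  # one packet's worth of credit, in thousandths


@dataclass
class LimitBucket:
    rate: int               # packets per second
    burst: int = 5          # assumption: nftables' usual default burst
    tokens: int = field(init=False)
    last_ms: int = 0

    def __post_init__(self):
        self.tokens = self.burst * TOKEN  # bucket starts full

    def within_rate(self, now_ms):
        """True when the packet is inside the rate (plain 'limit rate' matches)."""
        # rate packets per 1000 ms is exactly rate thousandths per ms
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.burst * TOKEN, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= TOKEN:
            self.tokens -= TOKEN
            return True
        return False


def run_chain(rules, policy, packet_times_ms):
    """rules: list of (bucket or None, 'under'|'over', verdict), evaluated in
    order like an nft chain; an unmatched packet gets the chain policy.
    Returns how many packets were accepted."""
    accepted = 0
    for t in packet_times_ms:
        verdict = policy
        for bucket, mode, rule_verdict in rules:
            if bucket is None:
                matched = True  # unconditional rule, e.g. a trailing 'drop'
            else:
                inside = bucket.within_rate(t)
                matched = inside if mode == "under" else not inside
            if matched:
                verdict = rule_verdict
                break
        accepted += verdict == "accept"
    return accepted


def compare(rate=10, burst=5, count=100, interval_ms=10):
    """Replay a constructed flood (100 pings in 1 s) through the three rulesets."""
    flood = [i * interval_ms for i in range(count)]
    original = run_chain([(LimitBucket(rate, burst), "under", "accept")], "accept", flood)
    with_drop = run_chain([(LimitBucket(rate, burst), "under", "accept"),
                           (None, None, "drop")], "accept", flood)
    over_drop = run_chain([(LimitBucket(rate, burst), "over", "drop")], "accept", flood)
    return original, with_drop, over_drop
```

`compare()` returns (100, 14, 14): the original rule with an accept policy passes every packet, while both corrections pass the burst plus roughly ten per second and drop the rest.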