* rate limit not working ?
@ 2016-09-16 16:50 Christophe Leroy
From: Christophe Leroy @ 2016-09-16 16:50 UTC (permalink / raw)
To: netfilter, netfilter-devel, Pablo Neira Ayuso
Hi
I tried to limit ping flooding by setting the following rule:
nft add rule filter input icmp type echo-request limit rate 10/second accept
But it doesn't work, I can still ping flood the target.
What I see is that nft_limit_pkts_eval() is called only once at the
beginning of the flood.
After, during do_nft_chain(), regs.verdict.code is changed from -1 to 1
by a call to nft_immediate_eval() earlier in the loop.
How can I investigate that issue ?
Using linux kernel 4.4.21
Christophe
* Re: rate limit not working ?
From: Pablo Neira Ayuso @ 2016-09-20 8:13 UTC (permalink / raw)
To: Christophe Leroy; +Cc: netfilter, netfilter-devel
On Fri, Sep 16, 2016 at 06:50:22PM +0200, Christophe Leroy wrote:
> Hi
>
> I tried to limit ping flooding by setting the following rule:
>
> nft add rule filter input icmp type echo-request limit rate 10/second accept
This is matching packets under the rate, so packets under the rate are
accepted.
Your next rule, or default policy, should drop, so packets over the
rate are dropped.
You can invert this logic via:
# nft add rule filter input icmp type echo-request limit rate over 10/second drop
Does this work for you?
Thanks.
* Re: rate limit not working ?
From: Christophe Leroy @ 2016-09-20 11:14 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter, netfilter-devel
On 20/09/2016 at 10:13, Pablo Neira Ayuso wrote:
> On Fri, Sep 16, 2016 at 06:50:22PM +0200, Christophe Leroy wrote:
>> Hi
>>
>> I tried to limit ping flooding by setting the following rule:
>>
>> nft add rule filter input icmp type echo-request limit rate 10/second accept
>
> This is matching packets under the rate, so packets under the rate are
> accepted.
>
> Your next rule, or default policy, should drop, so packets over the
> rate are dropped.
>
> You can invert this logic via:
>
> # nft add rule filter input icmp type echo-request limit rate over 10/second drop
>
That didn't work either, but in fact I found the issue: I have a rule
'ct state established, related accept' earlier in the ruleset, so only
the first ping packet reached the rate limitation rule.
After putting the rate limitation rule before that ct state rule, it works as
expected.
Thanks for your help
Christophe
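The rule-ordering problem the thread ends on, written out as an added nftables ruleset (example configuration, not something posted in the thread): the commented block reproduces the layout Christophe first had, the live chain moves the ICMP limit ahead of the conntrack shortcut. Table and chain names follow the thread's `filter input`; the `10/second` rate is the value from the post, the `counter` statements are added so the effect can be observed.

```nft
# Added example, not from the thread.
#
# Original layout (do not load): the conntrack shortcut runs first. The first
# echo-request creates a conntrack entry (ICMP echo is tracked by id), so every
# later echo-request of the same ping session is "established" and is accepted
# at the first rule; the limit rule only ever sees the very first packet.
#
#   chain input {
#       type filter hook input priority 0; policy drop;
#       ct state established,related accept
#       icmp type echo-request limit rate 10/second accept
#   }

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Rate limit BEFORE the conntrack shortcut, so every echo-request is
        # evaluated against the limit, not just the first one of a session.
        # "over" inverts the match as Pablo suggested: packets beyond 10/s drop.
        icmp type echo-request limit rate over 10/second counter drop

        # Everything that survived the limit may now take the fast path.
        ct state established,related accept

        # Remaining (new) echo-requests under the rate are accepted.
        icmp type echo-request counter accept
    }
}
```

Check the file with `nft -c -f <file>` before loading it, then watch `nft list chain ip filter input` during a flood: with the original ordering the drop counter never moves past the first packet, with this ordering it climbs while the accept counter stays near 10 per second.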