
List:       netfilter
Subject:    Re: What should happen when the size of a nftables set is reached?
From:       Mikhail Morfikov <mmorfikov () gmail ! com>
Date:       2019-04-30 21:36:18
Message-ID: fc4b75c5-648b-79d4-e536-c3b65d55feeb () gmail ! com


On 30/04/2019 22:54, Pablo Neira Ayuso wrote:
> Looks like a bug, the action "counter drop" seems to be ignored.
> 
> Does this counter bump once the set is full?
> 
> I'm referring to this rule:
> 
> add rule netdev traffic-control chain-icmp add @meter-icmp { ip saddr limit rate \
> over 10/minute burst 1 packets } counter drop 
Yes, it counts packets when the set is full:

        set meter-icmp {
                type ipv4_addr
                size 1
                flags dynamic,timeout
                timeout 1m
                elements = { 192.168.1.1 expires 54s791ms limit rate over 10/minute burst 1 packets }
        }

        chain chain-icmp {
                add @meter-icmp { ip saddr limit rate over 10/minute burst 1 packets } counter packets 24 bytes 2016 drop
                counter packets 43 bytes 3612 accept
        }

The counter goes up at the rate of 1/s.

From the first pinging host I get:

# ping 192.168.1.150
PING 192.168.1.150 (192.168.1.150): 56 data bytes
64 bytes from 192.168.1.150: seq=0 ttl=64 time=0.521 ms
64 bytes from 192.168.1.150: seq=6 ttl=64 time=0.432 ms
64 bytes from 192.168.1.150: seq=12 ttl=64 time=0.452 ms
64 bytes from 192.168.1.150: seq=18 ttl=64 time=0.394 ms
64 bytes from 192.168.1.150: seq=24 ttl=64 time=0.420 ms

And from the other (at the same time) I get all the pings
and they all hit the second rule.


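To make the behaviour reported in this thread easier to reason about, here is a small model (added here, not code from the thread or from the nftables project) of the ruleset above: a dynamic set of size 1 holding a per-source "limit rate over 10/minute burst 1" meter, rule 1 doing "add @meter-icmp ... counter drop" and rule 2 doing "counter accept". It assumes that when the set is full and the source address is not yet an element, the add fails and rule 1 simply does not match, so the packet falls through to rule 2; element timeout/expiry is not modelled, and the second host address is constructed.

```python
# Model of the ruleset discussed in this thread.  Assumption: a failed "add"
# into a full dynamic set makes the rule not match (packet falls through).
RATE_PER_MINUTE = 10   # "limit rate over 10/minute"
BURST = 1              # "burst 1 packets"
SET_SIZE = 1           # "size 1"


class Meter:
    """Token bucket counted in sixtieths of a packet so arithmetic stays exact."""

    def __init__(self, now):
        self.tokens = BURST * 60
        self.last = now

    def over(self, now):
        refill = (now - self.last) * RATE_PER_MINUTE
        self.tokens = min(BURST * 60, self.tokens + refill)
        self.last = now
        if self.tokens >= 60:
            self.tokens -= 60
            return False          # within rate: "limit rate over" does not match
        return True               # excess packet: "limit rate over" matches


class Ruleset:
    def __init__(self, size=SET_SIZE):
        self.size = size
        self.elements = {}        # saddr -> Meter, the dynamic set
        self.counters = {"drop": 0, "accept": 0}

    def evaluate(self, saddr, now):
        # Rule 1: add @meter-icmp { ip saddr limit rate over ... } counter drop
        meter = self.elements.get(saddr)
        if meter is None and len(self.elements) < self.size:
            meter = self.elements[saddr] = Meter(now)
        if meter is not None and meter.over(now):
            self.counters["drop"] += 1
            return "drop"
        # Rule 2: counter accept (also reached when the set was full)
        self.counters["accept"] += 1
        return "accept"


def simulate(seconds=30):
    """Two hosts pinging once per second for `seconds` seconds (constructed input)."""
    rs = Ruleset()
    verdicts = {"192.168.1.1": [], "192.168.1.2": []}
    for t in range(seconds):
        for saddr in verdicts:
            verdicts[saddr].append(rs.evaluate(saddr, t))
    return rs.counters, verdicts
```

Under this model the first host gets one reply every six seconds (seq 0, 6, 12, ...), its remaining pings bump the drop counter once per second, and the second host, which could never be added to the full set, has every ping hit the accept rule, which is exactly the pattern reported above.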
