
List:       netfilter
Subject:    Re: [nftables] icmp type rate limiting - cumulative for the daddr or selectively per saddr?
From:       ѽ҉ᶬḠ<vtol () gmx ! net>
Date:       2020-09-29 16:13:00
Message-ID: 49153cdf-da9d-c560-d46d-78b61f3783ec () gmx ! net

On 29/09/2020 16:46, Florian Westphal wrote:
> ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
>> https://wiki.nftables.org/wiki-nftables/index.php/Rate_limiting_matchings is
>> not clear whether the 'limit rate' stanza applies as:
>>
>> * cumulative limit (from any/all saddr) for the daddr within the given
>> period
> It's always the same, limit has no internal state other than the rate
> bucket.
>
> In all these examples the limit applies for every packet that makes
> it to the limit expression.
>
> So, f.e.:
> nft add rule filter input icmp type echo-request limit rate 10/second accept
>
> applies the limit to each icmp echo request.
>
Thank you for the clarification.
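
Added example (not part of the original message and not taken from the nftables documentation): the rule quoted in the reply above, which shares one rate bucket among all senders, next to a per-source variant that keeps one bucket per saddr in a dynamic set. The table, chain and set names and the size and timeout values are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example; icmp_demo, input and echo_per_src are made-up names.

table ip icmp_demo {
    # Holds one limit (token bucket) per source address.
    # Elements are created by the "add" statement in the chain below.
    set echo_per_src {
        type ipv4_addr
        size 65535              # assumed cap: bounds memory if sources are spoofed
        flags dynamic,timeout
        timeout 1m              # assumed lifetime after which an entry is removed
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Variant A, the rule from the thread: a single bucket for every
        # echo request that reaches the expression, whatever its saddr.
        # One busy sender can use up the 10/second for all others.
        # icmp type echo-request limit rate 10/second accept

        # Variant B: the limit is attached to the set element keyed by
        # ip saddr, so each source address gets its own 10/second bucket.
        icmp type echo-request add @echo_per_src { ip saddr limit rate 10/second } accept

        # Echo requests over their limit did not match above and end here.
        icmp type echo-request drop
    }
}
```

Load the file with nft -f and inspect the per-source state with "nft list set ip icmp_demo echo_per_src"; only one of the two variants should be active at a time.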
