Talk:Rate limiting matchings

From nftables wiki
Revision as of 19:51, 16 June 2020 by Glloyd (talk | contribs) (Adding some questions on ICMP, IGMP, and rate limiting)

(1) I'm not an expert so more examples on rate-limited ICMP rules would be very helpful.

(2) Which ICMP packet types should be allowed? All? Or only certain types?

(3) Is IGMP ok to allow all packets on?

I've seen rules like this but I don't know enough to understand what the impact would be. I also don't fully understand what 'meta l4proto' is doing (From ArchWiki: https://wiki.archlinux.org/index.php/Nftables)

meta l4proto ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"

meta l4proto icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP"

ip protocol igmp accept comment "Accept IGMP"
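As an added example, not taken from Glloyd's post or from the ArchWiki page it cites, the ruleset below combines the three rules quoted above with the rate limiting this wiki page is about. It uses an `inet` table so the same chain handles IPv4 and IPv6; `meta l4proto` matches the transport-layer protocol of a packet regardless of IP family (for IPv6 it looks past extension headers, which `ip6 nexthdr` does not). The essential error and discovery messages are accepted unconditionally, while echo requests are accepted only up to a rate and the excess is counted and dropped. The table and chain names and the `10/second` / `burst 20` values are illustrative assumptions, not values from the page.

```nft
# Added example ruleset (not from the wiki page or the poster): essential
# ICMP/ICMPv6 accepted, ping rate-limited instead of dropped outright.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Control messages IPv6 cannot work without (neighbour discovery,
        # path MTU discovery, MLD) are accepted without any limit.
        meta l4proto ipv6-icmp icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
            mld-listener-query, mld-listener-report, mld-listener-reduction,
            nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert,
            ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report
        } accept comment "Accept essential ICMPv6"

        # The IPv4 equivalents: error reports and router discovery.
        meta l4proto icmp icmp type {
            destination-unreachable, router-solicitation, router-advertisement,
            time-exceeded, parameter-problem
        } accept comment "Accept essential ICMP"

        # Echo requests (ping) are useful but floodable: accept up to
        # 10 per second with a burst of 20 (assumed values), count and
        # drop whatever exceeds that.
        meta l4proto icmp icmp type echo-request limit rate 10/second burst 20 packets accept comment "Rate-limited ping"
        meta l4proto icmp icmp type echo-request counter drop comment "Ping over limit"
        meta l4proto ipv6-icmp icmpv6 type echo-request limit rate 10/second burst 20 packets accept comment "Rate-limited ping6"
        meta l4proto ipv6-icmp icmpv6 type echo-request counter drop comment "Ping6 over limit"

        # IGMP is only needed if this host joins multicast groups on the link.
        ip protocol igmp accept comment "Accept IGMP"
    }
}
```

Load it with `nft -f <file>` and inspect with `nft list ruleset`; the `counter` on each drop rule shows how often the limit has been exceeded, which is the first thing to check when deciding whether the chosen rate is too low for legitimate monitoring.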