Rate limiting matchings

From nftables wiki
Revision as of 18:44, 13 July 2016 by Pablo (talk | contribs) (Created page with "You can ratelimit traffic through ''limit''. The following example shows how to accept a maximum of 10 ICMP echo-request packets per second: <source lang="bash"> % nft add r...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

You can ratelimit traffic through limit.

The following example shows how to accept a maximum of 10 ICMP echo-request packets per second:

% nft add rule filter input icmp type echo-request limit rate 10/second accept

Since Linux kernel 4.3, you can also ratelimit per bytes:

% nft add rule filter input limit rate 10 mbytes/second accept

The rule above accepts traffic below the 10 mbytes/seconds rate.

You can also use the burst parameter to indicate the number of packets/bytes you can exceed the ratelimit:

% nft add rule filter input limit rate 10 mbytes/second burst 9000 kbytes accept

This indicates that you can exceed the ratelimit in 9000 kbytes.

You can also use it for packets:

% nft add rule filter input icmp type echo-request limit rate 10/second burst 2 packets counter accept

So you can exceed the rate in 2 packets.

The limit expression, you can use this for traffic policing from ingress too, as alternative to tc from the new netdev family.