Query regarding behaviour of Nftables over Iptables
Hi,
We have a query regarding the rate-limiting feature in Nftables. We are using Nft version 0.8.3 on Ubuntu 17.01 and the kernel is 4.13.0.32.
Certain rate-limiting rules have been configured for ICMP traffic as shown below:
chain INGRESS_ECHO_REQUEST {
    ct state { established, new } limit rate 25/second burst 8 packets counter packets 0 bytes 0 accept # handle 42
    counter packets 0 bytes 0 jump INGRESS_RATELIMIT_CHAIN # handle 43
}
The number of packets rate-limited when using Iptables is vastly different when compared to Nftables. The attachment shows the traffic performance of the two.
We are unable to figure out why Nftables accepts an extra 32 packets in each case. We are at a crucial juncture in our project and would be really grateful if you could help us figure out this issue. Otherwise there is a serious possibility of scrapping Nftables and switching back to Iptables.
Last edited by abzalute; 05-10-2018 at 03:54 AM.
Reason: Table is not displayed properly
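Added example (not code from the post or from the nftables project): a small token-bucket model for comparing how an iptables `limit` rule and the nft `limit rate 25/second burst 8 packets` rule above admit packets. It assumes that xt_limit keeps a bucket of `burst` packets refilled at `rate`, and that nft_limit sizes its bucket as `rate + burst` packets, with 4.x-era kernels also folding the burst into the refill rate; both assumptions should be checked against the kernel actually in use.

```python
"""Constructed token-bucket model of `limit` in iptables vs nftables (not kernel code)."""


class TokenBucket:
    """`capacity` packets in the bucket, refilled at `refill` packets/second; starts full."""

    def __init__(self, refill: float, capacity: float):
        self.refill, self.capacity = refill, capacity
        self.tokens, self.last_t = float(capacity), 0.0

    def allow(self, t: float) -> bool:
        # Credit the time elapsed since the previous packet, capped at the bucket size.
        self.tokens = min(self.capacity, self.tokens + (t - self.last_t) * self.refill)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def iptables_limit(rate: float, burst: int) -> TokenBucket:
    # Assumption: `-m limit --limit rate --limit-burst burst` is a bucket of
    # `burst` packets refilled at `rate` packets/second.
    return TokenBucket(refill=rate, capacity=burst)


def nft_limit(rate: float, burst: int, old_kernel: bool = True) -> TokenBucket:
    # Assumption: nft_limit sizes the bucket as rate + burst packets; on 4.x-era
    # kernels the burst is folded into the rate, so the refill is rate + burst too.
    refill = rate + burst if old_kernel else rate
    return TokenBucket(refill=refill, capacity=rate + burst)


def flood(bucket: TokenBucket, n: int, pps: float = float("inf")) -> int:
    """Send n packets at `pps` packets/second (default: all at once); return accepted count."""
    step = 0.0 if pps == float("inf") else 1.0 / pps
    return sum(bucket.allow(i * step) for i in range(n))


if __name__ == "__main__":
    for name, mk in (("iptables", iptables_limit), ("nftables", nft_limit)):
        burst_only = flood(mk(25, 8), 100)          # 100 packets back-to-back
        steady = flood(mk(25, 8), 100, pps=32)      # 100 packets at 32 pps
        print(f"{name}: {burst_only} accepted instantly, {steady} accepted at 32 pps")
```

With these assumptions the same-looking rules admit 8 vs 33 packets of an instantaneous burst, and at 32 pps the iptables rule drops 15 of 100 while the nft rule drops none, which is the kind of gap a packet-count comparison will show.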