I'm trying to figure out how to allow ICMP ping to an nftables server without getting flooded.
This is my initial configuration:
    table inet firewall {
        chain incoming {
            type filter hook input priority 0; policy drop;

            # established/related connections
            ct state { established, related } accept

            # ICMP
            ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
            ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept

            # ICMP ping dealt with separately to rate limit
            ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 1/second accept
            ip protocol icmp icmp type echo-request limit rate 1/second accept
        }
    }
However, flooding with ping -f [IP_ADDRESS] shows that most packets are getting through. Certainly more than one per second.
If I remove the ct state { established, related } accept rule, I get 99% packet loss when trying to flood.
So it looks like the first request establishes a connection, and subsequent pings match that rule; it doesn't seem to matter if I put the ct rule after the icmp rules.
Is there any way to allow established connections but still rate limit ping?
Try this solution:
    table inet firewall {
        chain incoming {
            type filter hook input priority 0; policy drop;

            # ICMP ping dealt with separately to rate limit
            ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 1/second accept
            ip6 nexthdr icmpv6 icmpv6 type echo-request counter drop
            ip protocol icmp icmp type echo-request limit rate 1/second accept
            ip protocol icmp icmp type echo-request counter drop

            # established/related connections
            ct state { established, related } accept

            # ICMP
            ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
            ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
        }
    }
You should explicitly drop the packets that exceed the rate limit, to prevent them from being accepted by the rules that follow.
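An added illustration, not code from the question or the answer and not nftables itself: a small Python model of how the input chain evaluates an echo-request flood under the question's rule order, under the question's "ct rule after the icmp rules" variant, and under the answer's order. It reduces conntrack to "an echo-request that was accepted makes later requests with the same ICMP id count as established" (the echo-reply leaving the host is assumed to be allowed), models limit rate as a token bucket with the burst of 5 packets that nftables uses by default (an assumption of the model), and uses constructed documentation addresses and a constructed ICMP id. It exists to show why rule order alone does not help and why the explicit drop does.

```python
"""Model of nftables 'incoming' chain evaluation for the rulesets above.

Added example, not part of the original post and not nftables code: a toy
evaluator with just enough conntrack and 'limit rate' behaviour to reproduce
what the question observed and what the answer fixes.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str       # "icmp" (IPv4) or "icmpv6"
    icmp_type: str   # e.g. "echo-request"
    flow: tuple      # conntrack key (src, dst, icmp id); constructed values
    t_ms: int        # arrival time in milliseconds


class RateLimit:
    """Token bucket standing in for 'limit rate N/second'.

    Tokens are kept in thousandths so the arithmetic is exact. The bucket
    starts full; 'burst' is its depth (nftables default of 5 assumed here).
    Each limit expression in nftables has its own state, so each rule below
    gets its own RateLimit instance."""

    def __init__(self, per_second: int, burst: int = 5):
        self.refill_per_ms = per_second      # milli-tokens per millisecond
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = 0

    def match(self, pkt: Packet, ct: set) -> bool:
        elapsed = pkt.t_ms - self.last_ms
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_ms)
        self.last_ms = pkt.t_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


@dataclass
class Rule:
    matches: list    # callables (pkt, ct) -> bool, evaluated left to right
    verdict: str     # "accept" or "drop"

    def applies(self, pkt: Packet, ct: set) -> bool:
        # Short-circuits like nftables: the limit is only consulted when the
        # type match before it succeeded.
        return all(m(pkt, ct) for m in self.matches)


def is_type(proto, types):
    return lambda p, ct: p.proto == proto and p.icmp_type in types


def ct_established(p: Packet, ct: set) -> bool:
    return p.flow in ct


def run_chain(rules, packets, policy="drop"):
    """Evaluate packets in order; return (accepted, dropped) counts.

    Accepting an echo-request confirms its conntrack entry (reply assumed
    sent), so later requests on the same flow match 'ct state established'."""
    ct, accepted, dropped = set(), 0, 0
    for pkt in packets:
        verdict = next((r.verdict for r in rules if r.applies(pkt, ct)), policy)
        if verdict == "accept":
            accepted += 1
            ct.add(pkt.flow)
        else:
            dropped += 1
    return accepted, dropped


ICMP6_OK = {"destination-unreachable", "packet-too-big", "time-exceeded", "parameter-problem",
            "echo-reply", "nd-router-advert", "nd-neighbor-solicit", "nd-neighbor-advert"}
ICMP_OK = {"destination-unreachable", "router-advertisement", "time-exceeded", "parameter-problem"}


def ping_rules(explicit_drop: bool):
    """'... type echo-request limit rate 1/second accept' for v6 and v4, each
    optionally followed by the answer's '... type echo-request counter drop'."""
    rules = []
    for proto in ("icmpv6", "icmp"):
        rules.append(Rule([is_type(proto, {"echo-request"}), RateLimit(1).match], "accept"))
        if explicit_drop:
            rules.append(Rule([is_type(proto, {"echo-request"})], "drop"))
    return rules


def question_ruleset():
    """Question's order: ct state accept first, rate-limited ping last."""
    return [Rule([ct_established], "accept"), Rule([is_type("icmpv6", ICMP6_OK)], "accept"),
            Rule([is_type("icmp", ICMP_OK)], "accept"), *ping_rules(explicit_drop=False)]


def question_ruleset_ct_last():
    """The variant the question tried: ct state rule moved after the ping rules."""
    return [Rule([is_type("icmpv6", ICMP6_OK)], "accept"), Rule([is_type("icmp", ICMP_OK)], "accept"),
            *ping_rules(explicit_drop=False), Rule([ct_established], "accept")]


def answer_ruleset():
    """Answer's order: limited accept, explicit drop, then ct state."""
    return [*ping_rules(explicit_drop=True), Rule([ct_established], "accept"),
            Rule([is_type("icmpv6", ICMP6_OK)], "accept"), Rule([is_type("icmp", ICMP_OK)], "accept")]


def ping_flood(n=100, interval_ms=10):
    """Constructed 'ping -f'-style burst: one ICMP id, n requests, 10 ms apart."""
    flow = ("192.0.2.10", "192.0.2.1", 4242)   # constructed documentation addresses/id
    return [Packet("icmp", "echo-request", flow, i * interval_ms) for i in range(n)]


if __name__ == "__main__":
    for name, build in [("question", question_ruleset), ("question, ct last", question_ruleset_ct_last),
                        ("answer", answer_ruleset)]:
        acc, drp = run_chain(build(), ping_flood())
        print(f"{name:18s}: accepted {acc:3d}, dropped {drp:3d}")
```

Running it shows the question's ruleset accepting all 100 requests in either order (the limit rejects packet 6 onward, but "no match" just falls through to the ct state accept), while the answer's ruleset accepts the burst of 5 and drops the other 95 because the drop rule sits between the limit and the ct state rule.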