I am experimenting with synflood rules and have found that I cannot make dst-limit work at all…
add chain=synflood protocol=tcp tcp-flags=syn dst-limit=20,1,dst-address/20s action=return comment="return on SYN packets (dst-rate-limited)" disabled=no
- vs -
add chain=synflood protocol=tcp tcp-flags=syn limit=100,5 action=return comment="return on SYN packets (dst-rate-limited)" disabled=no
The first rule uses dst-limit, notice I've set it to 20 with a burst of 1. If I look at the stats on that rule it's way above 20 pps and should be bypassed.
The second rule, in place of the first, works perfectly. Is dst-limit broken?
Also - winbox shows 2000ms in the dst-limit rule, however the above output shows 20s … obviously that's not right either. 2000ms should be 2s, not 20s.
2.9.38
Thx,
Sam
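As an added illustration (not part of Sam's post and not RouterOS code), a simplified token-bucket model of the two rules above: it assumes `limit` and `dst-limit` behave as a bucket of `burst` tokens refilled at the count/time rate, with `dst-limit` keeping one bucket per destination address and forgetting an idle key after the expire time. The flood it replays (1000 SYN/s spread over two destination addresses) is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Bucket:
    tokens: float  # tokens available; one is spent per matched packet
    last: float    # time of the last packet seen for this key

@dataclass
class RateLimiter:
    """Token bucket: capacity = burst, refilled at `rate` packets per second.
    With `expire` set, one bucket per classifier key, forgotten after that much
    idle time (simplified dst-limit); with key=None it is one global bucket (limit)."""
    rate: float
    burst: int
    expire: Optional[float] = None
    buckets: dict = field(default_factory=dict)

    def match(self, now: float, key=None) -> bool:
        b = self.buckets.get(key)
        if b is None or (self.expire is not None and now - b.last > self.expire):
            b = Bucket(tokens=float(self.burst), last=now)  # new key starts full
            self.buckets[key] = b
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True   # rule matches -> action=return, SYN is let through
        return False      # over the limit -> falls through to the rest of the chain

def simulate(limiter: RateLimiter, pps: int, seconds: float, dsts, per_dst: bool):
    """Send `pps` SYN/s round-robin to `dsts`; return (matched, fell_through)."""
    total, matched = int(pps * seconds), 0
    for i in range(total):
        now = i / pps
        key = dsts[i % len(dsts)] if per_dst else None
        matched += limiter.match(now, key)
    return matched, total - matched

# Constructed flood: 1000 SYN/s for 5 s spread over two constructed destinations.
DSTS = ["192.0.2.10", "192.0.2.11"]

def compare(pps: int = 1000, seconds: float = 5.0) -> dict:
    rules = {
        "limit=100,5": (RateLimiter(rate=100, burst=5), False),
        "dst-limit=20,1,dst-address/20s": (RateLimiter(rate=20, burst=1, expire=20), True),
    }
    return {name: simulate(lim, pps, seconds, DSTS, per_dst)
            for name, (lim, per_dst) in rules.items()}
```

Under this model the global rule lets roughly 100 SYN/s through in total, while the per-destination rule lets roughly 20 SYN/s through to each address, so a rule counter far above 20 pps on the whole chain is not by itself evidence that dst-limit is being bypassed.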