nftables does not limit ipv6 traffic in rate limit rule in bridge and ip6 family

I have a wifi router where the wlan0 interface (radio interface) is bridged with the ethernet interface eth0 (connected to another server acting as DHCP server).

/ # brctl show br0
bridge name     bridge id               STP enabled     interfaces
br0             8000.bce67c4d8fb0       no              eth0

Linux Kernel version: 4.4.60
nftables version: v0.9.6

I was trying to set up a rule in the ip6 family to rate-limit ipv6 traffic. Here is my rule:

/ # nft list chain ip6 ngadre_rate_limiting ngadre_counter
table ip6 ngadre_rate_limiting {
        chain ngadre_counter {
                type filter hook prerouting priority raw; policy accept;
                limit rate 625 kbytes/second counter packets 1945 bytes 609744 accept
                counter packets 0 bytes 0 drop
        }
}

When I run sudo ping6 2006:db8:0:f101::10 -i 0.1, the rule is hit and the counters are incrementing. But when I run iperf3 -V -c 2006:db8:0:f101::10 -p5678 -i1 -tinf, the rule is not hit, the counters are not incrementing and the traffic is not rate limited.

I applied the rule following this wiki:

nft add rule filter input limit rate 10 mbytes/second accept

Am I missing something in the ip6 rule?

UPDATE 1: I tried with limit rate 2/second and a fast ping6 -i 0.1; here the rule is being hit and the drop counters are incrementing, and ping6 is being rate limited to 2 packets per second. That means with icmpv6 there doesn't seem to be any issue with limit rate, but when I try iperf3, this rule does not even get hit and the drop counters are not incrementing either.

Asked By: Haswell


After some internal help from my org: there are certain rules added elsewhere where marking is happening on packets, which I cannot share on an open forum. Based on that, the packets were skipping the rate limit rule. I resolved that issue by setting proper marks.

Answered By: Haswell
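The accepted answer only says that marks set by another ruleset caused packets to bypass the limit rule. The script below is an added example (not from the question or answer) that makes one such arrangement concrete and shows the two checks a practitioner would reach for: a mark-based accept placed ahead of the limit rule, which terminates the chain before "limit rate" is ever evaluated, beside a reordered ruleset where the limit is evaluated first, plus a trace rule so rule hits can be watched with "nft monitor trace" instead of guessed from counters. The table and chain names (ratelimit, pre, out, limit_in) and the mark value 0x1 are hypothetical; the question does not say what the other ruleset marks or why. A prerouting chain only sees packets arriving on an interface, so the example also hooks output to cover an iperf3 client run on the router itself.

```shell
#!/bin/sh
# Added example, not from the original post. Names (ratelimit, pre, out,
# limit_in) and the mark 0x1 are hypothetical; the question only says that
# some other ruleset marks packets.

# Pitfall: a mark-based accept placed BEFORE the limit. "accept" is a final
# verdict for this chain, so any packet carrying the mark never reaches
# "limit rate" and both its counters stay at zero, as in the question.
ruleset_broken() {
cat <<'EOF'
add table ip6 ratelimit
flush table ip6 ratelimit
table ip6 ratelimit {
    chain pre {
        type filter hook prerouting priority raw; policy accept;
        meta mark 0x1 counter accept
        limit rate 625 kbytes/second counter accept
        counter drop
    }
}
EOF
}

# Reordered: the limit is evaluated before anything looks at marks, so marks
# set elsewhere no longer decide whether a packet is counted. Both base
# chains jump to one regular chain holding the limit, so a single token
# bucket governs inbound (prerouting) and locally generated (output)
# traffic. "meta nftrace set 1" makes matching packets visible to
# "nft monitor trace"; it needs a kernel with nf_tables tracing, which the
# 4.4 kernel in the question predates (assumption: drop the line there).
ruleset_fixed() {
cat <<'EOF'
add table ip6 ratelimit
flush table ip6 ratelimit
table ip6 ratelimit {
    chain limit_in {
        limit rate 625 kbytes/second counter accept
        counter drop
    }
    chain pre {
        type filter hook prerouting priority raw; policy accept;
        meta nftrace set 1
        jump limit_in
    }
    chain out {
        type filter hook output priority raw; policy accept;
        meta nftrace set 1
        jump limit_in
    }
}
EOF
}

# Syntax-check a ruleset with "nft -c" when nft is installed; otherwise
# report that the check was skipped so the script still runs elsewhere.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        "$1" | nft -c -f -
    else
        echo "nft not installed, syntax check skipped" >&2
    fi
}

# Count how often a pattern occurs in a ruleset's text (used for self-checks).
count_in_ruleset() { "$1" | grep -c "$2"; }

# Usage: ./ratelimit.sh check   (dry run)   ./ratelimit.sh apply   (load)
case "${1:-}" in
    check) check_ruleset ruleset_fixed ;;
    apply) ruleset_fixed | nft -f - ;;
esac
```

Load with "./ratelimit.sh apply", then run "nft monitor trace" in a second shell while the iperf3 test is running: each traced packet prints the chain and rule it hit and the verdict, which settles immediately whether the limit rule is being reached. If one bucket per direction is wanted instead of the shared one, put the two limit rules directly in the pre and out chains rather than jumping to limit_in.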