Technical analysis
OS: debian buster (stable)
Runtime environment: virtualbox VM
Network setting: bridge
nftables version: 0.9.0
ping command: psping64 -t -i 0 192.168.1.177
For example, I want to handle only one icmp echo-request per second; the rule configuration file is as follows:
#!/usr/sbin/nft -f
flush ruleset
define ICMP_TYPES = {
destination-unreachable,
time-exceeded,
parameter-problem,
router-solicitation,
router-advertisement
}
define ICMPV6_TYPES = {
destination-unreachable,
packet-too-big,
time-exceeded,
parameter-problem,
mld-listener-query,
mld-listener-report,
mld-listener-done,
mld-listener-reduction,
nd-router-solicit,
nd-router-advert,
nd-neighbor-solicit,
nd-neighbor-advert,
ind-neighbor-solicit,
ind-neighbor-advert,
mld2-listener-report
}
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif lo accept
ct state invalid drop
ct state { established, related } accept
icmp type echo-request limit rate 1/second accept
icmpv6 icmpv6 type $ICMPV6_TYPES accept
icmp icmp type $ICMP_TYPES accept
ip protocol igmp accept
tcp dport { ssh } accept
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
When testing with the fast ping tool, the average interval is about 0.68ms, with 0% loss. I tried adding the rule below to drop packets that exceed the limit, but the result did not change.
icmp type echo-request limit rate over 1/second drop
I also tried burst
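Added example, not part of the original post: the same input chain with the echo-request limit moved ahead of the conntrack accept and counters added so the effect can be verified. It assumes the poster's Debian buster / nftables 0.9.0 setup and is trimmed to IPv4, since the psping test is IPv4.

```nft
#!/usr/sbin/nft -f
# Added example: the posted ruleset with the echo-request limit placed
# BEFORE "ct state { established, related } accept".
#
# Why the original ordering never limits anything: conntrack tracks ICMP
# echo by (src, dst, icmp id). Once the first request has been answered,
# every later echo-request carrying the same id (psping reuses one id for
# the whole run) matches "ct state established" and is accepted by that
# rule, so a limit rule placed further down is never evaluated for them.
flush ruleset

define ICMP_TYPES = {
    destination-unreachable,
    time-exceeded,
    parameter-problem,
    router-solicitation,
    router-advertisement
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state invalid drop

        # One echo-request per second (plus a small burst) is accepted;
        # the remainder are dropped here, before conntrack state can
        # accept them. "counter" makes each rule's hit count visible in
        # `nft list chain inet filter input`.
        icmp type echo-request limit rate 1/second burst 5 packets counter accept
        icmp type echo-request counter drop

        ct state { established, related } accept
        icmp type $ICMP_TYPES accept
        ip protocol igmp accept
        tcp dport { ssh } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

While psping is running, `nft list chain inet filter input` should show the drop rule's counter climbing and the accept rule's counter growing by roughly one per second; psping itself should then report loss.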