Consider using rate limit via nftables
I haven't found a good example other than the one described here (use a translation tool to read it).
It looks more flexible.
Example:
# Reference ruleset from the issue: a mangle-priority filter table that
# exempts "local network" traffic from the per-address verdict maps and
# instead sends it through a single shared bandwidth limit.
table inet mangle {
# IPv4 ranges treated as "local". Note that 100.64.0.0/10 is the shared
# address space (CGNAT, RFC 6598), not RFC 1918; keep it only if intended.
set localnet4 {
type ipv4_addr
flags interval
elements = {
100.64.0.0/10,
172.16.0.0/12,
10.0.0.0/16,
10.1.1.0/24
}
}
# IPv6 ranges treated as "local": link-local (fe80::/10) and ULA (fd00::/8).
set localnet6 {
type ipv6_addr
flags interval
elements = {
fe80::/10,
fd00::/8
}
}
# Per-address verdict maps. They are declared empty here, so presumably
# elements are added at runtime; "counter" attaches a counter to each
# element. @poly_u_* are keyed on source address in PREROUTING,
# @poly_d_* on destination address in POSTROUTING.
map poly_u_4 {
type ipv4_addr : verdict
flags interval
counter
}
map poly_d_4 {
type ipv4_addr : verdict
flags interval
counter
}
map poly_u_6 {
type ipv6_addr : verdict
flags interval
counter
}
map poly_d_6 {
type ipv6_addr : verdict
flags interval
counter
}
# Base chain on the postrouting hook. Rule order matters: local-to-local
# traffic is diverted with "goto" before the verdict map is consulted, so
# entries in @poly_d_* never apply to it.
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
ip daddr @localnet4 ip saddr @localnet4 goto inet_down
ip6 daddr @localnet6 ip6 saddr @localnet6 goto inet_down
# Only non-local traffic reaches the per-destination verdict maps.
ip daddr vmap @poly_d_4
ip6 daddr vmap @poly_d_6
}
# Base chain on the prerouting hook; same shape, keyed on source address.
# NOTE(review): "local" is decided by address only, with no interface
# match. If an untrusted interface can deliver packets whose source falls
# inside @localnet4/@localnet6, they also take the goto path and bypass
# @poly_u_*; adding an iifname match to the goto rules (or reverse-path
# filtering) closes that - confirm against the actual topology.
chain PREROUTING {
type filter hook prerouting priority mangle; policy accept;
ip daddr @localnet4 ip saddr @localnet4 goto inet_down
ip6 daddr @localnet6 ip6 saddr @localnet6 goto inet_down
# Only non-local traffic reaches the per-source verdict maps.
ip saddr vmap @poly_u_4
ip6 saddr vmap @poly_u_6
}
# Shared limiter for local-to-local traffic. It is entered via goto, so a
# packet under the rate falls off the end of this chain and the base
# chain's "policy accept" applies; it does not return to the caller.
chain inet_down {
# Local traffic: accepted unless it exceeds the shared rate limit.
# This is one token bucket for every caller (v4 and v6, both hooks),
# not a per-address limit: traffic above 10000000 kbytes/s (~10 GB/s)
# is counted and dropped. A forwarded packet traverses both hooks and is
# presumably charged twice - confirm if the figure is meant as an
# end-to-end cap. A per-address limit would need a dynamic set keyed on
# the address with a per-element limit instead.
limit rate over 10000000 kbytes/second counter drop
}
}