Consider using rate limiting via nftables.
I haven't found a good example other than the one described here (use translate to get info)
It looks more flexible.
Example:
# Policing table for the inet family (IPv4 and IPv6 in one table).
# Packets whose source AND destination are both in the local sets are sent to
# inet_down; all other packets are looked up per address in the verdict maps.
# NOTE(review): the page showed this ruleset collapsed onto one line; line
# breaks below are reconstructed, tokens and rule order are unchanged.
table inet mangle {
	# IPv4 prefixes treated as local.
	set localnet4 {
		type ipv4_addr
		flags interval
		elements = { 100.64.0.0/10, 172.16.0.0/12, 10.0.0.0/16, 10.1.1.0/24 }
	}

	# IPv6 prefixes treated as local.
	set localnet6 {
		type ipv6_addr
		flags interval
		elements = { fe80::/10, fd00::/8 }
	}

	# Address -> verdict maps. They are declared without elements, so entries
	# are presumably added at runtime - confirm how they are populated.
	# poly_u_* is matched on the source address in PREROUTING,
	# poly_d_* on the destination address in POSTROUTING.
	map poly_u_4 {
		type ipv4_addr : verdict
		flags interval
		counter
	}

	map poly_d_4 {
		type ipv4_addr : verdict
		flags interval
		counter
	}

	map poly_u_6 {
		type ipv6_addr : verdict
		flags interval
		counter
	}

	map poly_d_6 {
		type ipv6_addr : verdict
		flags interval
		counter
	}

	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
		# Local-to-local traffic skips the per-address maps. goto does not
		# return to this chain, so once inet_down ends the policy (accept) applies.
		ip daddr @localnet4 ip saddr @localnet4 goto inet_down
		ip6 daddr @localnet6 ip6 saddr @localnet6 goto inet_down
		# Everything else: verdict selected by destination address.
		# An address with no map entry falls through to policy accept.
		ip daddr vmap @poly_d_4
		ip6 daddr vmap @poly_d_6
	}

	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
		# Same local-to-local bypass as in POSTROUTING.
		# NOTE(review): this trusts the packet's source address; verify that
		# reverse-path filtering or an equivalent anti-spoofing check is in
		# place, otherwise a forged local source address skips the poly_u_* lookup.
		ip daddr @localnet4 ip saddr @localnet4 goto inet_down
		ip6 daddr @localnet6 ip6 saddr @localnet6 goto inet_down
		# Everything else: verdict selected by source address.
		# An address with no map entry falls through to policy accept.
		ip saddr vmap @poly_u_4
		ip6 saddr vmap @poly_u_6
	}

	chain inet_down {
		# If from localnet - accept
		# NOTE(review): the comment above is assumed to end before "limit";
		# on the one-line original it would also comment out the rule and the
		# closing braces.
		# A single limiter is shared by every packet that reaches this chain
		# (it is not per address): packets over the rate are counted and
		# dropped, the rest run off the end of the chain and are accepted.
		# 10000000 kbytes/second is roughly 10 GB/s, so this looks like a
		# placeholder - set a real ceiling before relying on it.
		limit rate over 10000000 kbytes/second counter drop
	}
}