nftables: Split rate limiting rules into multiple lines.

Viyurz 2024-02-25 19:07:39 +01:00
parent d7190fcf6e
commit 675762fe6d
Signed by: Viyurz
SSH key fingerprint: SHA256:IskOHTmhHSJIvAt04N6aaxd5SZCVWW1Guf9tEcxIMj8


@ -37,11 +37,17 @@ table inet filter {
# Prevent DDoS
# Rate limiting
meta nfproto ipv4 meter ratelimit4 { ip saddr limit rate over 50/second } add @blackhole_ipv4 { ip saddr }
meta nfproto ipv6 meter ratelimit6 { ip6 saddr limit rate over 50/second } add @blackhole_ipv6 { ip6 saddr }
meta nfproto ipv4 meter ratelimit4 \
{ ip saddr limit rate over 50/second burst 5 packets } \
add @blackhole_ipv4 { ip saddr }
meta nfproto ipv6 meter ratelimit6 \
{ ip6 saddr limit rate over 50/second burst 5 packets } \
add @blackhole_ipv6 { ip6 saddr }
# Max concurrent connections
meta nfproto ipv4 meter connlimit4 { ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr }
meta nfproto ipv6 meter connlimit6 { ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr }
meta nfproto ipv4 meter connlimit4 \
{ ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr }
meta nfproto ipv6 meter connlimit6 \
{ ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr }
# Allow ICMP
meta l4proto icmp accept