From 675762fe6d125f19fc600094b7513a461864ee95 Mon Sep 17 00:00:00 2001
From: Viyurz
Date: Sun, 25 Feb 2024 19:07:39 +0100
Subject: [PATCH] nftables: Split rate limiting rules into multiple lines.

---
 roles/nftables/templates/nftables.conf | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/roles/nftables/templates/nftables.conf b/roles/nftables/templates/nftables.conf
index 586e0b4..1a715c9 100755
--- a/roles/nftables/templates/nftables.conf
+++ b/roles/nftables/templates/nftables.conf
@@ -37,11 +37,17 @@ table inet filter {
 # Prevent DDoS
 # Rate limiting
- meta nfproto ipv4 meter ratelimit4 { ip saddr limit rate over 50/second } add @blackhole_ipv4 { ip saddr }
- meta nfproto ipv6 meter ratelimit6 { ip6 saddr limit rate over 50/second } add @blackhole_ipv6 { ip6 saddr }
+ meta nfproto ipv4 meter ratelimit4 \
+ { ip saddr limit rate over 50/second burst 5 packets } \
+ add @blackhole_ipv4 { ip saddr }
+ meta nfproto ipv6 meter ratelimit6 \
+ { ip6 saddr limit rate over 50/second burst 5 packets } \
+ add @blackhole_ipv6 { ip6 saddr }
 # Max concurrent connections
- meta nfproto ipv4 meter connlimit4 { ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr }
- meta nfproto ipv6 meter connlimit6 { ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr }
+ meta nfproto ipv4 meter connlimit4 \
+ { ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr }
+ meta nfproto ipv6 meter connlimit6 \
+ { ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr }
 # Allow ICMP
 meta l4proto icmp accept
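Review bot: The subject describes a line-splitting change, but both rate-limit rules also gain `burst 5 packets`, which is not mentioned anywhere; as far as I recall 5 packets is nft's default burst for packet-based limits, so this is probably only making the default explicit, but the commit message should say so and the comment above the rules should record the intent, e.g. `# 50 pkt/s per source (burst 5, the nft default) and 100 concurrent conns per source; offenders are added to @blackhole_*`. Whether these meters see every packet or only new connections depends on an earlier `ct state established,related accept` rule that is outside this hunk; if none precedes them, a single busy legitimate client can exceed 50 pkt/s and blackhole itself, so the comment should also state where in the chain these rules are meant to sit. The lifetime of the `@blackhole_ipv4`/`@blackhole_ipv6` entries (whether the sets carry a timeout) is likewise defined outside the hunk and is worth cross-referencing in the same comment, since without one a false positive is permanent until the ruleset is reloaded. The `meter` keyword is the older form of a dynamic set; keeping it is fine for compatibility, but a one-line note saying so would save the next reader from "modernising" it by accident.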