nftables: Split rate limiting rules into multiple lines.
This commit is contained in:
parent
d7190fcf6e
commit
675762fe6d
1 changed files with 10 additions and 4 deletions
|
@ -37,11 +37,17 @@ table inet filter {
|
||||||
|
|
||||||
# Prevent DDoS
|
# Prevent DDoS
|
||||||
# Rate limiting
|
# Rate limiting
|
||||||
meta nfproto ipv4 meter ratelimit4 { ip saddr limit rate over 50/second } add @blackhole_ipv4 { ip saddr }
|
meta nfproto ipv4 meter ratelimit4 \
|
||||||
meta nfproto ipv6 meter ratelimit6 { ip6 saddr limit rate over 50/second } add @blackhole_ipv6 { ip6 saddr }
|
{ ip saddr limit rate over 50/second burst 5 packets } \
|
||||||
|
add @blackhole_ipv4 { ip saddr }
|
||||||
|
meta nfproto ipv6 meter ratelimit6 \
|
||||||
|
{ ip6 saddr limit rate over 50/second burst 5 packets } \
|
||||||
|
add @blackhole_ipv6 { ip6 saddr }
|
||||||
# Max concurrent connections
|
# Max concurrent connections
|
||||||
meta nfproto ipv4 meter connlimit4 { ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr }
|
meta nfproto ipv4 meter connlimit4 \
|
||||||
meta nfproto ipv6 meter connlimit6 { ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr }
|
{ ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr }
|
||||||
|
meta nfproto ipv6 meter connlimit6 \
|
||||||
|
{ ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr }
|
||||||
|
|
||||||
# Allow ICMP
|
# Allow ICMP
|
||||||
meta l4proto icmp accept
|
meta l4proto icmp accept
|
||||||
|
|
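Review bot: The rewritten ratelimit4/ratelimit6 rules (the second and fourth added lines of the hunk) carry a new `burst 5 packets` token that the original single-line rules did not have, while the commit title describes the change as a pure line split. If 5 packets is the nftables default burst for packet-rate limits this is a no-op that is worth stating, e.g. `# burst 5 packets matches the nft default; made explicit`, but if it is not the default it changes when a source is blackholed and should be called out in the commit message. A 50/second per-source threshold followed by `add @blackhole_ipv4 { ip saddr }` will also blackhole shared egress addresses (NAT, proxies) after a single burst if the set entries have no timeout; the @blackhole_ipv4/@blackhole_ipv6 set definitions are outside this hunk, so confirm they declare one. The connlimit4/connlimit6 lines are unchanged apart from the line breaks.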