nftables: Split rate limiting rules into multiple lines.

This commit is contained in:
Viyurz 2024-02-25 19:07:39 +01:00
parent d7190fcf6e
commit 675762fe6d
Signed by: Viyurz
SSH key fingerprint: SHA256:IskOHTmhHSJIvAt04N6aaxd5SZCVWW1Guf9tEcxIMj8

View file

@ -37,11 +37,17 @@ table inet filter {
# Prevent DDoS # Prevent DDoS
# Rate limiting # Rate limiting
meta nfproto ipv4 meter ratelimit4 { ip saddr limit rate over 50/second } add @blackhole_ipv4 { ip saddr } meta nfproto ipv4 meter ratelimit4 \
meta nfproto ipv6 meter ratelimit6 { ip6 saddr limit rate over 50/second } add @blackhole_ipv6 { ip6 saddr } { ip saddr limit rate over 50/second burst 5 packets } \
add @blackhole_ipv4 { ip saddr }
meta nfproto ipv6 meter ratelimit6 \
{ ip6 saddr limit rate over 50/second burst 5 packets } \
add @blackhole_ipv6 { ip6 saddr }
# Max concurrent connections # Max concurrent connections
meta nfproto ipv4 meter connlimit4 { ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr } meta nfproto ipv4 meter connlimit4 \
meta nfproto ipv6 meter connlimit6 { ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr } { ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr }
meta nfproto ipv6 meter connlimit6 \
{ ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr }
# Allow ICMP # Allow ICMP
meta l4proto icmp accept meta l4proto icmp accept