[nftables] Add blackholes counters
parent
e6fce28ee0
commit
9c7ad280f9
1 changed files with 4 additions and 4 deletions
|
@ -41,15 +41,15 @@ table inet filter {
|
|||
# Rate limiting
|
||||
meta nfproto ipv4 meter ratelimit4 \
|
||||
{ ip saddr limit rate over 75/second burst 15 packets } \
|
||||
add @blackhole_ipv4 { ip saddr }
|
||||
add @blackhole_ipv4 { ip saddr } counter
|
||||
meta nfproto ipv6 meter ratelimit6 \
|
||||
{ ip6 saddr limit rate over 75/second burst 15 packets } \
|
||||
add @blackhole_ipv6 { ip6 saddr }
|
||||
add @blackhole_ipv6 { ip6 saddr } counter
|
||||
# Max concurrent connections
|
||||
meta nfproto ipv4 meter connlimit4 \
|
||||
{ ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr }
|
||||
{ ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr } counter
|
||||
meta nfproto ipv6 meter connlimit6 \
|
||||
{ ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr }
|
||||
{ ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr } counter
|
||||
|
||||
# Allow ICMP
|
||||
meta l4proto icmp accept
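Review bot: The `counter` appended after `add @blackhole_ipv4 { ip saddr }` and `add @blackhole_ipv6 { ip6 saddr }` on the four meter rules counts only packets that reach the rule and exceed the limit. That measures blackhole-triggering packets, not traffic dropped from sources already in the sets. The rule that matches on `@blackhole_ipv4` / `@blackhole_ipv6` is outside this hunk, so it is not visible whether it has its own counter; if it does not, blocked volume stays unmeasured, and that rule is where a counter for it belongs. I would add a comment above the `# Rate limiting` block such as `# counters below count packets that triggered a blackhole insert, not packets dropped from blackholed sources`. The four counters are also anonymous and readable only by listing the ruleset; named counter objects declared in the table and referenced as `counter name "blackhole_ratelimit4"` (name constructed here) would let monitoring tell rate-limit triggers from connlimit triggers.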
|
||||
|
|