authorGregor Kleen <gkleen@yggdrasil.li>2021-12-09 09:29:19 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2021-12-09 09:29:19 +0100
commitca072da5df2f40b4fd652266bf14590bbf661857 (patch)
treef7cb946062bd290f27d2b786f6c6c5a849a8fe79
parent021902ea1d370cf1b3b4c5862eb67354941f2884 (diff)
vidhar: nftables...
-rw-r--r--hosts/vidhar/ruleset.nft23
1 files changed, 15 insertions, 8 deletions
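--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -1,6 +1,13 @@
 table inet filter {
 limit lim_reject {
-rate over 1000 / second burst 1000 packets
+rate over 1000/second burst 1000 packets
+}
+
+limit lim_icmp_local {
+rate 10 mbytes/second burst 10 mbytes
+}
+limit lim_icmp_dsl {
+rate 1 mbytes/second burst 1 mbytes
 }
 
 
@@ -12,12 +19,13 @@ table inet filter {
 ct state invalid log prefix "drop invalid forward: " counter drop
 
 
+iifname lo counter accept
+
 iifname eno1 oifname dsl counter accept
 iifname dsl oifname eno1 ct state {established, related} counter accept
 
-meta l4proto ipv6-icmp counter accept
-meta l4proto icmp counter accept
-meta l4proto igmp counter accept
+oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local accept
+oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl accept
 
 
 limit name lim_reject log prefix "drop forward: " counter drop
@@ -47,11 +55,10 @@ table inet filter {
 meta protocol ip udp dport 51820 counter accept
 udp dport 60000-61000 counter accept
 
-iifname "dsl" meta protocol ip6 udp dport 546 udp sport 547 counter accept
+iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept
 
-meta l4proto ipv6-icmp counter accept
-meta l4proto icmp counter accept
-meta l4proto igmp counter accept
+iifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
+iifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
 
 
 limit name lim_reject log prefix "drop input: " counter drop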
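Review bot: The named limits `lim_icmp_local` and `lim_icmp_dsl` are referenced from both the forward chain (new lines 27–28, the chain whose fallback logs "drop forward: ") and the input chain (new lines 60–61, fallback "drop input: "), and a named limit object in nftables is one shared token bucket, so forwarded ICMP/ICMPv6 and the host's own ICMP on the same interface class draw from a single 1 mbytes/second budget. A burst of forwarded ICMP arriving on dsl can therefore exhaust that bucket and push the host's own ICMPv6 on dsl (neighbor discovery, router advertisements, PMTU feedback) past the accept rule and into the `limit name lim_reject log prefix "drop input: " counter drop` path at line 64. If the two chains are meant to be limited independently, declare a second pair of objects and reference them from the input rules, e.g. `limit lim_icmp_dsl_in { rate 1 mbytes/second burst 1 mbytes }` and `iifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl_in counter accept`. Separately, the forward rules at lines 27–28 omit the `counter` that every neighbouring rule and the input versions at lines 60–61 keep, which makes over-limit behaviour harder to observe from `nft list ruleset`; adding `counter` back keeps the two chains consistent. The enclosing chain blocks begin and end outside the hunks, so the chain policies that apply after these accepts are not visible here.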