vidhar: nftables...

author: Gregor Kleen <gkleen@yggdrasil.li> 2021-12-09 09:57:54 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2021-12-09 09:57:54 +0100
commit: 2e1de64766421a90588d6a7dc345ec556bb69bff (patch)
tree: 2c48970213ca599a0fd14cbf3e63cc50f7bee39d
parent: b94928f5fbfc3b2c49384c66577231c2ad5a13df (diff)
download: nixos-2e1de64766421a90588d6a7dc345ec556bb69bff.tar
nixos-2e1de64766421a90588d6a7dc345ec556bb69bff.tar.gz
nixos-2e1de64766421a90588d6a7dc345ec556bb69bff.tar.bz2
nixos-2e1de64766421a90588d6a7dc345ec556bb69bff.tar.xz
nixos-2e1de64766421a90588d6a7dc345ec556bb69bff.zip
1 files changed, 29 insertions, 0 deletions
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
index 100d9823..8421f78a 100644
--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -1,5 +1,34 @@
 define icmp_protos = { ipv6-icmp, icmp, igmp }
+table arp filter {
+  limit lim_arp_local {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+  limit lim_arp_dsl {
+    rate over 1400 kbytes/second burst 1400 kbytes
+  }
+  chain input {
+    type filter hook input priority filter
+    policy accept
+    oifname != dsl limit name lim_arp_local counter drop
+    oifname dsl limit name lim_arp_dsl counter drop
+    counter
+  }
+  chain output {
+    type filter hook output priority filter
+    policy accept
+    oifname != dsl limit name lim_arp_local counter drop
+    oifname dsl limit name lim_arp_dsl counter drop
+    counter
+  }
+}
 table inet filter {
  limit lim_reject {
    rate over 1000/second burst 1000 packets
author	Gregor Kleen <gkleen@yggdrasil.li>	2021-12-09 09:57:54 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2021-12-09 09:57:54 +0100
commit	2e1de64766421a90588d6a7dc345ec556bb69bff (patch)
tree	2c48970213ca599a0fd14cbf3e63cc50f7bee39d
parent	b94928f5fbfc3b2c49384c66577231c2ad5a13df (diff)
download	nixos-2e1de64766421a90588d6a7dc345ec556bb69bff.tar nixos-2e1de64766421a90588d6a7dc345ec556bb69bff.tar.gz nixos-2e1de64766421a90588d6a7dc345ec556bb69bff.tar.bz2 nixos-2e1de64766421a90588d6a7dc345ec556bb69bff.tar.xz nixos-2e1de64766421a90588d6a7dc345ec556bb69bff.zip

diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft index 100d9823..8421f78a 100644 --- a/hosts/vidhar/ruleset.nft +++ b/hosts/vidhar/ruleset.nft
@@ -1,5 +1,34 @@
1	define icmp_protos = { ipv6-icmp, icmp, igmp }	1	define icmp_protos = { ipv6-icmp, icmp, igmp }
2		2
		3	table arp filter {
		4	limit lim_arp_local {
		5	rate over 50 mbytes/second burst 50 mbytes
		6	}
		7	limit lim_arp_dsl {
		8	rate over 1400 kbytes/second burst 1400 kbytes
		9	}
		10
		11	chain input {
		12	type filter hook input priority filter
		13	policy accept
		14
		15	oifname != dsl limit name lim_arp_local counter drop
		16	oifname dsl limit name lim_arp_dsl counter drop
		17
		18	counter
		19	}
		20
		21	chain output {
		22	type filter hook output priority filter
		23	policy accept
		24
		25	oifname != dsl limit name lim_arp_local counter drop
		26	oifname dsl limit name lim_arp_dsl counter drop
		27
		28	counter
		29	}
		30	}
		31
3	table inet filter {	32	table inet filter {
4	limit lim_reject {	33	limit lim_reject {
5	rate over 1000/second burst 1000 packets	34	rate over 1000/second burst 1000 packets