authorGregor Kleen <gkleen@yggdrasil.li>2021-12-09 09:57:54 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2021-12-09 09:57:54 +0100
commit2e1de64766421a90588d6a7dc345ec556bb69bff (patch)
tree2c48970213ca599a0fd14cbf3e63cc50f7bee39d
parentb94928f5fbfc3b2c49384c66577231c2ad5a13df (diff)
vidhar: nftables...
-rw-r--r--hosts/vidhar/ruleset.nft29
1 files changed, 29 insertions, 0 deletions
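--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -1,5 +1,34 @@
 define icmp_protos = { ipv6-icmp, icmp, igmp }
 
+table arp filter {
+  limit lim_arp_local {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+  limit lim_arp_dsl {
+    rate over 1400 kbytes/second burst 1400 kbytes
+  }
+
+  chain input {
+    type filter hook input priority filter
+    policy accept
+
+    oifname != dsl limit name lim_arp_local counter drop
+    oifname dsl limit name lim_arp_dsl counter drop
+
+    counter
+  }
+
+  chain output {
+    type filter hook output priority filter
+    policy accept
+
+    oifname != dsl limit name lim_arp_local counter drop
+    oifname dsl limit name lim_arp_dsl counter drop
+
+    counter
+  }
+}
+
 table inet filter {
   limit lim_reject {
     rate over 1000/second burst 1000 packets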
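Review bot: The two limit rules in `chain input` of the new `table arp filter` match on `oifname`, but a packet traversing the input hook has no output interface, so as written neither rule can ever match and incoming ARP is never rate-limited — only the trailing bare `counter` runs in that chain. The input rules should key on the ingress interface instead: `iifname != dsl limit name lim_arp_local counter drop` and `iifname dsl limit name lim_arp_dsl counter drop`; the `oifname` matches in `chain output` are fine as they are. Since the 50 mbytes/s and 1400 kbytes/s budgets are otherwise unexplained, a one-line comment above the table such as `# ARP flood protection: separate byte budgets for the local segment and the DSL uplink` would help the next reader judge whether they still fit the links. After the change, the per-rule counters in the input chain are the quickest way to confirm the limits are actually being hit.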