diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-08 21:46:34 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-08 21:46:34 +0100 |
| commit | 1f3b17295865aec3eefeb0d8faece57eafe958a4 (patch) | |
| tree | 3faf3cb75a50dd70f72f73e006df7125ec2a71de /hosts/vidhar/ruleset.nft | |
| parent | 1bbe055b5a8572bf5b719e7476f6e15ad2a35de1 (diff) | |
| download | nixos-1f3b17295865aec3eefeb0d8faece57eafe958a4.tar nixos-1f3b17295865aec3eefeb0d8faece57eafe958a4.tar.gz nixos-1f3b17295865aec3eefeb0d8faece57eafe958a4.tar.bz2 nixos-1f3b17295865aec3eefeb0d8faece57eafe958a4.tar.xz nixos-1f3b17295865aec3eefeb0d8faece57eafe958a4.zip | |
vidhar: nftables: named reject limit
Diffstat (limited to 'hosts/vidhar/ruleset.nft')
| -rw-r--r-- | hosts/vidhar/ruleset.nft | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft index ae3bb694..5263f97e 100644 --- a/hosts/vidhar/ruleset.nft +++ b/hosts/vidhar/ruleset.nft | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | table inet filter { | 1 | table inet filter { |
| 2 | chain reject-rl { | 2 | limit lim_reject { |
| 3 | limit rate over 1000 / second burst 1000 packets counter drop | 3 | rate over 1000 / second burst 1000 packets |
| 4 | } | 4 | } |
| 5 | 5 | ||
| 6 | 6 | ||
| @@ -17,11 +17,10 @@ table inet filter { | |||
| 17 | meta l4proto igmp counter accept | 17 | meta l4proto igmp counter accept |
| 18 | 18 | ||
| 19 | 19 | ||
| 20 | limit name lim_reject log prefix "drop forward: " counter drop | ||
| 20 | log prefix "reject forward: " counter | 21 | log prefix "reject forward: " counter |
| 21 | jump reject-rl | ||
| 22 | meta l4proto tcp ct state new counter reject with tcp reset | 22 | meta l4proto tcp ct state new counter reject with tcp reset |
| 23 | ct state new counter reject | 23 | ct state new counter reject |
| 24 | counter | ||
| 25 | } | 24 | } |
| 26 | 25 | ||
| 27 | chain input { | 26 | chain input { |
| @@ -46,11 +45,10 @@ table inet filter { | |||
| 46 | meta l4proto igmp counter accept | 45 | meta l4proto igmp counter accept |
| 47 | 46 | ||
| 48 | 47 | ||
| 48 | limit name lim_reject log prefix "drop input: " counter drop | ||
| 49 | log prefix "reject input: " counter | 49 | log prefix "reject input: " counter |
| 50 | jump reject-rl | ||
| 51 | meta l4proto tcp ct state new counter reject with tcp reset | 50 | meta l4proto tcp ct state new counter reject with tcp reset |
| 52 | ct state new counter reject | 51 | ct state new counter reject |
| 53 | counter | ||
| 54 | } | 52 | } |
| 55 | 53 | ||
| 56 | chain output { | 54 | chain output { |