author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-08 21:46:34 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-08 21:46:34 +0100 |
commit | 1f3b17295865aec3eefeb0d8faece57eafe958a4 (patch) | |
tree | 3faf3cb75a50dd70f72f73e006df7125ec2a71de /hosts/vidhar/ruleset.nft | |
parent | 1bbe055b5a8572bf5b719e7476f6e15ad2a35de1 (diff) | |
download | nixos-1f3b17295865aec3eefeb0d8faece57eafe958a4.tar nixos-1f3b17295865aec3eefeb0d8faece57eafe958a4.tar.gz nixos-1f3b17295865aec3eefeb0d8faece57eafe958a4.tar.bz2 nixos-1f3b17295865aec3eefeb0d8faece57eafe958a4.tar.xz nixos-1f3b17295865aec3eefeb0d8faece57eafe958a4.zip |
vidhar: nftables: named reject limit
Diffstat (limited to 'hosts/vidhar/ruleset.nft')
-rw-r--r-- | hosts/vidhar/ruleset.nft | 10 |
1 files changed, 4 insertions, 6 deletions
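--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -1,6 +1,6 @@
 table inet filter {
-chain reject-rl {
-limit rate over 1000 / second burst 1000 packets counter drop
+limit lim_reject {
+rate over 1000 / second burst 1000 packets
 }
 
 
@@ -17,11 +17,10 @@ table inet filter {
 meta l4proto igmp counter accept
 
 
+limit name lim_reject log prefix "drop forward: " counter drop
 log prefix "reject forward: " counter
-jump reject-rl
 meta l4proto tcp ct state new counter reject with tcp reset
 ct state new counter reject
-counter
 }
 
 chain input {
@@ -46,11 +45,10 @@ table inet filter {
 meta l4proto igmp counter accept
 
 
+limit name lim_reject log prefix "drop input: " counter drop
 log prefix "reject input: " counter
-jump reject-rl
 meta l4proto tcp ct state new counter reject with tcp reset
 ct state new counter reject
-counter
 }
 
 chain output {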
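Review bot: The new rule `limit name lim_reject log prefix "drop forward: " counter drop` (and its twin `limit name lim_reject log prefix "drop input: " counter drop` in the third hunk) logs every packet that is over the 1000/second budget, so during a flood the kernel log volume grows with the flood rate — the named limit bounds the reject work but not the logging. This is not a regression: in the old layout `log prefix "reject forward: "` ran before the `jump reject-rl`, so every packet was logged there too, but the rewrite is a natural place to close it. The cheapest fix is to rely on the `counter` for the over-limit path and remove `log` from that rule; if a log line is wanted, it should sit in its own rule behind a separate low-rate limit rather than reuse `lim_reject`, since a second rule referencing the same named object appears to consume the shared token bucket a second time per packet. Note also that `lim_reject` is now one explicit object shared by the forward and input chains, so traffic in one chain drains the other's budget — that matches the old shared `reject-rl` chain, but a one-line comment at the `limit lim_reject {` definition such as `# shared budget for input and forward reject paths` would make the coupling visible to the next editor.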