From f9d56d3d2c720daf2679e9d03d75332c9d1bb7d5 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 8 Dec 2021 18:56:01 +0100
Subject: vidhar: nftables...
---
 hosts/vidhar/ruleset.nft | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
index f02031b4..a996d914 100644
--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -1,4 +1,9 @@
 table inet filter {
+ chain reject-rl {
+ limit rate over 1024 / second burst 1024 packets counter drop
+ }
+
+
 chain forward {
 type filter hook forward priority filter
 policy drop
@@ -12,7 +17,10 @@ table inet filter {
 meta l4proto igmp counter accept
- log prefix "drop forward: " counter
+ log prefix "reject forward: " counter
+ jump reject-rl
+ meta l4proto tcp counter reject with tcp reset
+ counter reject
 }
 chain input {
@@ -21,8 +29,8 @@ table inet filter {
 iifname lo counter accept
- iif != lo ip daddr 127.0.0.1/8 counter drop
- iif != lo ip6 daddr ::1/128 counter drop
+ iif != lo ip daddr 127.0.0.1/8 counter reject
+ iif != lo ip6 daddr ::1/128 counter reject
 ct state {established, related} counter accept
@@ -36,7 +44,11 @@ table inet filter {
 meta l4proto icmp counter accept
 meta l4proto igmp counter accept
- log prefix "drop input: " counter
+
+ log prefix "reject input: " counter
+ jump reject-rl
+ meta l4proto tcp counter reject with tcp reset
+ counter reject
 }
 chain output {
-- 
cgit v1.2.3
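Review bot: The new `reject-rl` chain carries no comment explaining what its one rule is for, and `limit rate over 1024 / second burst 1024 packets counter drop` is a single budget shared by every caller rather than a per-source one, so a single peer exceeding the threshold causes rejects for all other peers to be dropped silently for the duration. Whether that trade-off is intended is not visible from the ruleset; a comment such as `# global cap on reject replies: anything above the rate is dropped silently so the host cannot be used to amplify reject traffic` would record the intent and the accepted side effect. The closing brace of `table inet filter` lies outside this hunk.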
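Review bot: In the forward chain the rule `log prefix "reject forward: " counter` is evaluated before `jump reject-rl`, so every packet that reaches the end of the chain is logged unconditionally while only the reject reply that follows is rate-limited; the same ordering appears in the input-chain hunk (`@@ -36,7 +44,11 @@`) with `log prefix "reject input: " counter`. Under a flood this fills the log at line rate even though the kernel stops replying, which is the opposite of what the new chain is meant to contain. Either move `jump reject-rl` above the log rule in both chains, so over-limit packets are dropped before they are logged, or bound the log rule itself, e.g. `limit rate 10/second log prefix "reject forward: " counter`. The `chain forward {` header is outside this hunk.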
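Review bot: The two loopback anti-spoof rules `iif != lo ip daddr 127.0.0.1/8 counter reject` and `iif != lo ip6 daddr ::1/128 counter reject` now answer instead of dropping, and they sit well above the `jump reject-rl` rule added at the end of the input chain, so they are not covered by the new rate limit. A packet that arrives from a non-loopback interface with a loopback destination is forged by construction, and its source address is equally untrustworthy, so replying with ICMP unreachable per packet turns this host into a reflector toward whatever source the sender chose; `drop` was the safer verdict for these two rules, or if a reject is wanted `jump reject-rl` should precede them as it does for the chain's final rules. The enclosing `chain input {` starts outside this hunk.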