
List:       netfilter
Subject:    limit usage
From:       Ignacio Freyre <nachofw () hotmail ! com>
Date:       2022-06-28 11:26:17
Message-ID: FRBP284MB01856E4314EE564A2124614BB5B89 () FRBP284MB0185 ! BRAP284 ! PROD ! OUTLOOK ! COM

Hi guys, I'm hoping you can clarify nftables' usage of the kernel's conntrack.

I've been having some DDoS attacks on my DNS servers, so I used the notrack flag to avoid filling the conntrack table, like so:

> add table ip raw
> add chain ip raw PREROUTING { type filter hook prerouting priority -300; policy accept; }
> add rule ip raw PREROUTING iif eno1 ip protocol {tcp, udp} th dport 53 counter notrack

But then I thought of also rate limiting by IPv4 source address, and I was wondering if you could clarify, in the case of the "limit" functionality, whether nftables is using the conntrack table or its own memory for the following config, for the purpose of tracking the number of packets that have already arrived on the interface per source IP.

> add set my_filter_table dns_meter { type ipv4_addr . inet_service\; flags timeout, dynamic \;}
> add rule my_filter_table my_input_chain tcp dport 53 ct state new add @dns_meter { ip saddr . tcp dport timeout 60s limit rate 20/second } accept

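A combined ruleset for the two pieces above, added here as an editor's example and not part of the original message. It assumes the interface name eno1 and the table and chain names from the post, uses the input hook for the meter, and adds a caveat in the comments: packets marked notrack carry ct state untracked, so a meter rule guarded by "ct state new" never fires for them, and the dynamic set lives in nftables' own set storage rather than in the conntrack table.

```nft
# Loadable with: nft -f dns-ratelimit.nft   (example ruleset, not from the original post)
flush ruleset

table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority -300; policy accept;
        # DNS traffic is never entered into conntrack, so a flood
        # cannot fill the conntrack table.
        iif "eno1" ip protocol { tcp, udp } th dport 53 counter notrack
    }
}

table ip my_filter_table {
    set dns_meter {
        type ipv4_addr . inet_service
        flags dynamic, timeout
        # Idle entries expire; "size" bounds the set's own memory so the
        # meter itself cannot be exhausted by many distinct sources.
        timeout 60s
        size 65535
    }

    chain my_input_chain {
        type filter hook input priority 0; policy accept;
        # No "ct state new" here: these packets are untracked after the
        # raw rule above, so that match would never succeed. The meter
        # keys on the packet fields directly and keeps its state in the
        # dynamic set, independent of conntrack.
        iif "eno1" udp dport 53 update @dns_meter { ip saddr . udp dport timeout 60s limit rate over 20/second } counter drop
        iif "eno1" tcp dport 53 update @dns_meter { ip saddr . tcp dport timeout 60s limit rate over 20/second } counter drop
    }
}
```

"update" refreshes the entry's 60s timeout on every packet, and `nft list set ip my_filter_table dns_meter` shows the live per-source entries while a flood is running.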

