List: netfilter
Subject: limit usage
From: Ignacio Freyre <nachofw () hotmail ! com>
Date: 2022-06-28 11:26:17
Message-ID: FRBP284MB01856E4314EE564A2124614BB5B89 () FRBP284MB0185 ! BRAP284 ! PROD ! OUTLOOK ! COM
Hi guys, I'm hoping you can clarify nftables' usage of the kernel's conntrack.
I've been having some DDoS attacks on my DNS servers, so I used the notrack flag to avoid filling the conntrack table, like so:
> add table ip raw
> add chain ip raw PREROUTING { type filter hook prerouting priority -300; policy accept; }
> add rule ip raw PREROUTING iif eno1 ip protocol { tcp, udp } th dport 53 counter notrack
But then I thought of also rate limiting by IPv4 source address. I was wondering if you could clarify, in the case of the usage of the "limit" functionality, whether nftables is using the conntrack table or its own memory for the following config, for the purpose of tracking the amount of packets that already arrived on the interface by source IP.
> add set my_filter_table dns_meter { type ipv4_addr . inet_service; flags timeout, dynamic; }
> add rule my_filter_table my_input_chain tcp dport 53 ct state new add @dns_meter { ip saddr . tcp dport timeout 60s limit rate 20/second } accept
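The two rules above, combined into one ruleset as an added example (this is not part of the original message and not the poster's own config). Two points it makes concrete: a dynamic set keeps its elements, and the per-element limit counters, in nftables' own set memory, not in the conntrack table, and they expire on the element timeout; and because the notrack rule in the raw hook skips conntrack for port 53, those packets later carry ct state "untracked", so a meter rule guarded by "ct state new" never matches them. The meter here therefore keys on source address and destination port without any ct state test. The table name "dns_guard", the interface "eno1", the set size, the 20/second rate and the 5-packet burst are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original message). Assumed names: table
# "dns_guard", interface "eno1". Load with: nft -f dns_guard.nft

table ip dns_guard
delete table ip dns_guard      # makes re-loading the file idempotent

table ip dns_guard {
    # Dynamic set, keyed on source address and destination port. Elements
    # and their limit state live in this set, separate from the conntrack
    # table, and are removed 60s after the last packet that touched them.
    # "size" bounds how many sources a flood can make the set remember.
    set dns_meter {
        type ipv4_addr . inet_service
        flags dynamic, timeout
        timeout 60s
        size 65535
    }

    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        # Skip conntrack for DNS so a query flood cannot fill the
        # conntrack table. Matching packets get ct state "untracked".
        iifname "eno1" meta l4proto { tcp, udp } th dport 53 counter notrack
    }

    chain input {
        type filter hook input priority filter; policy accept;
        # No "ct state new" here: these packets are untracked, so that
        # test would never match. Add the (saddr, dport) element and drop
        # once this source exceeds 20 queries/second (burst of 5).
        iifname "eno1" meta l4proto { tcp, udp } th dport 53 \
            add @dns_meter { ip saddr . th dport limit rate over 20/second burst 5 packets } \
            counter drop
        iifname "eno1" meta l4proto { tcp, udp } th dport 53 counter accept
    }
}
```

Inspect the live elements and their remaining lifetime with `nft list set ip dns_guard dns_meter`; they appear and age out independently of `conntrack -L`, which will show no entries for the port 53 traffic at all. The "limit rate over" form matches when the rate is exceeded and drops, so packets within the budget fall through to the accept rule; the poster's "limit rate 20/second ... accept" form does the reverse and needs a drop rule after it for the excess.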