Shorten rules and fix behaviour of meters

2021-06-20 14:20:08 +00:00 · 2021-06-20 14:20:08 +00:00 · 57293a6ce7
parent ae88d3bee0
commit 57293a6ce7
4 changed files with 8 additions and 14 deletions
--- a/config/nftables/APKBUILD
+++ b/config/nftables/APKBUILD
@ -3,9 +3,9 @@

 . ../APKBUILD-config.template

-pkgver=2021.06.19.04
+pkgver=2021.06.20.04
 pkgrel=0
-options="!check" # check requires root???????
+options="!check" # check requires root?

 subpackages="
 	$pkgname-base
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base
@ -1,2 +1,2 @@
-ct state new iifname "eth0" limit rate over 1/second burst 50 packets add @blackhole4 { ip  saddr } counter;
-ct state new iifname "eth0" limit rate over 1/second burst 50 packets add @blackhole6 { ip6 saddr } counter;
+ct state new iifname "eth0" meter global4 { ip  saddr timeout 1m limit rate over 1/second burst 50 packets } add @blackhole4 { ip  saddr } counter;
+ct state new iifname "eth0" meter global6 { ip6 saddr timeout 1m limit rate over 1/second burst 50 packets } add @blackhole6 { ip6 saddr } counter;
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/dovecot
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/dovecot
@ -1,4 +1,2 @@
-tcp dport 143 ct state new limit rate over 4/minute burst 10 packets add @blackhole4 { ip  saddr } counter;
-tcp dport 143 ct state new limit rate over 4/minute burst 10 packets add @blackhole6 { ip6 saddr } counter;
-tcp dport 993 ct state new limit rate over 4/minute burst 10 packets add @blackhole4 { ip  saddr } counter;
-tcp dport 993 ct state new limit rate over 4/minute burst 10 packets add @blackhole6 { ip6 saddr } counter;
+tcp dport { 143, 993 }  ct state new meter dovecot4 { ip  saddr timeout 1m limit rate over 4/minute burst 10 packets } add @blackhole4 { ip  saddr } counter;
+tcp dport { 143, 993 }  ct state new meter dovecot6 { ip6 saddr timeout 1m limit rate over 4/minute burst 10 packets } add @blackhole6 { ip6 saddr } counter;
--- a/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/postfix
+++ b/config/nftables/nft/inet/redxenfirewall/filter/input/stateful/postfix
@ -1,6 +1,2 @@
-tcp dport 25  ct state new limit rate over 4/minute burst 20 packets add @blackhole4 { ip  saddr } counter;
-tcp dport 25  ct state new limit rate over 4/minute burst 20 packets add @blackhole6 { ip6 saddr } counter;
-tcp dport 465 ct state new limit rate over 4/minute burst 20 packets add @blackhole4 { ip  saddr } counter;
-tcp dport 465 ct state new limit rate over 4/minute burst 20 packets add @blackhole6 { ip6 saddr } counter;
-tcp dport 587 ct state new limit rate over 4/minute burst 20 packets add @blackhole4 { ip  saddr } counter;
-tcp dport 587 ct state new limit rate over 4/minute burst 20 packets add @blackhole6 { ip6 saddr } counter;
+tcp dport { 25, 465, 587 }  ct state new meter postfix4 { ip  saddr timeout 1m limit rate over 4/minute burst 20 packets } add @blackhole4 { ip  saddr } counter;
+tcp dport { 25, 465, 587 }  ct state new meter postfix6 { ip6 saddr timeout 1m limit rate over 4/minute burst 20 packets } add @blackhole6 { ip6 saddr } counter;