Optimize hashlimits, add back http/https hashlimit and change openrc service to use iptables_name

config/iptables/APKBUILD

@@ -3,7 +3,7 @@
 
 . ../APKBUILD-config.template
 
-pkgver=2021.06.04.06
+pkgver=2021.06.04.10
 pkgrel=0
 source="
 	filter
@@ -36,6 +36,8 @@ source="
 
 	mumble/70-mumble-any-filter-port
 
+	haproxy/60-haproxy-v4-filter-conntrack
+	haproxy/60-haproxy-v6-filter-conntrack
 	haproxy/70-haproxy-any-filter-port
 
 	unbound/70-unbound-any-filter-port
@@ -111,17 +113,19 @@ ff3bd322ced88f5dccc8679149bc2eab401835d4e7e389ab210c1eb723815db393135f64fc787a33
 008b4085ad6564ac7627389644891b707f6fa7b7c44b8c0526eb6c9093f7ef7ed891350b9497968052cc404c56af938a133a022ebbc1a0ccd292137a2284ac7d  90-base-any-filter-established
 211aa2d5943b66f0d20afb9e006a610c6e0ac551030c5656bbfa6680aa1f1ccfba9f45cf2a64d679ff863843923143dfc118af5b336f175d0e696dbe3545a0d5  50-ipset-v4-filter
 f7e0a3814cefcaf975d7d2433523c2297d8bd8dc5915fdb342d56ee89c5491ca334d099d43f853ab899c82420379a2f1ff7f5d7da62344be481ddfa5d8dd5c0d  50-ipset-v6-filter
-5f2c5627dddb8ca46f3aa2404d63cfb1f62c776176c558448f9994b833155b9dc4ba23468e22ef78e75ba5e581a7ecde14421eff7e44b4e5a80da5ec6ac5f3bd  60-dovecot-v4-filter-conntrack
-2aa5764ab47c26403d18a0b24013fbdfc5dcc8da298f35a6f186879d5c688a3657c85e41edfeb1cca184e31b71639982f5a73fdabde2cf9020fdc3274511c7b6  60-dovecot-v6-filter-conntrack
+5e76bd9c8fd93a2778a13417dd5bb4c5a9bb1195a45f3059e962e89c5cbc162a8c5930ed6238606d616ec1ac3b1b08353f1c0d77b54fdd8b16e7f759992e3dfd  60-dovecot-v4-filter-conntrack
+f6d0ae7d84222e374a06cc9b9847c25cc75402f361d9d55932d6d704b941fe919823fd0d939a197e18484e9b9f1b4c545b44258f9d281d675a778033d752e74d  60-dovecot-v6-filter-conntrack
 66ba931f2cf26cdad2fd8497c4545d2a1b309a7ba2a8e9f6455c7c4ddc40558100f7675e7bb31595f42688d525881698f2686496f626ce7361ee9bc9a1c6cb67  70-dovecot-any-filter-services
-6d341461542129e4cfaab7f55a43477f480208baccb8ac9b408eca99fe7119122fbdf6d6c1fa254c16e8acdebc1494280f41e5d7d64fc66cfb1a84e754578b53  60-postfix-v4-filter-conntrack
-df42a332cfa7bdad3671550e8a431076cb9597e46869b0c35ae8b7f50b34022cd7fd941c6405959ff9b51803571f24def6cbfb8d5b0f2e49668f7c94b0b12c47  60-postfix-v6-filter-conntrack
+4e3fcfec708b7bdefbc9a012371b10e9cd18ca4811caad807f46dc7affc3e24da1b667507d0392d233e36ea9e75c9da9feeca0345613983cfdfa50ac03c8b2ec  60-postfix-v4-filter-conntrack
+d9f28582a905d610289a91ffa91a9ff82e26072a143b08539504a08d818ac0ee264fc3f5e257693f1e6aef710e8f9bfea27e68a11066e2b3fe2ed81414deb28b  60-postfix-v6-filter-conntrack
 4b996d18ba997d6103e00b6f3c69f300764205cc2d1549909f832a0fd4b7ea05d59210d8b761c226cf5ba10ddc5f83141953ee3e8828e2e9044921f900357028  70-postfix-any-filter-services
 0b9a8faa498823b619cbe00b9d21cee2484c1a1061741a17b2456d7dce30d415b4fb591cc9064e63c372963a4305e7295d1c62919b01ef0bb0a7e16f40e5c228  60-wireguard-v4-nat-masquerade
 c0a8bbd3aad096ac8722aced6b24aa1e51d8fefc3b7e5a3218247c199b19ca0fa96c3e4b51f162cfbe836fcc50e20b0821c9babe1fe54b24a192da43c8596622  60-wireguard-v6-nat-masquerade
 d83970e5c451ad42429ea097cb8bdd4ada7d58dc34c58720908bac3ca3bb2e58213da04055a2e9b88e380642d3b2f40b4395df9c23a8e2dfe25956cc09947e13  70-wireguard-any-filter-port
 852d065f7d0500af4eb76bcb6505a4dce7c9cf1d215573ebb3242764f2247fb47f1665d68cb0b213055b6b1a2224e0d667b3d101caa7cda36f5f1ccac2a25850  80-wireguard-any-filter-forward
 dc5bdd07e0a26f0f1c448c38fdd6c485ef5918868001ed159cb77f8fbb270d4af139beb5e1b3baae7fb168e7c6fa57d971fa3cc1a06ed0b11b7ce0f1fc4dcd29  70-mumble-any-filter-port
+fe517b6a5a8cd875f1fda14ad2c6be21466efa831a7b6beb827e0036459f8184254dca048ce8897083d9b9173bf4a649a615ac953de3884134ebaca7f10e5b5c  60-haproxy-v4-filter-conntrack
+14e01096a0916b459957f97aa4a5a90e4d1f9214de21f67271bfbebc6edd02592074803cd0df0c8802f65328da85d2cd8b1c7e7f6707018526285bd78afbc3ca  60-haproxy-v6-filter-conntrack
 78c9007babe35b6f6696fec9f5b002184d45d373bfce8ea9ac02183f931f0f6fe3b704a6b4f6d39c56299b88baf063a7e88396eb95f202b203a2472514a876c0  70-haproxy-any-filter-port
 228b67e5e8174191c1e6d7c5a4fa57d723936bb17ec21e290080f639d92e72c4d923c6df4726be6112215669e71c540f574b52f1b8197cd128629589ef285a34  70-unbound-any-filter-port
 2e9fec439d8e752f4397c35278595208ffe63d50c028e00e85f9e2018f14c6a46c270476c302c1b175c3edc3a34f69900afcc0a857e2cd806c511950e0ca487a  70-transmission-any-filter-port

config/iptables/dovecot/60-dovecot-v4-filter-conntrack

@@ -1,2 +1,2 @@
--A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 143 -m hashlimit --hashlimit-above 2/min --hashlimit-burst 20 --hashlimit-name imap_bans -j SET --add-set netwide4 src --exist
--A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -m hashlimit --hashlimit-above 2/min --hashlimit-burst 20 --hashlimit-name imap_tls_bans -j SET --add-set netwide4 src --exist
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 143 -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-above 2/min --hashlimit-burst 30 --hashlimit-name globalhash4 -j SET --add-set netwide4 src --exist
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-above 4/min --hashlimit-burst 30 --hashlimit-name globalhash4 -j SET --add-set netwide4 src --exist

config/iptables/dovecot/60-dovecot-v6-filter-conntrack

@@ -1,2 +1,2 @@
--A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 143 -m hashlimit --hashlimit-above 2/min --hashlimit-burst 20 --hashlimit-name imap_bans -j SET --add-set netwide6 src --exist
--A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -m hashlimit --hashlimit-above 2/min --hashlimit-burst 20 --hashlimit-name imap_tls_bans -j SET --add-set netwide6 src --exist
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 143 -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-above 2/min --hashlimit-burst 30 --hashlimit-name globalhash6 -j SET --add-set netwide6 src --exist
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-above 4/min --hashlimit-burst 30 --hashlimit-name globalhash6 -j SET --add-set netwide6 src --exist

config/iptables/haproxy/60-haproxy-v4-filter-conntrack

@@ -0,0 +1,2 @@
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-above 10/sec --hashlimit-burst 100 --hashlimit-name globalhash4 -j SET --add-set netwide4 src --exist
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-above 20/sec --hashlimit-burst 100 --hashlimit-name globalhash4 -j SET --add-set netwide4 src --exist

config/iptables/haproxy/60-haproxy-v6-filter-conntrack

@@ -0,0 +1,2 @@
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-above 10/sec --hashlimit-burst 100 --hashlimit-name globalhash6 -j SET --add-set netwide6 src --exist
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-above 20/sec --hashlimit-burst 100 --hashlimit-name globalhash6 -j SET --add-set netwide6 src --exist

config/iptables/postfix/60-postfix-v4-filter-conntrack

@@ -1,3 +1,3 @@
--A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -m hashlimit --hashlimit-above 2/min --hashlimit-burst 20 --hashlimit-name smtp_bans -j SET --add-set netwide4 src --exist
--A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 465 -m hashlimit --hashlimit-above 2/min --hashlimit-burst 20 --hashlimit-name smtp_tls_bans -j SET --add-set netwide4 src --exist
--A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -m hashlimit --hashlimit-above 2/min --hashlimit-burst 20 --hashlimit-name smtp_starttls_bans -j SET --add-set netwide4 src --exist
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-above 2/min --hashlimit-burst 30 --hashlimit-name globalhash4 -j SET --add-set netwide4 src --exist
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 465 -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-above 4/min --hashlimit-burst 30 --hashlimit-name globalhash4 -j SET --add-set netwide4 src --exist
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-above 2/min --hashlimit-burst 30 --hashlimit-name globalhash4 -j SET --add-set netwide4 src --exist

config/iptables/postfix/60-postfix-v6-filter-conntrack

@@ -1,3 +1,3 @@
--A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -m hashlimit --hashlimit-above 2/min --hashlimit-burst 20 --hashlimit-name smtp_bans -j SET --add-set netwide6 src --exist
--A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 465 -m hashlimit --hashlimit-above 2/min --hashlimit-burst 20 --hashlimit-name smtp_tls_bans -j SET --add-set netwide6 src --exist
--A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -m hashlimit --hashlimit-above 2/min --hashlimit-burst 20 --hashlimit-name smtp_starttls_bans -j SET --add-set netwide6 src --exist
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-above 2/min --hashlimit-burst 30 --hashlimit-name globalhash6 -j SET --add-set netwide6 src --exist
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 465 -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-above 4/min --hashlimit-burst 30 --hashlimit-name globalhash6 -j SET --add-set netwide6 src --exist
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-above 2/min --hashlimit-burst 30 --hashlimit-name globalhash6 -j SET --add-set netwide6 src --exist

openrc/iptables/APKBUILD

@@ -4,7 +4,7 @@ _rx_openrc_grpname=firewall
 
 . ../APKBUILD-openrc.template
 
-pkgver=2021.06.04.05
+pkgver=2021.06.04.06
 pkgrel=0
 source="
 	runfile
@@ -24,7 +24,7 @@ package() {
 }
 
 sha512sums="
-fd4848b5a5a0e4af458bd3c4f5b0c48a4a439f6af5f532239f44942daabbe9dcb947052761f626c64d49ef7a935012348665ae890afd8971549a3e7234945244  runfile
+8329ea7e6329b91bda99960b21d1ddb91a7c2fead9e0a8979612e3284f4d86068221fa1d2e9ec2d36567fca40ae54bb5b083d1a261e62281284be756a9f1c5a2  runfile
 d3f45b3412d8aaf00a51ab0de496d2fcac4c9bcc94c67db6b422d70ab66d25ad1fa83cab61b578fe27f6a4c9edaf69a6105bf4362fbabb7b4945eadb078aef42  conffile-4
 450cf3878c271b871f82fe49d40e50f8dd4d14ffe479ffd345d8b089cdeb13dda75f2a0c97bccc12b2a2c63190060dfde68397e5dedee6ab6b9b411714de952c  conffile-6
 "

openrc/iptables/runfile

@@ -65,7 +65,7 @@ checkconfig() {
 start() {
 	checkconfig || return 1
 	restore_file="$(mktemp)"
-	einfo "Merging iptables rules into ${restore_file}"
+	einfo "Merging ${iptables_name} rules into ${restore_file}"
 	for i in "filter" "mangle" "raw" "nat" "security"; do
 		[ -f "${iptables_dir}/$i" ] && cat "${iptables_dir}/$i" "${iptables_dir}/$i-rules"/* "${iptables_dir}/commit" >> "${restore_file}"
 	done