RedXen
/
aports
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Use net hashmaps and add global conntrack

This commit is contained in:
Alex D. 2021-06-10 18:50:22 +00:00
parent fe18a6d207
commit fda31ec2b5
Signed by: caskd
GPG Key ID: F92BA85F61F4C173
6 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
config/ipset/APKBUILD
View File

@ -3,7 +3,7 @@
. ../APKBUILD-config.template
pkgver=2021.06.01.03
pkgver=2021.06.09.01
pkgrel=0
source="
netwide4
@ -11,6 +11,6 @@ source="
"
sha512sums="
0c70b7b82c481ebcd755d4cf9a3c8d3490d1ea022158e32d1a4cf26152e9482858aeb09d7b68600e3d60312eba6d938a82bfa8012f2a19216dec69f05db4a250 netwide4
dccd10b2fe5960bcf6466b27fabfbc5c80df40d33e744e84bd013c4b12e2fbb9fe4555568debb3cbbe851ff88f7b733ff19706073f2f29295d336a36efca4d07 netwide6
d64ec79084e9cd635a5ad7f1ffeedb1e3a4eef2606c209babb0bf14a2712b23476e07cd270656b4bef5df5ef985a73750eea54f6fcf47d01da46078a8156eed9 netwide4
458814df915e5ce04db77b25638560e634f27d70172fce12ac4bde5ceeb326aced11e8659d4257bf91543427d11059ff8f5c9ceabe74b45a527cf288985ba912 netwide6
"

2
config/ipset/netwide4
View File

@ -1 +1 @@
hash:ip family inet hashsize 4096 maxelem 65536 timeout 3600
hash:net family inet hashsize 4096 maxelem 65536 timeout 3600 counters

2
config/ipset/netwide6
View File

@ -1 +1 @@
hash:ip family inet6 hashsize 4096 maxelem 65536 timeout 3600
hash:net family inet6 hashsize 4096 maxelem 65536 timeout 3600 counters

6
config/iptables/APKBUILD
View File

@ -3,7 +3,7 @@
. ../APKBUILD-config.template
pkgver=2021.06.06.01
pkgver=2021.06.09.01
pkgrel=0
source="
filter
@ -111,8 +111,8 @@ f5a2eab77980fdff6ac81866a9d666da2e50962a3e0eb6d7d327a01aa5448905b6134108c77bcd8b
9c96080d7b378dd43f858f54b8b2f772ad23cd777aa22a8d22eb64f29e696419315a9528c422de9fbcfc9d038d37da4a1ab138e156160d2e212e43e3cc851273 25-base-v4-filter-icmp
ff3bd322ced88f5dccc8679149bc2eab401835d4e7e389ab210c1eb723815db393135f64fc787a33d4441f87e3c0a45e33ba4abdbae778552116043dba1816be 25-base-v6-filter-icmp
008b4085ad6564ac7627389644891b707f6fa7b7c44b8c0526eb6c9093f7ef7ed891350b9497968052cc404c56af938a133a022ebbc1a0ccd292137a2284ac7d 90-base-any-filter-established
211aa2d5943b66f0d20afb9e006a610c6e0ac551030c5656bbfa6680aa1f1ccfba9f45cf2a64d679ff863843923143dfc118af5b336f175d0e696dbe3545a0d5 50-ipset-v4-filter
f7e0a3814cefcaf975d7d2433523c2297d8bd8dc5915fdb342d56ee89c5491ca334d099d43f853ab899c82420379a2f1ff7f5d7da62344be481ddfa5d8dd5c0d 50-ipset-v6-filter
a690ab21d943e020219a4941fffe9388fa523e36d72ac9aa1d7cc0974828bafea68de3b55f6faf6f60693f2b5af60d50af3574fcf21a0379e6257f3a980f2a7e 50-ipset-v4-filter
9428b8aef2041a27d169ec5c901f0a3fd05b4d1a944d607691496f74c8cb4f52f87d1ff8b382c83ae69a2079f9b9e8f7bff75dbfef8d758966ddcbac8e6c1852 50-ipset-v6-filter
5e76bd9c8fd93a2778a13417dd5bb4c5a9bb1195a45f3059e962e89c5cbc162a8c5930ed6238606d616ec1ac3b1b08353f1c0d77b54fdd8b16e7f759992e3dfd 60-dovecot-v4-filter-conntrack
f6d0ae7d84222e374a06cc9b9847c25cc75402f361d9d55932d6d704b941fe919823fd0d939a197e18484e9b9f1b4c545b44258f9d281d675a778033d752e74d 60-dovecot-v6-filter-conntrack
66ba931f2cf26cdad2fd8497c4545d2a1b309a7ba2a8e9f6455c7c4ddc40558100f7675e7bb31595f42688d525881698f2686496f626ce7361ee9bc9a1c6cb67 70-dovecot-any-filter-services

1
config/iptables/ipset/50-ipset-v4-filter
View File

@ -1 +1,2 @@
-A INPUT -m set --match-set netwide4 src -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m hashlimit --hashlimit-mode srcip --hashlimit-above 1/sec --hashlimit-burst 200 --hashlimit-name globalhash4 -j SET --add-set netwide4 src --exist

1
config/iptables/ipset/50-ipset-v6-filter
View File

@ -1 +1,2 @@
-A INPUT -m set --match-set netwide6 src -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m hashlimit --hashlimit-mode srcip --hashlimit-above 1/sec --hashlimit-burst 200 --hashlimit-name globalhash6 -j SET --add-set netwide6 src --exist