diff --git a/config/ipset/APKBUILD b/config/ipset/APKBUILD
index b28f0de..da7a307 100644
--- a/config/ipset/APKBUILD
+++ b/config/ipset/APKBUILD
@@ -3,7 +3,7 @@
 . ../APKBUILD-config.template
-pkgver=2021.06.01.03
+pkgver=2021.06.09.01
 pkgrel=0
 source="
 netwide4
@@ -11,6 +11,6 @@ source="
 "
 sha512sums="
-0c70b7b82c481ebcd755d4cf9a3c8d3490d1ea022158e32d1a4cf26152e9482858aeb09d7b68600e3d60312eba6d938a82bfa8012f2a19216dec69f05db4a250 netwide4
-dccd10b2fe5960bcf6466b27fabfbc5c80df40d33e744e84bd013c4b12e2fbb9fe4555568debb3cbbe851ff88f7b733ff19706073f2f29295d336a36efca4d07 netwide6
+d64ec79084e9cd635a5ad7f1ffeedb1e3a4eef2606c209babb0bf14a2712b23476e07cd270656b4bef5df5ef985a73750eea54f6fcf47d01da46078a8156eed9 netwide4
+458814df915e5ce04db77b25638560e634f27d70172fce12ac4bde5ceeb326aced11e8659d4257bf91543427d11059ff8f5c9ceabe74b45a527cf288985ba912 netwide6
 "
diff --git a/config/ipset/netwide4 b/config/ipset/netwide4
index da73eb2..5a9c9cb 100644
--- a/config/ipset/netwide4
+++ b/config/ipset/netwide4
@@ -1 +1 @@
-hash:ip family inet hashsize 4096 maxelem 65536 timeout 3600
+hash:net family inet hashsize 4096 maxelem 65536 timeout 3600 counters
diff --git a/config/ipset/netwide6 b/config/ipset/netwide6
index 0bc8119..eba0932 100644
--- a/config/ipset/netwide6
+++ b/config/ipset/netwide6
@@ -1 +1 @@
-hash:ip family inet6 hashsize 4096 maxelem 65536 timeout 3600
+hash:net family inet6 hashsize 4096 maxelem 65536 timeout 3600 counters
diff --git a/config/iptables/APKBUILD b/config/iptables/APKBUILD
index 0c9f0d8..9be48bf 100644
--- a/config/iptables/APKBUILD
+++ b/config/iptables/APKBUILD
@@ -3,7 +3,7 @@
 . ../APKBUILD-config.template
-pkgver=2021.06.06.01
+pkgver=2021.06.09.01
 pkgrel=0
 source="
 filter
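Review bot: `maxelem 65536` is left unchanged in `config/ipset/netwide4` (and identically in `config/ipset/netwide6`), although this commit also starts populating the set automatically through the `SET --add-set` rules in `50-ipset-v4-filter` and `50-ipset-v6-filter`. When the set is full, further adds should fail, so sources tripping the rate limit would presumably go unblocked until entries age out after `timeout 3600`. I would either size `maxelem` deliberately for automatic insertion or alert on the entry count (for example from `ipset list -t netwide4`). Since the SET target adds one address per entry, the move to `hash:net` looks intended for manually added prefixes; if so, a line in the commit description saying that would help the next reader.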
@@ -111,8 +111,8 @@ f5a2eab77980fdff6ac81866a9d666da2e50962a3e0eb6d7d327a01aa5448905b6134108c77bcd8b
 9c96080d7b378dd43f858f54b8b2f772ad23cd777aa22a8d22eb64f29e696419315a9528c422de9fbcfc9d038d37da4a1ab138e156160d2e212e43e3cc851273 25-base-v4-filter-icmp
 ff3bd322ced88f5dccc8679149bc2eab401835d4e7e389ab210c1eb723815db393135f64fc787a33d4441f87e3c0a45e33ba4abdbae778552116043dba1816be 25-base-v6-filter-icmp
 008b4085ad6564ac7627389644891b707f6fa7b7c44b8c0526eb6c9093f7ef7ed891350b9497968052cc404c56af938a133a022ebbc1a0ccd292137a2284ac7d 90-base-any-filter-established
-211aa2d5943b66f0d20afb9e006a610c6e0ac551030c5656bbfa6680aa1f1ccfba9f45cf2a64d679ff863843923143dfc118af5b336f175d0e696dbe3545a0d5 50-ipset-v4-filter
-f7e0a3814cefcaf975d7d2433523c2297d8bd8dc5915fdb342d56ee89c5491ca334d099d43f853ab899c82420379a2f1ff7f5d7da62344be481ddfa5d8dd5c0d 50-ipset-v6-filter
+a690ab21d943e020219a4941fffe9388fa523e36d72ac9aa1d7cc0974828bafea68de3b55f6faf6f60693f2b5af60d50af3574fcf21a0379e6257f3a980f2a7e 50-ipset-v4-filter
+9428b8aef2041a27d169ec5c901f0a3fd05b4d1a944d607691496f74c8cb4f52f87d1ff8b382c83ae69a2079f9b9e8f7bff75dbfef8d758966ddcbac8e6c1852 50-ipset-v6-filter
 5e76bd9c8fd93a2778a13417dd5bb4c5a9bb1195a45f3059e962e89c5cbc162a8c5930ed6238606d616ec1ac3b1b08353f1c0d77b54fdd8b16e7f759992e3dfd 60-dovecot-v4-filter-conntrack
 f6d0ae7d84222e374a06cc9b9847c25cc75402f361d9d55932d6d704b941fe919823fd0d939a197e18484e9b9f1b4c545b44258f9d281d675a778033d752e74d 60-dovecot-v6-filter-conntrack
 66ba931f2cf26cdad2fd8497c4545d2a1b309a7ba2a8e9f6455c7c4ddc40558100f7675e7bb31595f42688d525881698f2686496f626ce7361ee9bc9a1c6cb67 70-dovecot-any-filter-services
diff --git a/config/iptables/ipset/50-ipset-v4-filter b/config/iptables/ipset/50-ipset-v4-filter
index 450b20e..d48f08b 100644
--- a/config/iptables/ipset/50-ipset-v4-filter
+++ b/config/iptables/ipset/50-ipset-v4-filter
@@ -1 +1,2 @@
 -A INPUT -m set --match-set netwide4 src -j DROP
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m hashlimit --hashlimit-mode srcip --hashlimit-above 1/sec --hashlimit-burst 200 --hashlimit-name globalhash4 -j SET --add-set netwide4 src --exist
diff --git a/config/iptables/ipset/50-ipset-v6-filter b/config/iptables/ipset/50-ipset-v6-filter
index 13f516b..4111b3c 100644
--- a/config/iptables/ipset/50-ipset-v6-filter
+++ b/config/iptables/ipset/50-ipset-v6-filter
@@ -1 +1,2 @@
 -A INPUT -m set --match-set netwide6 src -j DROP
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m hashlimit --hashlimit-mode srcip --hashlimit-above 1/sec --hashlimit-burst 200 --hashlimit-name globalhash6 -j SET --add-set netwide6 src --exist
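Review bot: The added `SET --add-set netwide4 src` rule in `50-ipset-v4-filter` (and its `netwide6` twin in `50-ipset-v6-filter`) bans on `--ctstate NEW`, which is the first packet of a connection, before the handshake has confirmed the source address. Nothing in either file exempts trusted sources from the `--match-set ... -j DROP` line above it. An address that is not genuine, or a busy NAT or proxy that legitimately exceeds the burst of 200, would then be dropped on every protocol for the set's one-hour timeout. I would guard the drop with an exemption set, e.g. `-A INPUT -m set ! --match-set <ALLOWLIST_SET> src -m set --match-set netwide4 src -j DROP` (set name is a placeholder). Separately, because the DROP line precedes the SET line, packets from a listed source never reach `--exist`, so the timeout is not refreshed while that source keeps sending; if a sliding ban is intended, the order needs revisiting.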
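Review bot: In `50-ipset-v6-filter` the rate is counted per full source address, because `--hashlimit-mode srcip` is used without `--hashlimit-srcmask`, and `SET --add-set netwide6 src` likewise records a single address. On IPv6 one host commonly holds a whole /64, so per-address counting may under-count a single client, and each ban covers one address out of the set's 65536 entries. Adding `--hashlimit-srcmask 64` to the hashlimit match would count the rate per prefix. The SET target still inserts only the matching address, so banning the prefix itself would need a separate step that adds the /64 to the now `hash:net` set.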