Limit echo on a per source basis

author Tom Hughes <tom@compton.nu>

Sat, 4 Mar 2023 15:32:38 +0000 (15:32 +0000)

committer Tom Hughes <tom@compton.nu>

Sat, 4 Mar 2023 15:32:38 +0000 (15:32 +0000)
author Tom Hughes <tom@compton.nu>
Sat, 4 Mar 2023 15:32:38 +0000 (15:32 +0000)
committer Tom Hughes <tom@compton.nu>
Sat, 4 Mar 2023 15:32:38 +0000 (15:32 +0000)
diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb

index 63bcb908bb0746f9962f1a319cf60880e5ede675..13e070569bb0681ccabb8d133511259b79cdb30f 100644 (file)
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -30,6 +30,16 @@ table inet filter {
      flags dynamic
    }
  
+  set limit-icmp-echo-ip {
+    type ipv4_addr
+    flags dynamic
+  }
+
+  set limit-icmp-echo-ip6 {
+    type ipv6_addr
+    flags dynamic
+  }
+
  <%- node[:networking][:firewall][:sets].each do |set| %>
    set <%= set %> {
  <%- if set.end_with?("-ip") %>
@@ -61,11 +71,11 @@ table inet filter {
      ct state { established, related } accept
  
      icmp type { destination-unreachable } accept
-    icmp type { echo-request } limit rate 1/second accept
+    icmp type { echo-request } add @limit-icmp-echo-ip { ip saddr limit rate 1/second } accept
      icmp type { echo-request } drop
  
      icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept
-    icmpv6 type { echo-request } limit rate 1/second accept
+    icmpv6 type { echo-request } add @limit-icmp-echo-ip6 { ip6 saddr limit rate 1/second } accept
      icmpv6 type { echo-request } drop
  
      meta l4proto { icmp, icmpv6 } jump log-and-drop
author	Tom Hughes <tom@compton.nu>
	Sat, 4 Mar 2023 15:32:38 +0000 (15:32 +0000)
committer	Tom Hughes <tom@compton.nu>
	Sat, 4 Mar 2023 15:32:38 +0000 (15:32 +0000)