Fix icmp echo rate limiting

author Tom Hughes <tom@compton.nu>

Tue, 7 Mar 2023 20:27:37 +0000 (20:27 +0000)

committer Tom Hughes <tom@compton.nu>

Tue, 7 Mar 2023 20:27:37 +0000 (20:27 +0000)
author Tom Hughes <tom@compton.nu>
Tue, 7 Mar 2023 20:27:37 +0000 (20:27 +0000)
committer Tom Hughes <tom@compton.nu>
Tue, 7 Mar 2023 20:27:37 +0000 (20:27 +0000)
diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb

index cc3cd8f7fe69465d0e208643793f00cb1d0f9384..f1773f384826a905e83dbf91f17b001d7f725d70 100644 (file)
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -86,9 +86,6 @@ table inet chef-filter {
      ip saddr @ip-blocklist jump log-and-drop
      ip6 saddr @ip6-blocklist jump log-and-drop
  
-    ct state { established, related } accept
-
-    icmp type { destination-unreachable } accept
      icmp type { echo-request } update @ratelimit-icmp-echo-ip { ip saddr limit rate 1/second } accept
      icmp type { echo-request } drop
  
@@ -96,6 +93,8 @@ table inet chef-filter {
      icmpv6 type { echo-request } update @ratelimit-icmp-echo-ip6 { ip6 saddr limit rate 1/second } accept
      icmpv6 type { echo-request } drop
  
+    ct state { established, related } accept
+
      meta l4proto { icmp, icmpv6 } jump log-and-drop
  
      tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg jump log-and-drop
author	Tom Hughes <tom@compton.nu>
	Tue, 7 Mar 2023 20:27:37 +0000 (20:27 +0000)
committer	Tom Hughes <tom@compton.nu>
	Tue, 7 Mar 2023 20:27:37 +0000 (20:27 +0000)