diff options
| author | Devin Bayer <dev@doubly.so> | 2020-10-01 11:30:27 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-10-01 14:25:24 +0200 |
| commit | 129f9d153279cd0fdb723fcff7d61879baa31f46 (patch) | |
| tree | c162b9a00e844731724e89813c509c263b240ea8 /doc/statements.txt | |
| parent | 702ac2b72c0e8fb570ef30dd942472bf5d4146b8 (diff) | |
nft: migrate man page examples with `meter` directive to sets
this updates the two examples in the man page that use the obsolete `meter` to
use sets. I also fixed a bit of formatting for the conntrack expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc/statements.txt')
| -rw-r--r-- | doc/statements.txt | 29 |
1 files changed, 19 insertions, 10 deletions
diff --git a/doc/statements.txt b/doc/statements.txt index 9155f286..beebba16 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@ -704,8 +704,17 @@ blacklists. .Example for simple blacklist ----------------------------- -# declare a set, bound to table "filter", in family "ip". Timeout and size are mandatory because we will add elements from packet path. -nft add set ip filter blackhole "{ type ipv4_addr; flags timeout; size 65536; }" +# declare a set, bound to table "filter", in family "ip". +# Timeout and size are mandatory because we will add elements from packet path. +# Entries will timeout after one minute, after which they might be +# re-added if limit condition persists. +nft add set ip filter blackhole \ + "{ type ipv4_addr; flags dynamic; timeout 1m; size 65536; }" + +# declare a set to store the limit per saddr. +# This must be separate from blackhole since the timeout is different +nft add set ip filter flood \ + "{ type ipv4_addr; flags dynamic; timeout 10s; size 128000; }" # whitelist internal interface. nft add rule ip filter input meta iifname "internal" accept @@ -713,17 +722,17 @@ nft add rule ip filter input meta iifname "internal" accept # drop packets coming from blacklisted ip addresses. nft add rule ip filter input ip saddr @blackhole counter drop -# add source ip addresses to the blacklist if more than 10 tcp connection requests occurred per second and ip address. -# entries will timeout after one minute, after which they might be re-added if limit condition persists. -nft add rule ip filter input tcp flags syn tcp dport ssh meter flood size 128000 { ip saddr timeout 10s limit rate over 10/second} add @blackhole { ip saddr timeout 1m } drop +# add source ip addresses to the blacklist if more than 10 tcp connection +# requests occurred per second and ip address. +nft add rule ip filter input tcp flags syn tcp dport ssh \ + add @flood { ip saddr limit rate over 10/second } \ + add @blackhole { ip saddr } drop -# inspect state of the rate limit meter: -nft list meter ip filter flood - -# inspect content of blackhole: +# inspect state of the sets. +nft list set ip filter flood nft list set ip filter blackhole -# manually add two addresses to the set: +# manually add two addresses to the blackhole. nft add element filter blackhole { 10.2.3.4, 10.23.1.42 } ----------------------------------------------- |