Don't expire connection limit sets

[chef.git] / cookbooks / networking / templates / default / nftables.conf.erb

diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index 140510c36dba624ea1024ade4d83f7b3508fe8d4..7fc46cff29896c7045b03d83699763d12b786650 100644 (file)
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -35,11 +35,13 @@ table inet filter {
   set ratelimit-icmp-echo-ip {
     type ipv4_addr
     flags dynamic
+    timeout 120s
   }
 
   set ratelimit-icmp-echo-ip6 {
     type ipv6_addr
     flags dynamic
+    timeout 120s
   }
 
 <%- node[:networking][:firewall][:sets].each do |set| %>
@@ -50,6 +52,9 @@ table inet filter {
     type ipv6_addr
 <%- end %>
     flags dynamic
+<%- unless set.start_with?("connlimit-") %>
+    timeout 120s
+<%- end %>
   }
 
 <%- end %>
@@ -77,11 +82,11 @@ table inet filter {
     ct state { established, related } accept
 
     icmp type { destination-unreachable } accept
-    icmp type { echo-request } add @ratelimit-icmp-echo-ip { ip saddr limit rate 1/second } accept
+    icmp type { echo-request } update @ratelimit-icmp-echo-ip { ip saddr limit rate 1/second } accept
     icmp type { echo-request } drop
 
     icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept
-    icmpv6 type { echo-request } add @ratelimit-icmp-echo-ip6 { ip6 saddr limit rate 1/second } accept
+    icmpv6 type { echo-request } update @ratelimit-icmp-echo-ip6 { ip6 saddr limit rate 1/second } accept
     icmpv6 type { echo-request } drop
 
     meta l4proto { icmp, icmpv6 } jump log-and-drop