]> git.openstreetmap.org Git - chef.git/commitdiff
projects / chef.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c36f915)
Don't log rate limited echo request packets
authorTom Hughes <tom@compton.nu>
Sat, 4 Mar 2023 15:16:45 +0000 (15:16 +0000)
committerTom Hughes <tom@compton.nu>
Sat, 4 Mar 2023 15:20:18 +0000 (15:20 +0000)
cookbooks/networking/templates/default/nftables.conf.erb patch | blob | history

diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index 7f0b1e17e6bb68135d73ce48bc4d80c9a068de20..cb9891624da3f35e36f13790b7aa365cce3fa589 100644 (file)
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -61,10 +61,12 @@ table inet filter {
     ct state { established, related } accept
 
     icmp type { destination-unreachable } accept
     ct state { established, related } accept
 
     icmp type { destination-unreachable } accept
-    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept
-
     icmp type { echo-request } limit rate 1/second accept
     icmp type { echo-request } limit rate 1/second accept
+    icmp type { echo-request } drop
+
+    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept
     icmpv6 type { echo-request } limit rate 1/second accept
     icmpv6 type { echo-request } limit rate 1/second accept
+    icmpv6 type { echo-request } drop
 
     meta l4proto { icmp, icmpv6 } jump log-and-drop
 
 
     meta l4proto { icmp, icmpv6 } jump log-and-drop
 
Chef configuration management public repo for configuring & maintaining the OpenStreetMap servers.