From a831a0ea78e0711a697f2fc18c25aef3e5a63c79 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Sun, 5 Mar 2023 17:28:14 +0000 Subject: [PATCH 1/1] Enable rate limits --- .../networking/resources/firewall_rule.rb | 18 +++++++++--------- .../templates/default/nftables.conf.erb | 8 ++++---- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb index 665c0cb84..218a6b5f4 100644 --- a/cookbooks/networking/resources/firewall_rule.rb +++ b/cookbooks/networking/resources/firewall_rule.rb @@ -141,15 +141,15 @@ action_class do rule << "add @#{set} { #{ip} saddr ct count #{new_resource.connection_limit} }" end - # if new_resource.rate_limit =~ %r{^s:(\d+)/sec:(\d+)$} - # set = "#{new_resource.rule}-#{ip}" - # rate = Regexp.last_match(1) - # burst = Regexp.last_match(2) - # - # node.default[:networking][:firewall][:sets] << set - # - # rule << "add @#{set} { #{ip} saddr limit rate #{rate}/second burst #{burst} packets }" - # end + if new_resource.rate_limit =~ %r{^s:(\d+)/sec:(\d+)$} + set = "ratelimit-#{new_resource.rule}-#{ip}" + rate = Regexp.last_match(1) + burst = Regexp.last_match(2) + + node.default[:networking][:firewall][:sets] << set + + rule << "add @#{set} { #{ip} saddr limit rate #{rate}/second burst #{burst} packets }" + end rule << case action when :accept then "accept" diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb index 2545c97c8..140510c36 100644 --- a/cookbooks/networking/templates/default/nftables.conf.erb +++ b/cookbooks/networking/templates/default/nftables.conf.erb @@ -32,12 +32,12 @@ table inet filter { flags dynamic } - set limit-icmp-echo-ip { + set ratelimit-icmp-echo-ip { type ipv4_addr flags dynamic } - set limit-icmp-echo-ip6 { + set ratelimit-icmp-echo-ip6 { type ipv6_addr flags dynamic } @@ -77,11 +77,11 @@ table inet filter { ct state { established, related } accept icmp type { destination-unreachable } accept - icmp type { echo-request } add @limit-icmp-echo-ip { ip saddr limit rate 1/second } accept + icmp type { echo-request } add @ratelimit-icmp-echo-ip { ip saddr limit rate 1/second } accept icmp type { echo-request } drop icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept - icmpv6 type { echo-request } add @limit-icmp-echo-ip6 { ip6 saddr limit rate 1/second } accept + icmpv6 type { echo-request } add @ratelimit-icmp-echo-ip6 { ip6 saddr limit rate 1/second } accept icmpv6 type { echo-request } drop meta l4proto { icmp, icmpv6 } jump log-and-drop -- 2.39.5