* limit usage
@ 2022-06-28 11:26 Ignacio Freyre
From: Ignacio Freyre @ 2022-06-28 11:26 UTC (permalink / raw)
  To: netfilter

Hi guys, I'm hoping you can clarify nftables' usage of the kernel's conntrack.

I've been having some DDoS attacks on my DNS servers, so I used the notrack flag to avoid filling the conntrack table, like so:

> add table ip raw
> add chain ip raw PREROUTING { type filter hook prerouting priority -300; policy accept; }
> add rule ip raw PREROUTING iif eno1 ip protocol {tcp, udp} th dport 53 counter notrack

But then I thought of also rate limiting by IPv4 source address. I was wondering if you could clarify, in the case of the "limit" functionality, whether nftables is using the conntrack table or its own memory for the following config, for the purpose of tracking the number of packets that have already arrived on the interface by source IP.

> add set my_filter_table dns_meter { type ipv4_addr . inet_service; flags timeout, dynamic; }
> add rule my_filter_table my_input_chain tcp dport 53 ct state new add @dns_meter { ip saddr . tcp dport timeout 60s limit rate 20/second } accept
