firewall: show how to ratelimit icmp6 to 5% of available bandwidth
It's a little clunky as yet: it requires setting properties.bandwidth on the interface service.
parent
b1bf13bb01
commit
1a6160bcab
@ -44,10 +44,37 @@ let
|
||||
end
|
||||
}}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
rateHook =
|
||||
let rules =
|
||||
map
|
||||
(x: ''
|
||||
{{;
|
||||
local s = "${x}";
|
||||
local n = output(s, "ifname");
|
||||
local bw = output(s, "bandwidth");
|
||||
if n and bw then
|
||||
return "meta l4proto icmpv6 iifname ".. n .. " limit rate over " .. (math.floor (tonumber(bw) / 20)) .. " bytes/second drop"
|
||||
else
|
||||
return "# " .. (n or "not n") .. " " .. (bw or "not bw")
|
||||
end
|
||||
}}
|
||||
'')
|
||||
(concatLists (builtins.attrValues zones));
|
||||
in {
|
||||
type = "filter"; family = "ip6";
|
||||
hook = "input"; priority = "-1"; policy = "accept";
|
||||
inherit rules;
|
||||
};
|
||||
|
||||
sets = (mapAttrs' (n: _: mkSet "ip" n) zones) //
|
||||
(mapAttrs' (n: _: mkSet "ip6" n) zones);
|
||||
allRules = lib.recursiveUpdate extraRules (lib.recursiveUpdate sets rules);
|
||||
allRules =
|
||||
{ icmp6-ratehook = rateHook; } //
|
||||
(lib.recursiveUpdate
|
||||
extraRules
|
||||
(lib.recursiveUpdate sets rules));
|
||||
script = firewallgen "firewall1.nft" allRules;
|
||||
watchArg = z: intfs: map (i: "${z}:${i}") intfs;
|
||||
name = "firewall";
|
||||
|
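Review bot: The rule string built at `return "meta l4proto icmpv6 iifname " .. n ..` puts every ICMPv6 type into a single `limit rate over` bucket, so an echo-request flood that exhausts the 5% budget also drops Neighbor Discovery and Packet-Too-Big messages arriving on that interface, which can take the link's IPv6 connectivity down rather than protect it (RFC 4890 advises against rate-limiting NDP on the local link). Consider exempting those types, e.g. `return "meta l4proto icmpv6 icmpv6 type != { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, packet-too-big } iifname " .. n .. " limit rate over " .. math.floor(rate / 20) .. " bytes/second drop"`. The guard `if n and bw then` only checks presence: a non-numeric `bandwidth` makes `tonumber(bw)` return nil and the division raise while the ruleset is generated, and a zero value emits `limit rate over 0 bytes/second`, so validate first with `local rate = tonumber(bw)` and `if n and rate and rate > 0 then`. Note also that when either value is missing the function emits only a `#` comment, so the limiter is silently absent (fail-open) rather than an error. The enclosing `let` starts before this hunk.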
@ -115,6 +115,7 @@ let
|
||||
${command}
|
||||
'';
|
||||
notification-fd = 10;
|
||||
# properties.bandwidth = 3 * 1000 * 1000;
|
||||
timeout-up =
|
||||
if lcpEcho.failure != null then (10 + lcpEcho.failure * lcpEcho.interval) * 1000 else 60 * 1000;
|
||||
inherit dependencies;
|
||||
|
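Review bot: The commented-out example `# properties.bandwidth = 3 * 1000 * 1000;` gives no unit, and `3 * 1000 * 1000` reads naturally as 3 Mbit/s, whereas the firewall rate hook in this commit divides the value by 20 and emits it as `bytes/second`, so a reader who sets it in bits would get a limit eight times too generous. I would spell that out in the comment: `# bytes/second; the firewall's icmp6 rate hook drops ICMPv6 above 5% of this (e.g. 3 * 1000 * 1000 = 3 MB/s)`. The service definition this line belongs to starts and ends outside the hunk.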
@ -25,7 +25,10 @@
|
||||
myenv {
|
||||
: string
|
||||
: table
|
||||
: math
|
||||
: ipairs
|
||||
: tonumber
|
||||
|
||||
:output
|
||||
(fn [service-path path default]
|
||||
(let [s (assert (svc.open service-path))]
|
||||
|
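Review bot: The `myenv` table gains `: math` and `: tonumber` with no comment saying what needs them; this table looks like the allow-listed environment handed to the embedded rule snippets (inferred — confirm), and the only visible consumer is the icmp6 rate hook's `math.floor`/`tonumber` call in the firewall module. A one-line comment such as `;; math and tonumber are used by the firewall's icmp6 rate hook` would keep the allow-list auditable and make it clear these were added deliberately rather than being a general widening of the sandbox. The `myenv` form continues past the end of this hunk.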