diff --git a/modules/firewall/service.nix b/modules/firewall/service.nix
index 59066a9..25a76a4 100644
--- a/modules/firewall/service.nix
+++ b/modules/firewall/service.nix
@@ -44,10 +44,37 @@ let
 end
 }}
 '';
- };
+ };
+
+ rateHook =
+ let rules =
+ map
+ (x: ''
+ {{;
+ local s = "${x}";
+ local n = output(s, "ifname");
+ local bw = output(s, "bandwidth");
+ if n and bw then
+ return "meta l4proto icmpv6 iifname ".. n .. " limit rate over " .. (math.floor (tonumber(bw) / 20)) .. " bytes/second drop"
+ else
+ return "# " .. (n or "not n") .. " " .. (bw or "not bw")
+ end
+ }}
+ '')
+ (concatLists (builtins.attrValues zones));
+ in {
+ type = "filter"; family = "ip6";
+ hook = "input"; priority = "-1"; policy = "accept";
+ inherit rules;
+ };
+ sets = (mapAttrs' (n: _: mkSet "ip" n) zones) // (mapAttrs' (n: _: mkSet "ip6" n) zones);
- allRules = lib.recursiveUpdate extraRules (lib.recursiveUpdate sets rules);
+ allRules =
+ { icmp6-ratehook = rateHook; } //
+ (lib.recursiveUpdate
+ extraRules
+ (lib.recursiveUpdate sets rules));
 script = firewallgen "firewall1.nft" allRules;
 watchArg = z: intfs: map (i: "${z}:${i}") intfs;
 name = "firewall";
diff --git a/modules/ppp/common.nix b/modules/ppp/common.nix
index 8220ab0..63cf78b 100644
--- a/modules/ppp/common.nix
+++ b/modules/ppp/common.nix
@@ -115,6 +115,7 @@ let
 ${command}
 '';
 notification-fd = 10;
+# properties.bandwidth = 3 * 1000 * 1000;
 timeout-up = if lcpEcho.failure != null then (10 + lcpEcho.failure * lcpEcho.interval) * 1000 else 60 * 1000;
 inherit dependencies;
diff --git a/pkgs/output-template/output-template.fnl b/pkgs/output-template/output-template.fnl
index 3ec6157..a2e1339 100644
--- a/pkgs/output-template/output-template.fnl
+++ b/pkgs/output-template/output-template.fnl
@@ -25,7 +25,10 @@ myenv
 {
 : string
 : table
+ : math
 : ipairs
+ : tonumber
+ :output (fn [service-path path default]
 (let [s (assert (svc.open service-path))]
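Review bot: In the `rateHook` rule template, `tonumber(bw)` is nil whenever the service's `bandwidth` output exists but is not numeric, and the `if n and bw then` guard only checks for presence, so the `/ 20` raises a Lua error at template-expansion time and the whole `firewall1.nft` fails to generate instead of just skipping that interface. The runtime-read `ifname` is also spliced into the nft rule unquoted, so any whitespace or nft-special character in it breaks the rule text. I would convert first and guard on the number, quote the interface name, and avoid emitting a zero rate for tiny bandwidths: `local rate = tonumber(bw);`, `if n and rate and rate > 0 then`, `return "meta l4proto icmpv6 iifname \"" .. n .. "\" limit rate over " .. math.max(1, math.floor(rate / 20)) .. " bytes/second drop"`. Separately, in `allRules` the right operand of `//` wins, so a user chain in `extraRules` named `icmp6-ratehook` silently replaces the generated one; swap the operands if the built-in chain is meant to be authoritative. The enclosing `let` starts and ends outside the hunk.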
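Review bot: The added line `# properties.bandwidth = 3 * 1000 * 1000;` in modules/ppp/common.nix is commented-out configuration at column 0 inside the service attribute set, which leaves readers unsure whether `bandwidth` is a supported property that the new ICMPv6 rate hook can rely on. Either drop the line or turn it into a real, documented module option (for example a nullable `bandwidth` option that is only emitted into `properties` when set), since the firewall change in this same commit reads that value at runtime. The enclosing attribute set starts and ends outside the hunk.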