firewall: show how to ratelimit icmp6 to 5% of available bandwidth
It's a little clunky as yet: it requires setting properties.bandwidth on the interface service.
This commit is contained in:
parent
b1bf13bb01
commit
1a6160bcab
@ -44,10 +44,37 @@ let
|
|||||||
end
|
end
|
||||||
}}
|
}}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
rateHook =
|
||||||
|
let rules =
|
||||||
|
map
|
||||||
|
(x: ''
|
||||||
|
{{;
|
||||||
|
local s = "${x}";
|
||||||
|
local n = output(s, "ifname");
|
||||||
|
local bw = output(s, "bandwidth");
|
||||||
|
if n and bw then
|
||||||
|
return "meta l4proto icmpv6 iifname ".. n .. " limit rate over " .. (math.floor (tonumber(bw) / 20)) .. " bytes/second drop"
|
||||||
|
else
|
||||||
|
return "# " .. (n or "not n") .. " " .. (bw or "not bw")
|
||||||
|
end
|
||||||
|
}}
|
||||||
|
'')
|
||||||
|
(concatLists (builtins.attrValues zones));
|
||||||
|
in {
|
||||||
|
type = "filter"; family = "ip6";
|
||||||
|
hook = "input"; priority = "-1"; policy = "accept";
|
||||||
|
inherit rules;
|
||||||
|
};
|
||||||
|
|
||||||
sets = (mapAttrs' (n: _: mkSet "ip" n) zones) //
|
sets = (mapAttrs' (n: _: mkSet "ip" n) zones) //
|
||||||
(mapAttrs' (n: _: mkSet "ip6" n) zones);
|
(mapAttrs' (n: _: mkSet "ip6" n) zones);
|
||||||
allRules = lib.recursiveUpdate extraRules (lib.recursiveUpdate sets rules);
|
allRules =
|
||||||
|
{ icmp6-ratehook = rateHook; } //
|
||||||
|
(lib.recursiveUpdate
|
||||||
|
extraRules
|
||||||
|
(lib.recursiveUpdate sets rules));
|
||||||
script = firewallgen "firewall1.nft" allRules;
|
script = firewallgen "firewall1.nft" allRules;
|
||||||
watchArg = z: intfs: map (i: "${z}:${i}") intfs;
|
watchArg = z: intfs: map (i: "${z}:${i}") intfs;
|
||||||
name = "firewall";
|
name = "firewall";
|
||||||
|
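Review bot: The `if n and bw then` guard does not cover the case where properties.bandwidth is set but not numeric, so `tonumber(bw)` on the `return` line yields nil and the template raises an arithmetic error instead of taking the fallback branch; convert once and test the converted value, `local rate = tonumber(bw);` / `if n and rate then` / `... " limit rate over " .. math.floor(rate / 20) .. " bytes/second drop"`. The unit of properties.bandwidth is not visible here, and dividing by 20 only gives 5% if the value is already bytes/second — if it is bits/second the limit is 8x looser than intended (divide by 160), so the assumed unit should be stated in a comment next to the rule. The fallback branch emits only an nft comment, which leaves the chain with no rate limit at all under `policy = "accept"`, so it is worth at least warning at generation time rather than only in the generated ruleset. The match is all of icmpv6, so a flood that trips the limit also drops neighbour-discovery and router-advertisement packets on that interface; exempting those icmpv6 types is worth considering. The enclosing `let` starts outside the hunk.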
@ -115,6 +115,7 @@ let
|
|||||||
${command}
|
${command}
|
||||||
'';
|
'';
|
||||||
notification-fd = 10;
|
notification-fd = 10;
|
||||||
|
# properties.bandwidth = 3 * 1000 * 1000;
|
||||||
timeout-up =
|
timeout-up =
|
||||||
if lcpEcho.failure != null then (10 + lcpEcho.failure * lcpEcho.interval) * 1000 else 60 * 1000;
|
if lcpEcho.failure != null then (10 + lcpEcho.failure * lcpEcho.interval) * 1000 else 60 * 1000;
|
||||||
inherit dependencies;
|
inherit dependencies;
|
||||||
|
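Review bot: The commented-out `# properties.bandwidth = 3 * 1000 * 1000;` example gives no unit, while the firewall rateHook divides the value by 20 and labels the result bytes/second; record the unit the consumer assumes next to the example, e.g. `# properties.bandwidth = 3 * 1000 * 1000; # <unit>, consumed by the firewall icmp6 rate limit`, with `<unit>` replaced by whatever rateHook actually expects. The enclosing attribute set starts and ends outside the hunk.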
@ -25,7 +25,10 @@
|
|||||||
myenv {
|
myenv {
|
||||||
: string
|
: string
|
||||||
: table
|
: table
|
||||||
|
: math
|
||||||
: ipairs
|
: ipairs
|
||||||
|
: tonumber
|
||||||
|
|
||||||
:output
|
:output
|
||||||
(fn [service-path path default]
|
(fn [service-path path default]
|
||||||
(let [s (assert (svc.open service-path))]
|
(let [s (assert (svc.open service-path))]
|
||||||
|
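Review bot: The added `: math` exposes the whole shared `math` table by reference to template code, when the only use in this commit is `math.floor`; a template that reassigns a field of that table changes it for the host process as well. If templates are treated as trusted configuration this is low risk, but keeping the evaluation environment minimal is cheap, e.g. `:math {:floor math.floor}` instead of `: math`. `: tonumber` is a plain function and is fine as is. The `myenv` table continues outside the hunk.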