dan/liminix
1
0
Fork 5
Code

rate limit for v4 icmp

Browse Source
This commit is contained in:
Daniel Barlow 2025-03-27 20:21:48 +00:00
parent 89065be6cd
commit dd44fbaec1
1 changed files with 27 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
modules/firewall/service.nix
View File

@ -41,7 +41,7 @@ let
''; '';
}; };
rateHook = rateHook6 =
let rules = let rules =
map map
(x: '' (x: ''
@ -63,10 +63,35 @@ let
inherit rules; inherit rules;
}; };
rateHook4 =
let rules =
map
(x: ''
{{;
local s = "${x}";
local n = output(s, "ifname");
local bw = output(s, "bandwidth");
if n and bw then
return "icmp iifname ".. n .. " limit rate over " .. (math.floor (tonumber(bw) / 8 / 20)) .. " bytes/second drop"
else
return "# " .. (n or "not n") .. " " .. (bw or "not bw")
end
}}
'')
(concatLists (builtins.attrValues zones));
in {
type = "filter"; family = "ip";
hook = "input"; priority = "-1"; policy = "accept";
inherit rules;
};
sets = (mapAttrs' (n: _: mkSet "ip" n) zones) // sets = (mapAttrs' (n: _: mkSet "ip" n) zones) //
(mapAttrs' (n: _: mkSet "ip6" n) zones); (mapAttrs' (n: _: mkSet "ip6" n) zones);
allRules = allRules =
{ icmp6-ratehook = rateHook; } // {
icmp6-ratehook = rateHook6;
icmp4-ratehook = rateHook4;
} //
(lib.recursiveUpdate (lib.recursiveUpdate
extraRules extraRules
(lib.recursiveUpdate sets rules)); (lib.recursiveUpdate sets rules));