simplify rate limited synproxy bypass

2024-04-11 23:02:43 -04:00 · 2024-04-11 23:02:43 -04:00 · c412fec336
parent ca35fcc648
commit c412fec336
9 changed files with 9 additions and 18 deletions
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@ -45,8 +45,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@ -45,8 +45,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@ -45,8 +45,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
+        tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@ -45,8 +45,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-network.conf
+++ b/nftables-network.conf
@ -47,8 +47,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        udp dport 123 notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@ -47,8 +47,7 @@ table inet filter {
        udp dport 53 notrack accept

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
+        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@ -52,8 +52,7 @@ table inet filter {
        udp dport 53 notrack accept

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
+        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-social.conf
+++ b/nftables-social.conf
@ -45,8 +45,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-web.conf
+++ b/nftables-web.conf
@ -49,8 +49,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }