simplify rate limited synproxy bypass

add python-pydantic package for matrix.grapheneos.org
2024-04-11 23:03:13 -04:00 · 2024-04-11 22:45:55 -04:00
9 changed files with 9 additions and 16 deletions
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@ -45,8 +45,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@ -45,8 +45,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@ -45,8 +45,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-network.conf
+++ b/nftables-network.conf
@ -47,8 +47,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        udp dport 123 notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@ -47,8 +47,7 @@ table inet filter {
        udp dport 53 notrack accept

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
+        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@ -52,8 +52,7 @@ table inet filter {
        udp dport 53 notrack accept

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
+        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-social.conf
+++ b/nftables-social.conf
@ -45,8 +45,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/nftables-web.conf
+++ b/nftables-web.conf
@ -49,8 +49,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept

        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
--- a/packages/matrix.grapheneos.org
+++ b/packages/matrix.grapheneos.org
@ -32,6 +32,7 @@ postgresql-old-upgrade
 pv
 python-pip
 python-psycopg2
+python-pydantic
 rsync
 sshpass
 strace
Author	SHA1	Message	Date
Daniel Micay	a30b95f4af	simplify rate limited synproxy bypass	2024-04-11 23:03:13 -04:00
Daniel Micay	ca35fcc648	add python-pydantic package for matrix.grapheneos.org	2024-04-11 22:45:55 -04:00