Connlimits: Difference between revisions

From nftables wiki
Latest revision as of 21:35, 5 July 2021

A connlimit in nftables is written ct count {over} [count]. Unlike other stateful object types, all connlimits are anonymous: each connlimit attaches to, and applies within the context of, a single rule or a single element of a dynamic set or map.

A connlimit ct count {over} [count]:

  1. counts the number of current conntrack connections matching its context;
  2. matches either:
    1. only when conntrack is currently tracking fewer than count matching connections, or
    2. if over is specified, only when conntrack is currently tracking more than count matching connections.

Note: connlimits require at least nftables 0.9.0 and Linux kernel 4.19.10; using connlimits can crash the host when using earlier 4.19.x kernels.

Using connlimits in rules

table inet connlimit_demo {
   chain IN {
      type filter hook input priority filter; policy drop;

      tcp dport 22 ct count 10 accept
   }
}

The above ruleset accepts packets to port tcp/22 (sshd), as long as conntrack is currently tracking no more than 10 such sshd connections. If a new SYN to tcp/22 arrives while conntrack already has 10 such connections, it will be dropped.

Using connlimits in dynamic sets and maps
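As an added example (not from this wiki page), the demo table above is extended with the "over" form, which logs and drops the connection that would exceed the rule-wide limit, and with the per-source-address form that the linked Meters page describes, where each element of a dynamic set carries its own connlimit. The set name, log prefixes and the limits 10 and 3 are choices made for this example.

```nft
table inet connlimit_demo {
   # one element per client address; each element carries its own connlimit
   # (ip saddr keys IPv4 clients only; IPv6 clients are covered by the total limit)
   set ssh_per_src {
      type ipv4_addr
      size 65535
      flags dynamic
   }

   chain IN {
      type filter hook input priority filter; policy drop;

      # packets of connections that were already accepted skip the connlimits
      ct state established,related accept

      # rule-scoped connlimit: with 10 sshd connections tracked, the next new
      # connection makes the count 11, matches "over 10", and is logged and dropped
      tcp dport 22 ct state new ct count over 10 log prefix "sshd-connlimit-total " drop

      # element-scoped connlimit: the 4th concurrent connection from one source
      # address is logged and dropped, independently of every other client
      tcp dport 22 ct state new add @ssh_per_src { ip saddr ct count over 3 } log prefix "sshd-connlimit-src " drop

      tcp dport 22 accept
   }
}
```

The log prefixes make both limits visible in the kernel log, so exhaustion of the total limit can be told apart from a single client hitting its per-source limit.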