Connlimits
Latest revision as of 21:35, 5 July 2021
A connlimit in nftables is written ct count {over} [count], where the keyword over is optional and [count] is the connection threshold. Unlike other stateful object types, all connlimits are anonymous: each connlimit attaches to, and counts only within the context of, a single rule or a single element of a dynamic set or map. Two rules with ct count 10 therefore keep two independent counts.
A connlimit ct count {over} [count]:
- counts the number of conntrack connections currently tracked in its context, including the connection the packet being evaluated belongs to (a new SYN is counted as soon as it is evaluated);
- matches either:
  - without over, only when that count is at most count, or
  - with over, only when that count is greater than count.
ct count [count] and ct count over [count] are exact complements: for any given packet exactly one of them matches, so the first is used with accept and the second with drop or reject.
Note: connlimits require at least nftables 0.9.0 and Linux kernel 4.19.10; using connlimits can crash the host when using earlier 4.19.x kernels.
Using connlimits in rules
table inet connlimit_demo {
    chain IN {
        type filter hook input priority filter; policy drop;
        # anonymous connlimit: counts only the tcp/22 connections seen by this rule
        tcp dport 22 ct count 10 accept
    }
}
The above ruleset accepts packets to port tcp/22 (sshd) as long as conntrack is tracking no more than 10 such sshd connections, the one the packet belongs to included. If a new SYN to tcp/22 arrives while conntrack already has 10 such connections, the connlimit sees 11, the rule does not match, and the chain's drop policy discards the packet; the rule itself never drops anything. Once one of the 10 connections leaves conntrack, the next SYN is accepted again. Note that this limit is global to the rule, not per client: a single source address can occupy all 10 slots and lock everyone else out of sshd. To limit connections per source address (or per any other key), attach the connlimit to an element of a dynamic set or map instead.
Using connlimits in dynamic sets and maps
See Meters#Doing_connlimit_with_nft.
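To make the counting rule concrete, the following Python model replays the decision the kernel's nft_connlimit expression makes for a constructed sequence of SYNs to sshd. It is an added illustration, not code from the nftables project or from this wiki page: it assumes (as the kernel does) that the evaluated packet's own tuple is added to the expression's private list before the count is compared with the limit, that over inverts the comparison, and that a tuple whose conntrack entry disappears (closed connection, or a dropped SYN that was never confirmed) stops being counted. The per-source variant uses the rule form `add @ssh_src { ip saddr ct count over 3 } drop` from the wiki's Meters page; treat the set name and addresses (documentation ranges) as assumptions.

```python
"""Model of how an nftables `ct count {over} N` connlimit decides a match.

Added illustration, not nftables project or wiki code: it mimics the
comparison made by the kernel's nft_connlimit expression on a constructed
sequence of TCP SYNs to port 22. Addresses are from documentation ranges.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class ConnTuple:
    """Original-direction 4-tuple of one tracked TCP connection."""
    saddr: str
    sport: int
    daddr: str
    dport: int


@dataclass
class Connlimit:
    """One anonymous `ct count {over} limit`: it owns its own list of tuples."""
    limit: int
    over: bool = False
    tracked: set = field(default_factory=set)

    def matches(self, t: ConnTuple) -> bool:
        # The tuple of the packet being evaluated is counted too, so a new SYN
        # arriving with `limit` connections already tracked yields limit + 1.
        self.tracked.add(t)
        count = len(self.tracked)
        # plain form: match while count <= limit; `over`: match while count > limit
        return not ((count > self.limit) ^ self.over)

    def untrack(self, t: ConnTuple) -> None:
        # A tuple whose conntrack entry is gone (connection closed, or the SYN
        # was dropped and never confirmed) stops being counted. The kernel does
        # this through conncount garbage collection; modelled here as immediate
        # removal (assumption).
        self.tracked.discard(t)


def syn_to_sshd(saddr: str, sport: int) -> ConnTuple:
    return ConnTuple(saddr, sport, "192.0.2.10", 22)


def global_limit_demo(limit: int = 10) -> List[str]:
    """The page's rule, `tcp dport 22 ct count 10 accept`, in a chain whose
    policy is drop. Returns the verdict for each SYN in order."""
    rule = Connlimit(limit)
    verdicts: List[str] = []
    conns = [syn_to_sshd("198.51.100.1", 40000 + i) for i in range(limit + 2)]
    for c in conns:
        if rule.matches(c):
            verdicts.append("accept")
        else:
            verdicts.append("drop")      # the chain policy, not the rule, drops it
            rule.untrack(c)              # dropped SYN never becomes a confirmed entry
    rule.untrack(conns[0])               # one accepted connection closes ...
    verdicts.append("accept" if rule.matches(syn_to_sshd("198.51.100.1", 50000)) else "drop")
    return verdicts                      # ... so the next SYN fits again


def per_source_demo(limit: int = 3) -> Dict[str, List[str]]:
    """Per-source variant: one connlimit per element of a dynamic set keyed by
    ip saddr (assumed rule form, as on the nftables wiki's Meters page:
    `tcp dport 22 ct state new add @ssh_src { ip saddr ct count over 3 } drop`
    followed by `tcp dport 22 accept`)."""
    per_src: Dict[str, Connlimit] = {}
    verdicts: Dict[str, List[str]] = {}
    for saddr, n in (("198.51.100.1", 5), ("203.0.113.7", 2)):
        for i in range(n):
            t = syn_to_sshd(saddr, 40000 + i)
            element = per_src.setdefault(saddr, Connlimit(limit, over=True))
            if element.matches(t):       # over the limit: the drop statement fires
                element.untrack(t)
                verdicts.setdefault(saddr, []).append("drop")
            else:                        # not over: falls through to the accept rule
                verdicts.setdefault(saddr, []).append("accept")
    return verdicts


if __name__ == "__main__":
    print(global_limit_demo())
    print(per_source_demo())
```

The global demo shows the off-by-one that matters in practice: with ct count 10 the 10th connection is accepted and the 11th is dropped, because the SYN under evaluation is already part of the count. The per-source demo shows why the over form pairs with drop: a client that opens a 4th connection is refused while an unrelated client is untouched, which the single global rule on this page cannot do.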