Connlimits

From nftables wiki
Revision as of 21:29, 5 July 2021 by Pablo (Using connlimits in dynamic sets and maps: add example and caveats)

A connlimit in nftables is written ct count {over} [count]. Unlike other stateful object types, all connlimits are anonymous: each connlimit attaches to and applies within the context of a single rule or single element of a dynamic set or map.

A connlimit ct count {over} [count]:

  1. counts the number of current conntrack connections matching its context;
  2. matches either:
    1. only when conntrack is currently tracking fewer than count matching connections, or
    2. if over is specified, only when conntrack is currently tracking more than count matching connections.

Note: connlimits require at least nftables 0.9.0 and Linux kernel 4.19.10; using connlimits can crash the host when using earlier 4.19.x kernels.

Using connlimits in rules

table inet connlimit_demo {
   chain IN {
      type filter hook input priority filter; policy drop;

      tcp dport 22 ct count 10 accept
   }
}

The above ruleset accepts packets to port tcp/22 (sshd), as long as conntrack is currently tracking no more than 10 such sshd connections. If a new SYN to tcp/22 arrives while conntrack already has 10 such connections, it will be dropped.

Using connlimits in dynamic sets and maps

You can also use connlimit in dynamic sets. This provides a scalable way to define a connlimit per set element.

The following example shows how to allow up to 2 simultaneous connections to your host from one IP address.

table ip filter {
        set connlimit {
                type ipv4_addr
                flags dynamic
        }

        chain input {
                type filter hook input priority filter; policy accept;
                ct state new add @connlimit { ip saddr ct count over 2 } counter packets 6 bytes 504 drop
        }
}

Caveats:

  • Do not define a set with a timeout. A garbage collector removes a set element whenever its ct count drops to zero, to save memory.
  • For the same reason, you cannot use the update set statement, which lets you refresh the timeout of a set element. Therefore, the ct count statement can only be used with the add set statement.

If you define a set with a timeout or you use the update set statement, then you will hit the "Operation is not supported" error.
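The following ruleset is an added example, not from the wiki, that combines both forms above in one inet table: per-source limits through dynamic sets (one for IPv4, one for IPv6), with a log prefix so rejected attempts are visible in the kernel log, plus a global ct count on the same service. The port, limits and table name are assumed for illustration; the sets have no timeout, per the caveats.

```nft
table inet ssh_connlimit {
    # Per-source tracking, keyed by source address. No timeout: the
    # connlimit garbage collector removes an element once its count is 0.
    set ssh_v4 {
        type ipv4_addr
        flags dynamic
    }
    set ssh_v6 {
        type ipv6_addr
        flags dynamic
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept

        # Per-source limit (assumed value 3): a new SSH connection from an
        # address that already has 3 tracked SSH connections is logged and dropped.
        tcp dport 22 ct state new add @ssh_v4 { ip saddr ct count over 3 } log prefix "ssh-connlimit-v4: " drop
        tcp dport 22 ct state new add @ssh_v6 { ip6 saddr ct count over 3 } log prefix "ssh-connlimit-v6: " drop

        # Global limit (assumed value 50) across all sources; beyond it the
        # rule does not match and the chain policy drops the new connection.
        tcp dport 22 ct count 50 accept
    }
}
```

Load it with `nft -f` (check syntax first with `nft -c -f`) and watch for the `ssh-connlimit-` prefix in the kernel log to see which sources are hitting the per-address cap.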