Difference between revisions of "Limits"

From nftables wiki
(Initial stub page for named limits.)
(→Declaring and using named limits: Add optional text comment attribute.)
Latest revision as of 18:46, 1 November 2021

A limit uses a token bucket filter to match packets:

  • only until its rate is exceeded; or
  • only after its rate is exceeded, if defined as an over limit.


Anonymous limits

Named limits

Declaring and using named limits

table inet limit_demo {

   # per-packet limit: matches while the rate stays at or below 400 packets/minute
   limit lim_400ppm { rate 400/minute ; comment "use to limit incoming icmp" ; }
   # per-byte limit: matches while the rate stays at or below 1024 bytes/second,
   # allowing a burst of 512 bytes above that (no "over": the verdict is accept)
   limit lim_1kbps  { rate 1024 bytes/second burst 512 bytes ; comment "use to limit incoming smtp" ; }

   chain IN {
      type filter hook input priority filter; policy drop;

      meta l4proto icmp limit name "lim_400ppm" accept
      tcp dport 25 limit name "lim_1kbps" accept
   }
}

The above ruleset defines a per-packet named limit lim_400ppm and a per-byte named limit lim_1kbps. The rules in input chain IN use these named limits to:

  • Accept icmp packets, of all icmp types, up to a maximum rate of 400 packets / minute.
  • Accept traffic to port tcp/25 (smtp), up to a maximum rate of 1024 bytes / second, plus a burst of up to 512 bytes above that rate.
  • Drop all other traffic, including packets that exceed either limit (the chain policy is drop).

Note that a limit declared with rate over inverts the match: it matches only the packets that exceed the rate. Combining an over limit with accept would therefore accept only the excess traffic and leave everything under the rate to the drop policy. Use rate over together with a drop (or reject) verdict, and rate without over together with accept.

A named limit is a single stateful object: every rule that references it charges the same token bucket, so two rules using lim_400ppm share one 400 packets / minute budget.

The optional comment attribute requires at least nftables 0.9.7 and kernel 5.10.
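To make the rate, burst and over semantics concrete, the following Python token-bucket simulation is added here as an illustration; it is example code written for this page, not part of nftables. It assumes a simplified bucket whose depth equals the declared burst (the kernel also pre-credits the bucket, so exact counts on a live system differ), assumes a burst of 5 packets for lim_400ppm (the page's declaration gives none), and replays constructed packet arrival times. parse_rate, Limit, run and demo are names chosen for this example.

```python
"""Token-bucket model of the nftables limit statement (added example, not nft code).

Assumption: bucket depth == declared burst. The real kernel bucket is credited
differently, so this reproduces the meaning of rate, burst, packet vs byte
cost and the inverting effect of "over", not exact live match counts.
"""
from dataclasses import dataclass, field

_TIME_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}
_BYTE_UNITS = {"bytes": 1, "kbytes": 1024, "mbytes": 1024 ** 2}


def parse_rate(spec: str) -> float:
    """Convert an nft rate such as '400/minute' or '1024 bytes/second'
    into tokens (packets or bytes) per second."""
    amount, _, unit = spec.partition("/")
    parts = amount.split()
    value = float(parts[0])
    if len(parts) == 2:                      # byte rate, e.g. "1 kbytes"
        value *= _BYTE_UNITS[parts[1]]
    return value / _TIME_UNITS[unit.strip()]


@dataclass
class Limit:
    rate: float          # tokens per second (from parse_rate)
    burst: float         # bucket depth in packets or bytes (simplification)
    over: bool = False   # True models "rate over": match once exceeded
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.burst             # bucket starts full

    def matches(self, now: float, cost: float = 1.0) -> bool:
        """Charge `cost` tokens (1 per packet, or the packet length for a byte
        limit) at time `now` and report whether the limit statement matches."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return not self.over             # within rate: plain limit matches
        return self.over                     # rate exceeded: only an over limit matches


def run(limit: Limit, arrivals) -> list:
    """arrivals: iterable of (time_in_seconds, cost) in arrival order."""
    return [limit.matches(t, c) for t, c in arrivals]


def demo() -> dict:
    """Replay constructed traffic against the page's two limits."""
    # lim_400ppm: 400 packets/minute; burst 5 packets is an assumed value here.
    icmp = Limit(parse_rate("400/minute"), burst=5)
    icmp_flood = [(i / 100, 1) for i in range(10)]          # 10 pkts in 100 ms (constructed)
    # lim_1kbps: 1024 bytes/second, burst 512 bytes, as declared on the page.
    smtp_rate = parse_rate("1024 bytes/second")
    smtp_burst = [(i / 1000, 128) for i in range(10)]       # 1280 B in 10 ms (constructed)
    smtp_steady = [(i * 0.2, 128) for i in range(10)]       # 640 B/s, under rate (constructed)
    return {
        "icmp_flood_accepted": sum(run(icmp, icmp_flood)),
        "smtp_burst_accepted": sum(run(Limit(smtp_rate, 512), smtp_burst)),
        # Same bucket with "over": matches exactly the packets the plain limit
        # rejects, which is why "rate over ... accept" passes only the excess.
        "smtp_burst_over_matched": sum(run(Limit(smtp_rate, 512, over=True), smtp_burst)),
        "smtp_steady_accepted": sum(run(Limit(smtp_rate, 512), smtp_steady)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the plain byte limit and its over variant partitioning the same burst between them: whatever the plain limit accepts, the over limit rejects, and vice versa. That complement is the whole difference between rate and rate over, and it is why the verdict attached to an over limit is normally drop.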

Listing named limits

nft list limit and nft list limits return the named limit declaration(s). In the commands below the bracketed words are placeholders for the family, table and limit names, not optional arguments.

  • List a particular limit:
% nft list limit [family] [table_name] [limit_name]
  • List all limits in a particular table:
% nft list limits table [family] [table_name]
  • List all limits in the ruleset:
% nft list limits