nftables: fix jinja2 indent
parent
385332e312
commit
583f8ee265
|
@ -84,32 +84,32 @@ table inet filter {
|
|||
ip6 saddr @blackhole6 counter drop
|
||||
|
||||
# Drop future attempts on opened ports if there are already 3 established connections
|
||||
{% if opened_ports.tcp is sequence and opened_ports.tcp | length > 0 -%}
|
||||
{% if opened_ports.tcp is sequence and opened_ports.tcp | length > 0 %}
|
||||
tcp dport { {{ opened_ports.tcp | join(', ') }} } ct state new \
|
||||
add @connlimit { ip saddr ct count over 3 } drop
|
||||
tcp dport { {{ opened_ports.tcp | join(', ') }} } ct state new \
|
||||
add @connlimit6 { ip6 saddr ct count over 3 } drop
|
||||
{% endif -%}
|
||||
{% if opened_ports.udp is sequence and opened_ports.udp | length > 0 -%}
|
||||
{% endif %}
|
||||
{% if opened_ports.udp is sequence and opened_ports.udp | length > 0 %}
|
||||
udp dport { {{ opened_ports.udp | join(', ') }} } ct state new \
|
||||
add @connlimit { ip saddr ct count over 3 } drop
|
||||
udp dport { {{ opened_ports.udp | join(', ') }} } ct state new \
|
||||
add @connlimit6 { ip6 saddr ct count over 3 } drop
|
||||
{% endif -%}
|
||||
{% endif %}
|
||||
|
||||
# Allow opened ports but also dynamically add them to the blacklist
|
||||
{% if opened_ports.tcp is sequence and opened_ports.tcp | length > 0 -%}
|
||||
{% if opened_ports.tcp is sequence and opened_ports.tcp | length > 0 %}
|
||||
tcp dport { {{ opened_ports.tcp | join(', ') }} } ct state new \
|
||||
add @blackhole { ip saddr timeout 60s limit rate 10/second } accept
|
||||
tcp dport { {{ opened_ports.tcp | join(', ') }} } ct state new \
|
||||
add @blackhole6 { ip6 saddr timeout 60s limit rate 10/second } accept
|
||||
{% endif -%}
|
||||
{% if opened_ports.udp is sequence and opened_ports.udp | length > 0 -%}
|
||||
{% endif %}
|
||||
{% if opened_ports.udp is sequence and opened_ports.udp | length > 0 %}
|
||||
udp dport { {{ opened_ports.udp | join(', ') }} } ct state new \
|
||||
add @blackhole { ip saddr timeout 60s limit rate 10/second } accept
|
||||
udp dport { {{ opened_ports.udp | join(', ') }} } ct state new \
|
||||
add @blackhole6 { ip6 saddr timeout 60s limit rate 10/second } accept
|
||||
{% endif -%}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
chain forward {
|
||||
|
|