fix(BOUN-1001): rollback nftables counters

dfinity · Jan 16, 2024 · 96b16d0 · 96b16d0
1 parent bdc3d5e
commit 96b16d0
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 72 deletions.
diff --git a/ic-os/boundary-guestos/rootfs/etc/nftables.conf b/ic-os/boundary-guestos/rootfs/etc/nftables.conf
@@ -64,36 +64,6 @@ define ipv6_socks_saddr_ips = {
 }
 
 table ip filter {
-  set connection_limit_200 {
-    type ipv4_addr
-    size 256000
-    flags dynamic
-  }
-
-  set connection_limit_100 {
-    type ipv4_addr
-    size 256000
-    flags dynamic
-  }
-
-  set connection_limit_50 {
-    type ipv4_addr
-    size 256000
-    flags dynamic
-  }
-
-  set connection_limit_30 {
-    type ipv4_addr
-    size 256000
-    flags dynamic
-  }
-
-  set connection_limit_10 {
-    type ipv4_addr
-    size 256000
-    flags dynamic
-  }
-
   set crowdsec {
     type ipv4_addr
     size 262144
@@ -107,11 +77,6 @@ table ip filter {
     icmp type $icmp_v4_types_accept accept
     ct state invalid drop
     ct state { established, related } accept
-    ip saddr $ipv4_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_200 { ip saddr ct count over 200 } counter continue
-    ip saddr $ipv4_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_100 { ip saddr ct count over 100 } counter continue
-    ip saddr $ipv4_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_50 { ip saddr ct count over 50 } counter continue
-    ip saddr $ipv4_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_30 { ip saddr ct count over 30 } counter continue
-    ip saddr $ipv4_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_10 { ip saddr ct count over 10 } counter continue
     ip saddr $ipv4_http_ips ct state new tcp dport { http, https, $canary_proxy_port } accept
   }
 
@@ -132,36 +97,6 @@ table ip filter {
 }
 
 table ip6 filter {
-  set connection_limit_200 {
-    type ipv6_addr
-    size 256000
-    flags dynamic
-  }
-
-  set connection_limit_100 {
-    type ipv6_addr
-    size 256000
-    flags dynamic
-  }
-
-  set connection_limit_50 {
-    type ipv6_addr
-    size 256000
-    flags dynamic
-  }
-
-  set connection_limit_30 {
-    type ipv6_addr
-    size 256000
-    flags dynamic
-  }
-
-  set connection_limit_10 {
-    type ipv6_addr
-    size 256000
-    flags dynamic
-  }
-
   set crowdsec6 {
     type ipv6_addr
     size 262144
@@ -175,11 +110,6 @@ table ip6 filter {
     icmpv6 type $icmp_v6_in_types_accept accept
     ct state invalid drop
     ct state { established, related } accept
-    ip6 saddr $ipv6_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_200 { ip6 saddr ct count over 200 } counter continue
-    ip6 saddr $ipv6_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_100 { ip6 saddr ct count over 100 } counter continue
-    ip6 saddr $ipv6_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_50 { ip6 saddr ct count over 50 } counter continue
-    ip6 saddr $ipv6_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_30 { ip6 saddr ct count over 30 } counter continue
-    ip6 saddr $ipv6_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_10 { ip6 saddr ct count over 10 } counter continue
     ip6 saddr $ipv6_http_ips ct state new tcp dport { http, https, $canary_proxy_port } accept
     ip6 saddr $ipv6_debug_ips ct state new tcp dport { ssh, 19532 } accept
     ip6 saddr $ipv6_socks_saddr_ips ct state new tcp dport socks accept

diff --git a/ic-os/boundary-guestos/rootfs/etc/systemd/system/crowdsec-firewall-bouncer.service b/ic-os/boundary-guestos/rootfs/etc/systemd/system/crowdsec-firewall-bouncer.service
@@ -2,13 +2,12 @@
 Description=Crowdsec nftables bouncer
 After=network-online.target
 Wants=network-online.target
-After=setup-crowdsec.service
+After=setup-crowdsec.service nftables.service
 BindsTo=setup-crowdsec.service
 
 [Service]
 Type=notify
 ExecStart=/usr/bin/crowdsec-firewall-bouncer -c /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
-ExecStartPre=/usr/bin/crowdsec-firewall-bouncer -c /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml -t
 ExecStartPost=/bin/sleep 0.1
 Restart=always
 RestartSec=10