(BOUN-1001) Limit the number of open tcp connections in BN per ip

dfinity · Jan 12, 2024 · f0373c6 · f0373c6
1 parent 6ed74ab
commit f0373c6
Showing 1 changed file with 72 additions and 1 deletion.
diff --git a/ic-os/boundary-guestos/rootfs/etc/nftables.conf b/ic-os/boundary-guestos/rootfs/etc/nftables.conf
@@ -4,7 +4,6 @@ flush ruleset
 
 define icmp_v4_types_accept = {
   destination-unreachable,
-  source-quench,
   time-exceeded,
   parameter-problem,
   echo-request,
@@ -65,12 +64,48 @@ define ipv6_socks_saddr_ips = {
 }
 
 table ip filter {
+
+  set connection_limit_200 {
+    type ipv4_addr
+    size 256000
+    flags dynamic
+  }
+
+  set connection_limit_100 {
+    type ipv4_addr
+    size 256000
+    flags dynamic
+  }
+
+  set connection_limit_50 {
+    type ipv4_addr
+    size 256000
+    flags dynamic
+  }
+
+  set connection_limit_30 {
+    type ipv4_addr
+    size 256000
+    flags dynamic
+  }
+
+  set connection_limit_10 {
+    type ipv4_addr
+    size 256000
+    flags dynamic
+  }
+
   chain input {
     type filter hook input priority filter; policy drop;
     iif "lo" accept
     icmp type $icmp_v4_types_accept accept
     ct state invalid drop
     ct state { established, related } accept
+    ip saddr $ipv4_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_200 { ip saddr ct count over 200 } counter continue
+    ip saddr $ipv4_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_100 { ip saddr ct count over 100 } counter continue
+    ip saddr $ipv4_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_50 { ip saddr ct count over 50 } counter continue
+    ip saddr $ipv4_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_30 { ip saddr ct count over 30 } counter continue
+    ip saddr $ipv4_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_10 { ip saddr ct count over 10 } counter continue
     ip saddr $ipv4_http_ips ct state new tcp dport { http, https, $canary_proxy_port } accept
   }
 
@@ -91,12 +126,48 @@ table ip filter {
 }
 
 table ip6 filter {
+
+  set connection_limit_200 {
+    type ipv6_addr
+    size 256000
+    flags dynamic
+  }
+
+  set connection_limit_100 {
+    type ipv6_addr
+    size 256000
+    flags dynamic
+  }
+
+  set connection_limit_50 {
+    type ipv6_addr
+    size 256000
+    flags dynamic
+  }
+
+  set connection_limit_30 {
+    type ipv6_addr
+    size 256000
+    flags dynamic
+  }
+
+  set connection_limit_10 {
+    type ipv6_addr
+    size 256000
+    flags dynamic
+  }
+
   chain input {
     type filter hook input priority filter; policy drop;
     iif "lo" accept
     icmpv6 type $icmp_v6_in_types_accept accept
     ct state invalid drop
     ct state { established, related } accept
+    ip6 saddr $ipv6_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_200 { ip6 saddr ct count over 200 } counter continue
+    ip6 saddr $ipv6_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_100 { ip6 saddr ct count over 100 } counter continue
+    ip6 saddr $ipv6_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_50 { ip6 saddr ct count over 50 } counter continue
+    ip6 saddr $ipv6_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_30 { ip6 saddr ct count over 30 } counter continue
+    ip6 saddr $ipv6_http_ips tcp dport { http, https, $canary_proxy_port } ct state new add @connection_limit_10 { ip6 saddr ct count over 10 } counter continue
     ip6 saddr $ipv6_http_ips ct state new tcp dport { http, https, $canary_proxy_port } accept
     ip6 saddr $ipv6_debug_ips ct state new tcp dport { ssh, 19532 } accept
     ip6 saddr $ipv6_socks_saddr_ips ct state new tcp dport socks accept