
Add an option to limit the rate of logged messages #19

Closed
LionelCons opened this issue Nov 23, 2020 · 3 comments · Fixed by #22

Comments

@LionelCons

The default logging of incoming packets comes from:

    'INPUT-log_discarded':
      order   => '97',
      content => "log prefix \"${sprintf($_log_prefix_discard, { 'chain' => 'INPUT' })}\" flags all counter";

This contains no rate limiting, so it opens the door to DoS attacks.

All the rules that log something should use rate limiting, at least via an option.

@keachi
Collaborator

keachi commented Nov 23, 2020

That's a good point. Rate limiting the logging via an option would be my preferred way. The default could then be enabled, but it should be possible to disable it.

@nbarrientos
Collaborator

Yeah, it makes sense. What about this as default?

limit rate 3/minute burst 5 

of a parameter in nftables, say nftables::log_rate?

Happy to provide a patch once the pending merge requests have been cleared out.
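For reference, here is what the two variants of the discarded-packet log rule look like in a plain nftables ruleset. This is an added example written for this page, not code from the thread or from the puppet-nftables module; the table name, the accept rules and the log prefix string are placeholders, since the value of `$_log_prefix_discard` is not shown above. The burst unit is spelled out as `packets` because the nft grammar requires it for packet-based limits.

```nft
# Constructed example ruleset (not the module's generated output).
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Placeholder accept rules so that only unsolicited traffic reaches the log rule.
        ct state established,related accept
        iif lo accept

        # Unlimited variant (what the issue describes): every packet that reaches this
        # point produces one kernel log line, so a flood of unsolicited packets becomes
        # a log flood. Left commented out; it must not be active together with the
        # rate-limited rule below or every packet would be logged anyway.
        # log prefix "[nftables] INPUT discarded: " flags all counter

        # Rate-limited variant, using the default proposed in the thread. The limit
        # expression is evaluated before the log action, so only packets within the
        # budget (3 per minute, with an initial burst of 5) are logged; the rest fall
        # through to the final drop without a log line. The counter here therefore
        # counts logged packets, not all discarded ones.
        limit rate 3/minute burst 5 packets log prefix "[nftables] INPUT discarded: " flags all counter

        # Unconditional drop with its own counter, so the total number of discarded
        # packets stays observable even while logging is being suppressed.
        counter drop
    }
}
```

Load it with `nft -f ruleset.nft` and check `nft list chain inet filter input`; the gap between the two counters shows how many discards were dropped without a log line.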

@LionelCons
Author

LGTM
