* how to use meters?
@ 2022-09-18 10:49 Kamil Jońca
2022-09-19 8:47 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Kamil Jońca @ 2022-09-18 10:49 UTC (permalink / raw)
To: netfilter
I try to understand "meters" and I have an impression I missed
something.
Use case:
--8<---------------cut here---------------start------------->8---
iptables -A wan-f-ssh -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --tcp-flags FIN,ACK FIN,ACK -m recent --set --name ssh --rsource -j LOG --log-prefix "FW+SSH:FIN:"
iptables -A wan-f-ssh -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --tcp-flags FIN,ACK FIN,ACK -m recent --update --seconds 30 --hitcount 2 --name ssh --rsource -m recent --set --name ssh2 --rsource -j LOG --log-prefix "FW+SSH:FIN#2:"
iptables -A wan-f-ssh -j ACCEPT
[...]
iptables -A FORWARD -m recent --update --seconds 60 --name ssh2 --rsource -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 22 -j wan-f-ssh
--8<---------------cut here---------------end--------------->8---
i.e. if an SSH connection ends, it is added to observation (ssh set); then if
a second end happens within 30 sec it is added to block (ssh2 set).
I would like to achieve similar behavior with nftables and I guess that I should
use meters but ... I do not know how.
On some internet sites I found some examples but I do not understand
"why that".
For example:
https://wiki.archlinux.org/title/Nftables#Dynamic_blackhole
--8<---------------cut here---------------start------------->8---
ct state new tcp dport 443 \
meter flood size 128000 { ip saddr timeout 10s limit rate over 10/second } \
add @blackhole { ip saddr timeout 1m }
--8<---------------cut here---------------end--------------->8---
I understand "add @blackhole { ip saddr timeout 1m }" - it adds the address to
the set for 1 min.
But what is
"meter flood size 128000 { ip saddr timeout 10s limit rate over 10/second }"?
(I can guess but I cannot find proper documentation for this.)
Any hint?
KJ
--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
* Re: how to use meters?
2022-09-18 10:49 how to use meters? Kamil Jońca
@ 2022-09-19 8:47 ` Pablo Neira Ayuso
2022-09-19 10:00 ` Kamil Jońca
0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2022-09-19 8:47 UTC (permalink / raw)
To: Kamil Jońca; +Cc: netfilter
On Sun, Sep 18, 2022 at 12:49:34PM +0200, Kamil Jońca wrote:
[...]
> For example:
> https://wiki.archlinux.org/title/Nftables#Dynamic_blackhole
> --8<---------------cut here---------------start------------->8---
> ct state new tcp dport 443 \
> meter flood size 128000 { ip saddr timeout 10s limit rate over 10/second } \
> add @blackhole { ip saddr timeout 1m }
> --8<---------------cut here---------------end--------------->8---
>
> I understand " add @blackhole { ip saddr timeout 1m }" - adds address to
> set for 1 min.
> but what is
> "meter flood size 128000 { ip saddr timeout 10s limit rate over 10/second }"
>
> (I can guess but I cannot see proper doc of this)
> Any hint?
I'd suggest you use a set declaration for this, instead of the meter syntax.
This example shows how to ratelimit new connections to 10 per second:
table inet global {
    set flood {
        type ipv4_addr
        flags dynamic
        timeout 1m
        limit rate over 10/second
        size 65536
    }

    chain input {
        type filter hook prerouting priority filter; policy drop;

        ct state new tcp dport 443 update @flood { ip saddr } drop
        counter accept
    }
}
This declares a dynamic 'flood' set that stores IPv4 addresses. The
limit rate is also done from the set declaration itself. If the client
goes over the threshold, the packet is dropped.
Now, going back to "drop all HTTPS connections for 1 minute from a
source IP that exceeds the limit of 10/second", let's update the
previous example incrementally with an explicit set declaration:
table inet global {
    set flood {
        type ipv4_addr
        flags dynamic
        timeout 1m
        limit rate over 10/second
        size 65536
    }

    set blocklist {
        type ipv4_addr
        flags dynamic
        timeout 1m
        size 65536
    }

    chain input {
        type filter hook prerouting priority filter; policy drop;

        ct state new tcp dport 443 update @flood { ip saddr } add @blocklist { ip saddr }
        ip saddr @blocklist counter drop
        counter accept
    }
}
The 'flood' set keeps track of the specified ratelimit for each IP
address; if the ratelimit threshold is hit, then the IP address is
added to the blocklist. After 1 minute, the IP address in the
blocklist is removed.
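As an added illustration (not part of the thread, and not nftables or kernel code), the following Python model walks one packet at a time through the three rules of the flood + blocklist chain above. It approximates the per-source "limit rate over 10/second" with a one-second sliding window (the kernel's limiter is a token bucket), models "add" as insert-only, and uses constructed hosts and timestamps.

```python
"""Model of the 'flood' + 'blocklist' chain: sliding-window stand-in for
'limit rate over 10/second', insert-only 'add', constructed traffic."""
from collections import defaultdict, deque

RATE = 10             # limit rate over 10/second (new connections per source)
WINDOW = 1.0          # seconds; sliding-window approximation of the limiter
BLOCK_TIMEOUT = 60.0  # set blocklist { timeout 1m }


class FloodBlocklist:
    def __init__(self):
        self.flood = defaultdict(deque)  # @flood: saddr -> recent connection times
        self.blocklist = {}              # @blocklist: saddr -> expiry time

    def _expire(self, now):
        # Dynamic set entries vanish once their timeout has elapsed.
        for addr in [a for a, exp in self.blocklist.items() if exp <= now]:
            del self.blocklist[addr]

    def verdict(self, now, saddr, new_conn_to_443):
        self._expire(now)
        # Rule 1: ct state new tcp dport 443 update @flood { ip saddr } add @blocklist { ip saddr }
        if new_conn_to_443:
            seen = self.flood[saddr]
            seen.append(now)
            while seen and seen[0] <= now - WINDOW:
                seen.popleft()
            if len(seen) > RATE:
                # 'over' matched: rate exceeded, so the add statement runs.
                # Modelled as insert-only: an existing entry keeps its expiry.
                self.blocklist.setdefault(saddr, now + BLOCK_TIMEOUT)
        # Rule 2: ip saddr @blocklist counter drop
        if saddr in self.blocklist:
            return "drop"
        # Rule 3: counter accept
        return "accept"


def run_demo():
    """Constructed traffic: 10.0.0.5 opens one HTTPS connection per second;
    10.0.0.9 bursts 12 within half a second, retries while blocked, and
    retries again after the 1 minute timeout has passed."""
    fw = FloodBlocklist()
    legit = [fw.verdict(float(t), "10.0.0.5", True) for t in range(12)]
    burst = [fw.verdict(20.0 + 0.05 * i, "10.0.0.9", True) for i in range(12)]
    while_blocked = fw.verdict(50.0, "10.0.0.9", True)
    after_expiry = fw.verdict(81.0, "10.0.0.9", True)
    return {"legit": legit, "burst": burst, "while_blocked": while_blocked, "after_expiry": after_expiry}
```

Note that the 11th connection in the burst is already dropped: rule 1 inserts the source into @blocklist and rule 2 then matches on the same packet.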
* Re: how to use meters?
2022-09-19 8:47 ` Pablo Neira Ayuso
@ 2022-09-19 10:00 ` Kamil Jońca
0 siblings, 0 replies; 3+ messages in thread
From: Kamil Jońca @ 2022-09-19 10:00 UTC (permalink / raw)
To: netfilter
Pablo Neira Ayuso <pablo@netfilter.org> writes:
> On Sun, Sep 18, 2022 at 12:49:34PM +0200, Kamil Jońca wrote:
> [...]
>> For example:
>> https://wiki.archlinux.org/title/Nftables#Dynamic_blackhole
>> --8<---------------cut here---------------start------------->8---
>> ct state new tcp dport 443 \
>> meter flood size 128000 { ip saddr timeout 10s limit rate over 10/second } \
>> add @blackhole { ip saddr timeout 1m }
>> --8<---------------cut here---------------end--------------->8---
>>
>> I understand " add @blackhole { ip saddr timeout 1m }" - adds address to
>> set for 1 min.
>> but what is
>> "meter flood size 128000 { ip saddr timeout 10s limit rate over 10/second }"
>>
>> (I can guess but I cannot see proper doc of this)
>> Any hint?
>
> I'd suggest you use a set declaration for this, instead of the meter syntax.
>
> This example shows how to ratelimit new connections to 10 per second:
>
[... snip ...]
Thank you. After some digging and reading the manual (especially "SET
STATEMENT") I wrote a similar thing (two tables flood + blacklist, etc.)
So thanks for confirmation. :)
The only thing is
"
set flood {
    type ipv4_addr
    flags dynamic
    timeout 1m
    limit rate over 10/second
    size 65536
}
"
I did not find a "limit" statement in the set definition in the manual.
Have I overlooked something?
KJ
--
http://wolnelektury.pl/wesprzyj/teraz/