Commit 06591454 authored by Kaarle Ritvanen

test: add basic rules

parent 3293b209
{
"filter": [
{ "conn-limit": 1 },
{ "conn-limit": 1, "action": "pass" },
{ "conn-limit": 1, "log": true },
{ "conn-limit": 1, "log": true, "action": "pass" },
{ "conn-limit": { "count": 1, "log": false } },
{ "conn-limit": { "count": 1, "log": false }, "action": "pass" },
{ "conn-limit": { "count": 1, "log": false }, "log": true },
{
"conn-limit": { "count": 1, "log": false },
"log": true,
"action": "pass"
},
{ "conn-limit": 30 },
{ "conn-limit": 30, "action": "pass" },
{ "conn-limit": 30, "log": true },
{ "conn-limit": { "count": 30, "log": false } },
{ "conn-limit": { "count": 30, "log": false }, "action": "pass" },
{ "conn-limit": { "count": 30, "log": false }, "log": true },
{ "flow-limit": 1 },
{ "flow-limit": 1, "action": "pass" },
{ "flow-limit": 1, "log": true },
{ "flow-limit": 1, "log": true, "action": "pass" },
{ "flow-limit": { "count": 1, "log": false } },
{ "flow-limit": { "count": 1, "log": false }, "action": "pass" },
{ "flow-limit": { "count": 1, "log": false }, "log": true },
{
"flow-limit": { "count": 1, "log": false },
"log": true,
"action": "pass"
},
{ "flow-limit": 30 },
{ "flow-limit": 30, "action": "pass" },
{ "flow-limit": 30, "log": true },
{ "flow-limit": { "count": 30, "log": false } },
{ "flow-limit": { "count": 30, "log": false }, "action": "pass" },
{ "flow-limit": { "count": 30, "log": false }, "log": true }
]
}
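Review bot: The count-30 groups do not cover the full matrix that the count-1 groups do. `"log": true` is combined with `"action": "pass"` for `conn-limit` and `flow-limit` 1, in both scalar and object form, but never for 30, so that path through the hashlimit-based translation is unpinned. If the combination is supported, add `{ "conn-limit": 30, "log": true, "action": "pass" },` plus the object-form and `flow-limit` equivalents. If it is deliberately rejected for counts above 1, that rejection should be asserted somewhere, so that a later change cannot silently start emitting an unlogged or unlimited rule. Every limit object here also sets `"log": false`, so the object form with limit logging left at its default is never exercised.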
{
"filter": [
{},
{ "action": "accept" },
{ "action": "drop" },
{ "action": "pass" },
{ "action": "reject" },
{ "action": "tarpit" }
]
}
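Review bot: This fixture lists only valid action names, so nothing pins what the translator does with an unrecognized one. The expected output for `{}` is `-j ACCEPT` on FORWARD, INPUT and OUTPUT for both families, so a misspelled action that fell back to the default would silently open the firewall. If the harness can express an expected failure, add a case with an invalid action string and assert that it is rejected. Otherwise note in the test's documentation that this is covered elsewhere.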
{
"filter": [
{},
{ "action": "drop" },
{ "action": "pass" },
{ "log": false },
{ "log": false, "action": "drop" },
{ "log": false, "action": "pass" },
{ "log": true },
{ "log": true, "action": "drop" },
{ "log": true, "action": "pass" }
]
}
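Review bot: `"log": false` is exercised only with the default action, `drop` and `pass`, so suppression is never checked for the other two actions that log by default. The action fixture's expected output routes `reject` and `tarpit` through `logreject-0` and `logtarpit-0`, which shows both log unless told otherwise. Adding `{ "log": false, "action": "reject" },` and `{ "log": false, "action": "tarpit" },` would pin that these collapse to a plain `-j REJECT` / `-j tarpit`, the way `drop` is expected to collapse to `-j DROP`. The explicit `"log": true` variants for those two actions are missing as well.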
Filter 1 {}
(filter)
inet/filter/FORWARD -j ACCEPT
inet6/filter/FORWARD -j ACCEPT
inet/filter/INPUT -j ACCEPT
inet6/filter/INPUT -j ACCEPT
inet/filter/OUTPUT -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 2 {"action":"accept"}
(filter)
inet/filter/FORWARD -j ACCEPT
inet6/filter/FORWARD -j ACCEPT
inet/filter/INPUT -j ACCEPT
inet6/filter/INPUT -j ACCEPT
inet/filter/OUTPUT -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 3 {"action":"drop"}
(filter)
inet/filter/FORWARD -j logdrop-0
inet6/filter/FORWARD -j logdrop-0
inet/filter/INPUT -j logdrop-0
inet6/filter/INPUT -j logdrop-0
inet/filter/OUTPUT -j logdrop-0
inet6/filter/OUTPUT -j logdrop-0
inet/filter/logdrop-0 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG
inet/filter/logdrop-0 -j DROP
inet6/filter/logdrop-0 -j DROP
Filter 4 {"action":"pass"}
(filter)
inet/filter/FORWARD
inet6/filter/FORWARD
inet/filter/INPUT
inet6/filter/INPUT
inet/filter/OUTPUT
inet6/filter/OUTPUT
Filter 5 {"action":"reject"}
(filter)
inet/filter/FORWARD -j logreject-0
inet6/filter/FORWARD -j logreject-0
inet/filter/INPUT -j logreject-0
inet6/filter/INPUT -j logreject-0
inet/filter/OUTPUT -j logreject-0
inet6/filter/OUTPUT -j logreject-0
inet/filter/logreject-0 -m limit --limit 1/second -j LOG
inet6/filter/logreject-0 -m limit --limit 1/second -j LOG
inet/filter/logreject-0 -j REJECT
inet6/filter/logreject-0 -j REJECT
Filter 6 {"action":"tarpit"}
(filter)
inet/filter/FORWARD -j logtarpit-0
inet6/filter/FORWARD -j logtarpit-0
inet/filter/INPUT -j logtarpit-0
inet6/filter/INPUT -j logtarpit-0
inet/filter/OUTPUT -j logtarpit-0
inet6/filter/OUTPUT -j logtarpit-0
inet/filter/logtarpit-0 -m limit --limit 1/second -j LOG
inet6/filter/logtarpit-0 -m limit --limit 1/second -j LOG
inet/filter/logtarpit-0 -j tarpit
inet6/filter/logtarpit-0 -j tarpit
inet/raw/PREROUTING -j CT --notrack
inet6/raw/PREROUTING -j CT --notrack
inet/raw/OUTPUT -j CT --notrack
inet6/raw/OUTPUT -j CT --notrack
Filter 7 {"conn-limit":1}
(filter-limit)
inet/filter/FORWARD -j limit-0
inet6/filter/FORWARD -j limit-0
inet/filter/INPUT -j limit-0
inet6/filter/INPUT -j limit-0
inet/filter/OUTPUT -j limit-0
inet6/filter/OUTPUT -j limit-0
inet/filter/limit-0 -m recent --name limit-0 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-1
inet6/filter/limit-0 -m recent --name limit-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-1
inet/filter/logdrop-1 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG
inet/filter/logdrop-1 -j DROP
inet6/filter/logdrop-1 -j DROP
inet/filter/limit-0 -m recent --name limit-0 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-0 -m recent --name limit-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
Filter 8 {"action":"pass","conn-limit":1}
(filter-limit)
inet/filter/FORWARD -j limit-1
inet6/filter/FORWARD -j limit-1
inet/filter/INPUT -j limit-1
inet6/filter/INPUT -j limit-1
inet/filter/OUTPUT -j limit-1
inet6/filter/OUTPUT -j limit-1
inet/filter/limit-1 -m recent --name limit-1 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-2
inet6/filter/limit-1 -m recent --name limit-1 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-2
inet/filter/logdrop-2 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-2 -m limit --limit 1/second -j LOG
inet/filter/logdrop-2 -j DROP
inet6/filter/logdrop-2 -j DROP
inet/filter/limit-1 -m recent --name limit-1 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-1 -m recent --name limit-1 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
Filter 9 {"conn-limit":1,"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-2
inet6/filter/FORWARD -j limit-2
inet/filter/INPUT -j limit-2
inet6/filter/INPUT -j limit-2
inet/filter/OUTPUT -j limit-2
inet6/filter/OUTPUT -j limit-2
inet/filter/limit-2 -m recent --name limit-2 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-3
inet6/filter/limit-2 -m recent --name limit-2 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-3
inet/filter/logdrop-3 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-3 -m limit --limit 1/second -j LOG
inet/filter/logdrop-3 -j DROP
inet6/filter/logdrop-3 -j DROP
inet/filter/limit-2 -m limit --limit 1/second -j LOG
inet6/filter/limit-2 -m limit --limit 1/second -j LOG
inet/filter/limit-2 -m recent --name limit-2 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-2 -m recent --name limit-2 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
Filter 10 {"action":"pass","conn-limit":1,"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-3
inet6/filter/FORWARD -j limit-3
inet/filter/INPUT -j limit-3
inet6/filter/INPUT -j limit-3
inet/filter/OUTPUT -j limit-3
inet6/filter/OUTPUT -j limit-3
inet/filter/limit-3 -m recent --name limit-3 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-4
inet6/filter/limit-3 -m recent --name limit-3 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-4
inet/filter/logdrop-4 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-4 -m limit --limit 1/second -j LOG
inet/filter/logdrop-4 -j DROP
inet6/filter/logdrop-4 -j DROP
inet/filter/limit-3 -m recent --name limit-3 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
inet6/filter/limit-3 -m recent --name limit-3 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
Filter 11 {"conn-limit":{"count":1,"log":false}}
(filter-limit)
inet/filter/FORWARD -j limit-4
inet6/filter/FORWARD -j limit-4
inet/filter/INPUT -j limit-4
inet6/filter/INPUT -j limit-4
inet/filter/OUTPUT -j limit-4
inet6/filter/OUTPUT -j limit-4
inet/filter/limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
Filter 12 {"action":"pass","conn-limit":{"count":1,"log":false}}
(filter-limit)
inet/filter/FORWARD -j limit-5
inet6/filter/FORWARD -j limit-5
inet/filter/INPUT -j limit-5
inet6/filter/INPUT -j limit-5
inet/filter/OUTPUT -j limit-5
inet6/filter/OUTPUT -j limit-5
inet/filter/limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
Filter 13 {"conn-limit":{"count":1,"log":false},"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-6
inet6/filter/FORWARD -j limit-6
inet/filter/INPUT -j limit-6
inet6/filter/INPUT -j limit-6
inet/filter/OUTPUT -j limit-6
inet6/filter/OUTPUT -j limit-6
inet/filter/limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-6 -m limit --limit 1/second -j LOG
inet6/filter/limit-6 -m limit --limit 1/second -j LOG
inet/filter/limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
Filter 14 {"action":"pass","conn-limit":{"count":1,"log":false},"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-7
inet6/filter/FORWARD -j limit-7
inet/filter/INPUT -j limit-7
inet6/filter/INPUT -j limit-7
inet/filter/OUTPUT -j limit-7
inet6/filter/OUTPUT -j limit-7
inet/filter/limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
inet6/filter/limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
Filter 15 {"conn-limit":30}
(filter-limit)
inet/filter/FORWARD -j limit-8
inet6/filter/FORWARD -j limit-8
inet/filter/INPUT -j limit-8
inet6/filter/INPUT -j limit-8
inet/filter/OUTPUT -j limit-8
inet6/filter/OUTPUT -j limit-8
inet/filter/limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-8 -j ACCEPT
inet6/filter/limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-8 -j ACCEPT
inet/filter/limit-8 -m limit --limit 1/second -j LOG
inet6/filter/limit-8 -m limit --limit 1/second -j LOG
inet/filter/limit-8 -j DROP
inet6/filter/limit-8 -j DROP
Filter 16 {"action":"pass","conn-limit":30}
(filter-limit)
inet/filter/FORWARD -j limit-9
inet6/filter/FORWARD -j limit-9
inet/filter/INPUT -j limit-9
inet6/filter/INPUT -j limit-9
inet/filter/OUTPUT -j limit-9
inet6/filter/OUTPUT -j limit-9
inet/filter/limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-9 -j RETURN
inet6/filter/limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-9 -j RETURN
inet/filter/limit-9 -m limit --limit 1/second -j LOG
inet6/filter/limit-9 -m limit --limit 1/second -j LOG
inet/filter/limit-9 -j DROP
inet6/filter/limit-9 -j DROP
Filter 17 {"conn-limit":30,"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-10
inet6/filter/FORWARD -j limit-10
inet/filter/INPUT -j limit-10
inet6/filter/INPUT -j limit-10
inet/filter/OUTPUT -j limit-10
inet6/filter/OUTPUT -j limit-10
inet/filter/limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-10 -j logaccept-0
inet6/filter/limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-10 -j logaccept-0
inet/filter/logaccept-0 -m limit --limit 1/second -j LOG
inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG
inet/filter/logaccept-0 -j ACCEPT
inet6/filter/logaccept-0 -j ACCEPT
inet/filter/limit-10 -m limit --limit 1/second -j LOG
inet6/filter/limit-10 -m limit --limit 1/second -j LOG
inet/filter/limit-10 -j DROP
inet6/filter/limit-10 -j DROP
Filter 18 {"conn-limit":{"count":30,"log":false}}
(filter-limit)
inet/filter/FORWARD -j limit-11
inet6/filter/FORWARD -j limit-11
inet/filter/INPUT -j limit-11
inet6/filter/INPUT -j limit-11
inet/filter/OUTPUT -j limit-11
inet6/filter/OUTPUT -j limit-11
inet/filter/limit-11 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-11 -j ACCEPT
inet6/filter/limit-11 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-11 -j ACCEPT
inet/filter/limit-11 -j DROP
inet6/filter/limit-11 -j DROP
Filter 19 {"action":"pass","conn-limit":{"count":30,"log":false}}
(filter-limit)
inet/filter/FORWARD -j limit-12
inet6/filter/FORWARD -j limit-12
inet/filter/INPUT -j limit-12
inet6/filter/INPUT -j limit-12
inet/filter/OUTPUT -j limit-12
inet6/filter/OUTPUT -j limit-12
inet/filter/limit-12 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-12 -j RETURN
inet6/filter/limit-12 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-12 -j RETURN
inet/filter/limit-12 -j DROP
inet6/filter/limit-12 -j DROP
Filter 20 {"conn-limit":{"count":30,"log":false},"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-13
inet6/filter/FORWARD -j limit-13
inet/filter/INPUT -j limit-13
inet6/filter/INPUT -j limit-13
inet/filter/OUTPUT -j limit-13
inet6/filter/OUTPUT -j limit-13
inet/filter/limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-13 -j logaccept-1
inet6/filter/limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-13 -j logaccept-1
inet/filter/logaccept-1 -m limit --limit 1/second -j LOG
inet6/filter/logaccept-1 -m limit --limit 1/second -j LOG
inet/filter/logaccept-1 -j ACCEPT
inet6/filter/logaccept-1 -j ACCEPT
inet/filter/limit-13 -j DROP
inet6/filter/limit-13 -j DROP
Filter 21 {"flow-limit":1}
(filter-limit)
inet/filter/FORWARD -j limit-14
inet6/filter/FORWARD -j limit-14
inet/filter/INPUT -j limit-14
inet6/filter/INPUT -j limit-14
inet/filter/OUTPUT -j limit-14
inet6/filter/OUTPUT -j limit-14
inet/filter/limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-5
inet6/filter/limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-5
inet/filter/logdrop-5 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-5 -m limit --limit 1/second -j LOG
inet/filter/logdrop-5 -j DROP
inet6/filter/logdrop-5 -j DROP
inet/filter/limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet/filter/FORWARD -j ACCEPT
inet6/filter/FORWARD -j ACCEPT
inet/filter/INPUT -j ACCEPT
inet6/filter/INPUT -j ACCEPT
inet/filter/OUTPUT -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 22 {"action":"pass","flow-limit":1}
(filter-limit)
inet/filter/FORWARD -j limit-15
inet6/filter/FORWARD -j limit-15
inet/filter/INPUT -j limit-15
inet6/filter/INPUT -j limit-15
inet/filter/OUTPUT -j limit-15
inet6/filter/OUTPUT -j limit-15
inet/filter/limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-6
inet6/filter/limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-6
inet/filter/logdrop-6 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-6 -m limit --limit 1/second -j LOG
inet/filter/logdrop-6 -j DROP
inet6/filter/logdrop-6 -j DROP
inet/filter/limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
Filter 23 {"flow-limit":1,"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-16
inet6/filter/FORWARD -j limit-16
inet/filter/INPUT -j limit-16
inet6/filter/INPUT -j limit-16
inet/filter/OUTPUT -j limit-16
inet6/filter/OUTPUT -j limit-16
inet/filter/limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-7
inet6/filter/limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-7
inet/filter/logdrop-7 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-7 -m limit --limit 1/second -j LOG
inet/filter/logdrop-7 -j DROP
inet6/filter/logdrop-7 -j DROP
inet/filter/limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet/filter/FORWARD -j logaccept-final-0
inet6/filter/FORWARD -j logaccept-final-0
inet/filter/INPUT -j logaccept-final-0
inet6/filter/INPUT -j logaccept-final-0
inet/filter/OUTPUT -j logaccept-final-0
inet6/filter/OUTPUT -j logaccept-final-0
inet/filter/logaccept-final-0 -m limit --limit 1/second -j LOG
inet6/filter/logaccept-final-0 -m limit --limit 1/second -j LOG
inet/filter/logaccept-final-0 -j ACCEPT
inet6/filter/logaccept-final-0 -j ACCEPT
Filter 24 {"action":"pass","flow-limit":1,"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-17
inet6/filter/FORWARD -j limit-17
inet/filter/INPUT -j limit-17
inet6/filter/INPUT -j limit-17
inet/filter/OUTPUT -j limit-17
inet6/filter/OUTPUT -j limit-17
inet/filter/limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-8
inet6/filter/limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-8
inet/filter/logdrop-8 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-8 -m limit --limit 1/second -j LOG
inet/filter/logdrop-8 -j DROP
inet6/filter/logdrop-8 -j DROP
inet/filter/limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
inet6/filter/limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
Filter 25 {"flow-limit":{"count":1,"log":false}}
(filter-limit)
inet/filter/FORWARD -j limit-18
inet6/filter/FORWARD -j limit-18
inet/filter/INPUT -j limit-18
inet6/filter/INPUT -j limit-18
inet/filter/OUTPUT -j limit-18
inet6/filter/OUTPUT -j limit-18
inet/filter/limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet/filter/FORWARD -j ACCEPT
inet6/filter/FORWARD -j ACCEPT
inet/filter/INPUT -j ACCEPT
inet6/filter/INPUT -j ACCEPT
inet/filter/OUTPUT -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 26 {"action":"pass","flow-limit":{"count":1,"log":false}}
(filter-limit)
inet/filter/FORWARD -j limit-19
inet6/filter/FORWARD -j limit-19
inet/filter/INPUT -j limit-19
inet6/filter/INPUT -j limit-19
inet/filter/OUTPUT -j limit-19
inet6/filter/OUTPUT -j limit-19
inet/filter/limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-19 -m recent --name limit-19 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-19 -m recent --name limit-19 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
Filter 27 {"flow-limit":{"count":1,"log":false},"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-20
inet6/filter/FORWARD -j limit-20
inet/filter/INPUT -j limit-20
inet6/filter/INPUT -j limit-20
inet/filter/OUTPUT -j limit-20
inet6/filter/OUTPUT -j limit-20
inet/filter/limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet/filter/FORWARD -j logaccept-final-1
inet6/filter/FORWARD -j logaccept-final-1
inet/filter/INPUT -j logaccept-final-1
inet6/filter/INPUT -j logaccept-final-1
inet/filter/OUTPUT -j logaccept-final-1
inet6/filter/OUTPUT -j logaccept-final-1
inet/filter/logaccept-final-1 -m limit --limit 1/second -j LOG
inet6/filter/logaccept-final-1 -m limit --limit 1/second -j LOG
inet/filter/logaccept-final-1 -j ACCEPT
inet6/filter/logaccept-final-1 -j ACCEPT
Filter 28 {"action":"pass","flow-limit":{"count":1,"log":false},"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-21
inet6/filter/FORWARD -j limit-21
inet/filter/INPUT -j limit-21
inet6/filter/INPUT -j limit-21
inet/filter/OUTPUT -j limit-21
inet6/filter/OUTPUT -j limit-21
inet/filter/limit-21 -m recent --name limit-21 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-21 -m recent --name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-21 -m recent --name limit-21 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
inet6/filter/limit-21 -m recent --name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
Filter 29 {"flow-limit":30}
(filter-limit)
inet/filter/FORWARD -j limit-22
inet6/filter/FORWARD -j limit-22
inet/filter/INPUT -j limit-22
inet6/filter/INPUT -j limit-22
inet/filter/OUTPUT -j limit-22
inet6/filter/OUTPUT -j limit-22
inet/filter/limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-22 -j RETURN
inet6/filter/limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-22 -j RETURN
inet/filter/limit-22 -m limit --limit 1/second -j LOG
inet6/filter/limit-22 -m limit --limit 1/second -j LOG
inet/filter/limit-22 -j DROP
inet6/filter/limit-22 -j DROP
inet/filter/FORWARD -j ACCEPT
inet6/filter/FORWARD -j ACCEPT
inet/filter/INPUT -j ACCEPT
inet6/filter/INPUT -j ACCEPT
inet/filter/OUTPUT -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 30 {"action":"pass","flow-limit":30}
(filter-limit)
inet/filter/FORWARD -j limit-23
inet6/filter/FORWARD -j limit-23
inet/filter/INPUT -j limit-23
inet6/filter/INPUT -j limit-23
inet/filter/OUTPUT -j limit-23
inet6/filter/OUTPUT -j limit-23
inet/filter/limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-23 -j RETURN
inet6/filter/limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-23 -j RETURN
inet/filter/limit-23 -m limit --limit 1/second -j LOG
inet6/filter/limit-23 -m limit --limit 1/second -j LOG
inet/filter/limit-23 -j DROP
inet6/filter/limit-23 -j DROP
Filter 31 {"flow-limit":30,"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-24
inet6/filter/FORWARD -j limit-24
inet/filter/INPUT -j limit-24
inet6/filter/INPUT -j limit-24
inet/filter/OUTPUT -j limit-24
inet6/filter/OUTPUT -j limit-24
inet/filter/limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-24 -j RETURN
inet6/filter/limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-24 -j RETURN
inet/filter/limit-24 -m limit --limit 1/second -j LOG
inet6/filter/limit-24 -m limit --limit 1/second -j LOG
inet/filter/limit-24 -j DROP
inet6/filter/limit-24 -j DROP
inet/filter/FORWARD -j logaccept-final-2
inet6/filter/FORWARD -j logaccept-final-2
inet/filter/INPUT -j logaccept-final-2
inet6/filter/INPUT -j logaccept-final-2
inet/filter/OUTPUT -j logaccept-final-2
inet6/filter/OUTPUT -j logaccept-final-2
inet/filter/logaccept-final-2 -m limit --limit 1/second -j LOG
inet6/filter/logaccept-final-2 -m limit --limit 1/second -j LOG
inet/filter/logaccept-final-2 -j ACCEPT
inet6/filter/logaccept-final-2 -j ACCEPT
Filter 32 {"flow-limit":{"count":30,"log":false}}
(filter-limit)
inet/filter/FORWARD -j limit-25
inet6/filter/FORWARD -j limit-25
inet/filter/INPUT -j limit-25
inet6/filter/INPUT -j limit-25
inet/filter/OUTPUT -j limit-25
inet6/filter/OUTPUT -j limit-25
inet/filter/limit-25 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-25 -j RETURN
inet6/filter/limit-25 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-25 -j RETURN
inet/filter/limit-25 -j DROP
inet6/filter/limit-25 -j DROP
inet/filter/FORWARD -j ACCEPT
inet6/filter/FORWARD -j ACCEPT
inet/filter/INPUT -j ACCEPT
inet6/filter/INPUT -j ACCEPT
inet/filter/OUTPUT -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 33 {"action":"pass","flow-limit":{"count":30,"log":false}}
(filter-limit)
inet/filter/FORWARD -j limit-26
inet6/filter/FORWARD -j limit-26
inet/filter/INPUT -j limit-26
inet6/filter/INPUT -j limit-26
inet/filter/OUTPUT -j limit-26
inet6/filter/OUTPUT -j limit-26
inet/filter/limit-26 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-26 -j RETURN
inet6/filter/limit-26 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-26 -j RETURN
inet/filter/limit-26 -j DROP
inet6/filter/limit-26 -j DROP
Filter 34 {"flow-limit":{"count":30,"log":false},"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-27
inet6/filter/FORWARD -j limit-27
inet/filter/INPUT -j limit-27
inet6/filter/INPUT -j limit-27
inet/filter/OUTPUT -j limit-27
inet6/filter/OUTPUT -j limit-27
inet/filter/limit-27 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-27 -j RETURN
inet6/filter/limit-27 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-27 -j RETURN
inet/filter/limit-27 -j DROP
inet6/filter/limit-27 -j DROP
inet/filter/FORWARD -j logaccept-final-3
inet6/filter/FORWARD -j logaccept-final-3
inet/filter/INPUT -j logaccept-final-3
inet6/filter/INPUT -j logaccept-final-3
inet/filter/OUTPUT -j logaccept-final-3
inet6/filter/OUTPUT -j logaccept-final-3
inet/filter/logaccept-final-3 -m limit --limit 1/second -j LOG
inet6/filter/logaccept-final-3 -m limit --limit 1/second -j LOG
inet/filter/logaccept-final-3 -j ACCEPT
inet6/filter/logaccept-final-3 -j ACCEPT
Filter 35 {}
(log)
inet/filter/FORWARD -j ACCEPT
inet6/filter/FORWARD -j ACCEPT
inet/filter/INPUT -j ACCEPT
inet6/filter/INPUT -j ACCEPT
inet/filter/OUTPUT -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 36 {"action":"drop"}
(log)
inet/filter/FORWARD -j logdrop-9
inet6/filter/FORWARD -j logdrop-9
inet/filter/INPUT -j logdrop-9
inet6/filter/INPUT -j logdrop-9
inet/filter/OUTPUT -j logdrop-9
inet6/filter/OUTPUT -j logdrop-9
inet/filter/logdrop-9 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-9 -m limit --limit 1/second -j LOG
inet/filter/logdrop-9 -j DROP
inet6/filter/logdrop-9 -j DROP
Filter 37 {"action":"pass"}
(log)
inet/filter/FORWARD
inet6/filter/FORWARD
inet/filter/INPUT
inet6/filter/INPUT
inet/filter/OUTPUT
inet6/filter/OUTPUT
Filter 38 {"log":false}
(log)
inet/filter/FORWARD -j ACCEPT
inet6/filter/FORWARD -j ACCEPT
inet/filter/INPUT -j ACCEPT
inet6/filter/INPUT -j ACCEPT
inet/filter/OUTPUT -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 39 {"action":"drop","log":false}
(log)
inet/filter/FORWARD -j DROP