Overloading to different tables

From: Dobri Dobrev <ddobrev85_at_gmail.com>
Date: Thu, 20 Jul 2023 19:38:23 UTC

Hey guys...

Trying to overload to 2 different tables based on conditions, however, pf
always matches the bottom rule, no matter what I try.

pass in on ix0 proto tcp from any to XXX.XXX.XX.XX port 2222 tag CONNRATE label "connrate" flags S/SA keep state (source-track rule, max-src-conn-rate 4/1 overload <limit_connrate> flush global, src.track 1)
pass in on ix0 proto tcp from any to XXX.XXX.XX.XX port 2222 tag MAXCONN label "maxconn" flags S/SA keep state (source-track rule, max-src-conn 10, overload <limit_maxconn> flush global, src.track 1)

The idea is to be able to separate IPs that do more than allowed
connections in table 1, and IPs that do more than allowed conn-rate in
table 2.
Problem is - only the 2nd rule is matching.
LABEL COUNTERS:
connrate 40113 0 0 0 0 0 0 0 <- first rule
maxconn 5042 24972 9794870 12239 1789101 12733 8005769 1123

I've tried doing a "match" rule instead of pass, in that case the
difference is - the last 3 values are empty (more notably the last one
since it creates the state)
LABEL COUNTERS:
connrate 6205 1688 98156 1688 98156 0 0 0
maxconn 6205 1688 98156 1688 98156 0 0 0

Tried doing match + pass with overload of tagged "X", that also resulted in
the last rule being the one that creates state (and does overload to table).

Any ideas on how to do what I'm trying?
The idea is:
1. to allow a max of 100 connections and if the IP does more than that - to
be placed in the "limit_maxconn" table.
2. to set a connection-rate limit and any IP that overreaches it - to be
placed in the "limit_connrate" table.

Is there a way to achieve this?

Regards,
D