From 3a5ae2c307ab3dbe0f2496b131d6191b7183ea7c Mon Sep 17 00:00:00 2001
From: AnsibleGuy
Date: Tue, 3 Sep 2024 16:01:42 +0200
Subject: [PATCH] allow to limit default-drop logs (anti ddos)

---
 defaults/main/1_main.yml | 3 +++
 templates/etc/nftables.d/table.nft.j2 | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/defaults/main/1_main.yml b/defaults/main/1_main.yml
index 8f50a67..573c1a8 100644
--- a/defaults/main/1_main.yml
+++ b/defaults/main/1_main.yml
@@ -38,6 +38,9 @@ defaults_nftables:
   purge_orphaned: true # purge all unmanaged files from /etc/nftables.d/
   log_drop_prefix: 'NFTables DROP'
+  log_drop_limit: # anti DDOS
+    enable: false
+    count: 100
   log_group: '' # set to '0' for container workaround => send logs to local ulogd2 daemon
   ext: 'nft' # extension used for nftables config-files
diff --git a/templates/etc/nftables.d/table.nft.j2 b/templates/etc/nftables.d/table.nft.j2
index f916078..d9c79f4 100644
--- a/templates/etc/nftables.d/table.nft.j2
+++ b/templates/etc/nftables.d/table.nft.j2
@@ -28,7 +28,7 @@ table {{ nft_table.type }} {{ nft_table_name }} {
     counter comment "COUNT {{ nft_table_name }}-{{ chain_name }}{% if chain_main %}-{{ chain.policy }}{% endif %}"
 {% endif %}
 {% if chain_main and chain.log.drop and chain.policy == 'drop' %}
-    log prefix "{{ NFT_CONFIG.log_drop_prefix }} {{ nft_table_name }}-{% if chain.log.prefix %}{{ chain.log.prefix }}{% else %}{{ chain_name }}{% endif %} "
+    log prefix "{{ NFT_CONFIG.log_drop_prefix }} {{ nft_table_name }}-{% if chain.log.prefix %}{{ chain.log.prefix }}{% else %}{{ chain_name }}{% endif %} "{% if NFT_CONFIG.log_drop_limit.enable | bool %} limit rate {{ NFT_CONFIG.log_drop_limit.count }}/second{% endif +%}
 {% endif %}
 }
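Review bot: The new `count` default carries no unit or scope, while the template renders it as `limit rate N/second` on the default-drop log statement only, so an operator reading defaults/main/1_main.yml cannot tell what 100 means. Document it in place: `count: 100  # max default-drop log entries per second; packets above the rate are still dropped, just not logged`. The `enable` value is read through `| bool` in the template, so keep it a real boolean here rather than a quoted string. The `# anti DDOS` comment on the parent key would say more as `# rate-limit default-drop logging so a packet flood cannot fill the log`.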
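Review bot: The `limit rate` is placed after the `log` statement in the added line, and nftables evaluates a rule's statements left to right: `log` runs for every packet, and a non-matching `limit` only stops evaluation of what follows it, which here is nothing, so the log is not limited at all when `enable` is true. The limit has to precede the log, the usual nft idiom being `limit rate N/second log prefix "..."`; the line becomes `{% if NFT_CONFIG.log_drop_limit.enable | bool %}limit rate {{ NFT_CONFIG.log_drop_limit.count }}/second {% endif %}log prefix "{{ NFT_CONFIG.log_drop_prefix }} {{ nft_table_name }}-{% if chain.log.prefix %}{{ chain.log.prefix }}{% else %}{{ chain_name }}{% endif %} "`. Since the chain policy is `drop`, packets over the rate are still dropped, only the log entry is skipped, which is the intended anti-flood behaviour. nftables applies its own default burst to packet-rate limits (verify against the installed nft version), so exposing an optional `burst` next to `count` would make the log volume under a flood fully operator-controlled. The enclosing chain block of this template starts and ends outside the hunk.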