allow to limit default-drop logs (anti ddos)

Author: ansibleguy

defaults/main/1_main.yml

@@ -38,6 +38,9 @@ defaults_nftables:
   purge_orphaned: true  # purge all unmanaged files from /etc/nftables.d/
 
   log_drop_prefix: 'NFTables DROP'
+  log_drop_limit:  # anti DDOS
+    enable: false
+    count: 100
   log_group: ''  # set to '0' for container workaround => send logs to local ulogd2 daemon
   ext: 'nft'  # extension used for nftables config-files
 

templates/etc/nftables.d/table.nft.j2

@@ -28,7 +28,7 @@ table {{ nft_table.type }} {{ nft_table_name }} {
     counter comment "COUNT {{ nft_table_name }}-{{ chain_name }}{% if chain_main %}-{{ chain.policy }}{% endif %}"
 {%   endif %}
 {%   if chain_main and chain.log.drop and chain.policy == 'drop' %}
-    log prefix "{{ NFT_CONFIG.log_drop_prefix }} {{ nft_table_name }}-{% if chain.log.prefix %}{{ chain.log.prefix }}{% else %}{{ chain_name }}{% endif %} "
+    log prefix "{{ NFT_CONFIG.log_drop_prefix }} {{ nft_table_name }}-{% if chain.log.prefix %}{{ chain.log.prefix }}{% else %}{{ chain_name }}{% endif %} "{% if NFT_CONFIG.log_drop_limit.enable | bool %} limit rate {{ NFT_CONFIG.log_drop_limit.count }}/second{% endif +%}
 {%   endif %}
   }