This change is to support the 'fail2ban' feature. Instead of
blocking IPs by the server itself, the server just adds malicious IPs
to specified nftables sets, so the admin can configure rules
to deal with those IPs.
Note: the cap_net_admin capability is required.
Example configuration:
# nft add table ip fail2ban
# nft add chain ip fail2ban input { type filter hook input priority 0 \; }
# nft add set ip fail2ban badips { type ipv4_addr \; flags dynamic, timeout \; timeout 1h \; }
# nft add rule ip fail2ban input ip saddr @badips drop
# ss-server -c config.json --nftables-sets badips
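The configuration above creates the table, set and drop rule but does not show how an element gets into the set or how to check that it is there. The following POSIX sh helper is an added example, not code from shadowsocks-libev or from this commit: it uses the table and set names from the example configuration (`ip fail2ban` and `badips`, both assumptions if you named yours differently) to ban one address by hand with `nft add element`, so the drop rule can be exercised before ss-server is pointed at the set. Because the address string ultimately comes from a hostile peer, the helper validates it as a plain dotted quad before it is passed to nft, and a dry-run mode prints the command instead of running it.

```shell
#!/bin/sh
# Added example (not part of shadowsocks-libev): manually exercise the
# fail2ban set. Assumes the table "ip fail2ban" and set "badips" from the
# example configuration. Set NFT_DRY_RUN=1 to print the command instead of
# running it; otherwise nft needs CAP_NET_ADMIN, so run as root.

TABLE="ip fail2ban"
SET="badips"
BAN_TIMEOUT="${BAN_TIMEOUT:-1h}"

# Accept only a dotted-quad IPv4 address (the set is typed ipv4_addr).
# Anything else, including shell or nft metacharacters, is rejected.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    _oifs=$IFS; IFS=.
    set -- $1
    IFS=$_oifs
    [ $# -eq 4 ] || return 1
    for _oct in "$@"; do
        [ "$_oct" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Print the nft command that would ban one address for BAN_TIMEOUT.
# Kept separate from the execution so it can be reviewed and tested.
ban_cmd() {
    valid_ipv4 "$1" || return 1
    printf 'nft add element %s %s { %s timeout %s }\n' \
        "$TABLE" "$SET" "$1" "$BAN_TIMEOUT"
}

# Ban one address: validate, then either print (dry run) or add the element.
# nft concatenates its arguments, so the braces can travel in one argument.
ban_ip() {
    if ! valid_ipv4 "$1"; then
        echo "refusing to ban malformed address: $1" >&2
        return 1
    fi
    if [ -n "${NFT_DRY_RUN:-}" ]; then
        ban_cmd "$1"
    else
        nft add element $TABLE "$SET" "{ $1 timeout $BAN_TIMEOUT }"
    fi
}

# List the current members of the set; nft prints the remaining timeout
# of each element, which is the quickest check that a ban took effect.
show_bans() {
    nft list set $TABLE "$SET"
}

# Usage: ./fail2ban-set.sh ban 203.0.113.7 ; ./fail2ban-set.sh list
case "${1:-}" in
    ban)  ban_ip "$2" ;;
    list) show_bans ;;
esac
```

After `ban_ip`, a connection from the banned address should hit the `ip saddr @badips drop` rule, and `show_bans` should list the address with its remaining expiry; once the timeout elapses the kernel removes the element on its own, which is why the set was created with `flags dynamic, timeout`.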
- This is very useful in advanced scenarios such as ss-redir or chaining of servers using TPROXY,
to avoid bufferbloat-like performance degradation due to the OS's default large buffers.
The server made a connection to the remote, and the remote replied on that connection.
The nf_conntrack module would not check reply-dst and reply-src by default.
For more information please refer to https://www.spinics.net/lists/netfilter/msg57842.html
As a result, src and dst should be swapped to make nf_conntrack find the connection.
After five years, memory footprint is no longer a problem for most
low-end boxes and high-end routers.
It should also improve speed on loopback and high-speed LAN
networks.