| 4 Aug 2025 |
 hexa | 700+ source addresses hammering out over 2.7million requests | 18:48:01 |
| hexa | over 600k 429 responses | 18:48:06 |
| hexa | source seems to be tor, but there is an email address in the user-agent | 18:48:16 |
 @emma:rory.gay | personally i'd just throw up a few temporary iptables rules | 18:52:28 |
| hexa | yeah, I'm temporarily blocking tor exits | 18:53:12 |
| hexa | the requests stopped a minute after I sent the mail | 18:57:02 |
| hexa | also boo, we're still using iptables | 18:57:17 |
| 5 Aug 2025 |
| @emma:rory.gay | or youre using the nftables wrapper lol | 02:59:30 |
| hexa | the nixos default 🤷 | 03:00:29 |
| hexa | quite a bit of technical debt in there | 03:00:51 |
| @emma:rory.gay | yeah, thats the nftables wraper | 03:02:10 |
| @emma:rory.gay | iptables v1.8.11 (nf_tables) | 03:02:18 |
| @emma:rory.gay | glad that still exists because i have no clue how to manage nftables | 03:02:46 |
| hexa | systemd.services.nft-update-tor-exits = {
wantedBy = [ "nftables.service" ];
after = [ "nftables.service" ];
startAt = "hourly";
script = ''
curl -sSL "https://check.torproject.org/cgi-bin/TorBulkExitList.py?exit" | sed '/^#/d' | while read IP; do
nft add element inet filter torexits { $IP }
done
'';
path = with pkgs; [
curl
nftables
];
};
| 03:10:29 |
| hexa | set torexits {
type ipv4_addr;
flags dynamic, timeout;
timeout 6h;
}
| 03:11:00 |
| hexa | basically you can create a datatype, e.g. a set | 03:11:06 |
| hexa | and add to it, and have entries timeout automatically | 03:11:14 |
| hexa | and then match on that set | 03:11:31 |
| hexa | ip saddr @torexits counter drop
| 03:11:38 |
|  sinan changed their profile picture. | 03:58:54 |
| sinan | 03:58:56 |
 Arian | I love nftables so much | 07:00:42 |
| Arian | Systemd also creates a set for each cgroup automatically which is nice | 07:01:01 |
 Janne | In reply to @arianvp:matrix.org
Systemd also creates a set for each cgroup automatically which is nice With what in it? 😳 | 07:54:47 |
|  isabel changed their profile picture. | 09:49:48 |
| Arian | The cgroup id | 19:38:42 |
| Arian | But means you can refer to cgroups by name in nft rules | 19:39:16 |
| Arian | (as opposed to having to use the unstable cgroup id) | 19:39:27 |
| 6 Aug 2025 |
| Janne | In reply to @arianvp:matrix.org
The cgroup id Do I need to enable something for this to work? Or do I have to use the latest version? Because I don't see anything like this in my ruleset | 09:05:56 |
| Arian | https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#NFTSet=family:table:set | 18:19:19 |
