On Mon, Jun 03, 2002 at 04:24:37PM +0200, Jedi/Sector One wrote:

> Rate limitation (X connections in Y seconds) like Linux does is probably
> bloat. But per-state is not enough, it should depend on source IPs to
> address that issue.

I don't think that per-address limits will make it into pf. While
per-rule limits could be added without significant run-time overhead
(O(1) for each state creation), per-address would require an additional
data structure being updated (with non-constant cost). That's too high a
price to pay in general for a feature that isn't used by the majority.

But what's stopping us from writing a userland proxy that listens on a
port and forwards connections to a server and does the address
accounting, dropping connections from the same source when the count
exceeds a limit? You could even transparently redirect incoming
connections to this proxy (like ftp-proxy) from pf, and it could
optionally run on the same host. I think whatever can be done cleanly in
userland shouldn't go into the kernel. With separate userland tools for
specific purposes, people can choose what to run, and the cost of packet
filtering itself doesn't increase with each option.

Daniel

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]