
source-track and 3.4
I have been running OpenBSD 3.4-stable for a few months now.
I have a stable web server, so I don't want to do anything drastic at this
point.
But I need source-track capability in pf. I need to be able to limit the
number of connections per IP address. Right now I sometimes do things like:
pass in on $ext_if proto tcp from { 1.0.0.0/16 } to any port 80 flags S/SA keep state (max 1) queue (q_lo, q_hi)
pass in on $ext_if proto tcp from { 1.1.0.0/16 } to any port 80 flags S/SA keep state (max 1) queue (q_lo, q_hi)
pass in on $ext_if proto tcp from { 1.2.0.0/16 } to any port 80 flags S/SA keep state (max 1) queue (q_lo, q_hi)
.
pass in on $ext_if proto tcp from { 255.253.0.0/16 } to any port 80 flags S/SA keep state (max 1) queue (q_lo, q_hi)
pass in on $ext_if proto tcp from { 255.254.0.0/16 } to any port 80 flags S/SA keep state (max 1) queue (q_lo, q_hi)
pass in on $ext_if proto tcp from { 255.255.0.0/16 } to any port 80 flags S/SA keep state (max 1) queue (q_lo, q_hi)
I've thought about other workarounds, like dynamic tables that the webserver
automatically adds to when a connection arrives. But source-track seems so
much simpler.
Questions:
Is there a patch available to add source-track capability to 3.4-stable?
Is source-track in 3.5-stable?
Thanks,
Lee
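Added example, not part of Lee's message and not taken from OpenBSD's own documentation: the rule set above rewritten with pf source tracking, which is the pf.conf syntax OpenBSD 3.5 introduced for exactly this per-source limit. `$ext_if`, `q_lo` and `q_hi` come from the posted rules; the interface name `fxp0`, the node limit of 1000 and the queue definitions are assumptions made here so the fragment is complete.

```pf
# Added example (not from the original post). Assumes the external
# interface is fxp0 and that q_lo / q_hi are ALTQ queues defined below.
ext_if = "fxp0"
altq on $ext_if cbq bandwidth 10Mb queue { q_lo, q_hi }
queue q_lo bandwidth 20% cbq(default)
queue q_hi bandwidth 80% cbq(borrow)

# Posted approach: "max 1" caps the states created by THIS RULE, not per
# source address, which is why one rule per /16 was needed.
#   pass in on $ext_if proto tcp from 1.0.0.0/16 to any port 80 \
#       flags S/SA keep state (max 1) queue (q_lo, q_hi)

# Source-tracked approach (needs a pf with source tracking, OpenBSD 3.5):
# a single rule covers every source; pf keeps one node per source address
# and refuses new states from an address already holding max-src-states.
# max-src-states 1 mirrors the posted "max 1"; max-src-nodes bounds how many
# source entries the rule may hold in memory (1000 is an assumed value).
pass in on $ext_if proto tcp from any to any port 80 \
    flags S/SA keep state (source-track rule, max-src-states 1, max-src-nodes 1000) \
    queue (q_lo, q_hi)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; once it is active, `pfctl -s Sources` lists the tracked source addresses with their current state counts, which is the quickest way to confirm the limit is being enforced per address rather than per rule.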