[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

source tracking radix entries

I'm running 3.5 -stable with dynamic entries in radix tables, and I want to do source tracking per IP. Is this possible? I have a 20-bit subnet behind pf and I've broken authenticated IPs into 8 23-bit radix tables.

(I am not running NAT, but I will use anonymous IP's for my example):

<ruleset snippet>

00:# tables named for 3rd octet
01: table <auth_0> persist
08: table <auth_14> persist
09: 10: pass in quick on $int_if proto { icmp, tcp, udp } from $auth to any \
flags S/SA keep state

</end of snippet>

My script adds authenticated users to the appropriate table by computing $which = (( octet_3 & 254 )), then executing pfctl -t $which -T add $ip

How do I modify line 10 from the snippet above to cause source-tracking to curb individual IPs? When I played with the example in pf.conf(5), adding

(max 1000, source-track rule, max-src-states 1000)

to line 10 seemed to modify the rule for the entire radix table, instead of getting at the individual IPs within the table. My goal is to limit each IP to some reasonable amount of state. Any suggestions to what a reasonable number of states per IP should be?

   thanks for your time,