
Re: Throttle connections from CIDR block?



On Wed, Aug 17, 2005 at 03:52:54AM -0500, Kevin wrote:
> How well can pf optimize a ~10 million line policy?
Assuming you want that many individual rules so each one can have a
dedicated state limit counter, there's nothing to optimize, the kernel
would have to hold that many individual rules.
vmstat -m | grep pfrulepl shows the size of one rule in kernel, 608
bytes on my machine. 608*10^7 bytes is about 5.7GB, "won't fit".
> Some applications include code to throttle the number of concurrent
> inbound connections from any CIDR block, this is a common request
> for SMTP listeners.
Sounds like a nice feature. If you volunteer to implement it, there will
probably be some technical questions regarding "from any CIDR block". For
instance, you might implement something like
  pass ... keep state (max-src-states 20 combine /24)
which partitions the entire address space into non-overlapping /24
blocks (so any possible address falls within exactly one of those
blocks), and enforces a maximum of 20 states for each such block.
A broader interpretation of "any /24 block" would involve overlapping
blocks, and some sliding window algorithms, which can easily become
expensive.
I.e. if you had
       -----|---------|---------|---------|-----
             10.1.1/24 10.1.2/24 10.1.3/24
                   15   10
                 |---------|
with 15 states from the "right" side of 10.1.1/24 (say, from source
10.1.1.253) and 10 states from the "left" side of 10.1.2/24 (say, from
source 10.1.2.2), would that be a violation, because all these 15+10=25
addresses are within one block of the size of a /24?
Daniel
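As an added illustration (not code from the original thread, and not pf's own implementation), here is a Python model of the two interpretations contrasted above: the hypothetical `combine /24` partitioning into aligned, non-overlapping blocks versus the broader "any /24-sized window" check, run over the 15+10 scenario from the message. The function names and the `SAMPLE_STATES` list are constructed for this example.

```python
import ipaddress
from collections import Counter

# Constructed sample state table: 15 states from 10.1.1.253 and 10 from
# 10.1.2.2 (the scenario in the message), plus 3 from a third block.
SAMPLE_STATES = ["10.1.1.253"] * 15 + ["10.1.2.2"] * 10 + ["10.1.3.7"] * 3


def partitioned_counts(src_ips, prefix=24):
    """Hypothetical 'combine /N' semantics: every source address falls in
    exactly one aligned /N block, so a hash lookup per state suffices."""
    counts = Counter()
    for ip in src_ips:
        block = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(block)] += 1
    return counts


def partitioned_violations(src_ips, max_states, prefix=24):
    """Blocks that exceed the per-block limit under the aligned scheme."""
    return {blk: n for blk, n in partitioned_counts(src_ips, prefix).items()
            if n > max_states}


def sliding_window_max(src_ips, prefix=24):
    """Broader interpretation: any run of 2**(32-prefix) consecutive
    addresses, aligned or not, counts as 'one block'. Needs the addresses
    sorted (O(n log n)) and a two-pointer sweep, rather than a hash lookup.
    Returns (start address of the densest window, state count in it)."""
    span = 2 ** (32 - prefix)
    addrs = sorted(int(ipaddress.ip_address(ip)) for ip in src_ips)
    best_start, best, lo = None, 0, 0
    for hi in range(len(addrs)):
        # Shrink the window from the left until it fits in `span` addresses.
        while addrs[hi] - addrs[lo] >= span:
            lo += 1
        if hi - lo + 1 > best:
            best, best_start = hi - lo + 1, addrs[lo]
    start = str(ipaddress.ip_address(best_start)) if best_start is not None else None
    return start, best


if __name__ == "__main__":
    print(partitioned_counts(SAMPLE_STATES))          # 15, 10 and 3 per block
    print(partitioned_violations(SAMPLE_STATES, 20))  # {} : no aligned block exceeds 20
    print(sliding_window_max(SAMPLE_STATES))          # ('10.1.1.253', 25) : the overlapping view
```

With a limit of 20, the aligned scheme sees 15 and 10 and passes both, while the sliding-window view finds 25 states inside one /24-sized span starting at 10.1.1.253.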