On Wed, Nov 06, 2002 at 08:11:04AM -0500, Jason Dixon wrote:

> Ok, I'll refine my question (after reviewing the tarball). Any chance
> that the related functionality provided by netfilter (--limit) will be
> built into PF in future releases? Obviously, this type of feature still
> has its limitations when your T1/E1/T3/E3 is being saturated by a
> thousand different source-addressed garbage streams, but it would be
> nice nonetheless.
If I understand it correctly, netfilter's --limit is used to limit the number of concurrent connections per source (or destination) address. This feature has been suggested and discussed before (on misc@, I think), and we weren't sure whether it belongs in the kernel itself. Keeping per-source/-destination statistics can be memory and CPU expensive, and there would be no real downside to doing it in a generic userland proxy. Except, maybe, for the fact that you lose the real source addresses for logging, which could be solved with embryonic states, but I didn't mention that now ;)

A generic userland proxy could do all sorts of nice things, like throttle connections and throughput, based on source/destination addresses and blocks of addresses, etc.

Daniel
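The per-source accounting the reply describes, as an added example that is not part of this thread and is not PF or netfilter code. It is the bookkeeping a userland proxy would keep to refuse new connections once a source address (or, with a shorter prefix, a whole address block) has too many open at once; entries are dropped as soon as a source has nothing open, so the table is bounded by the number of live connections rather than by the number of addresses ever seen, which is the memory cost the reply worries about. The class name, the prefix-based aggregation policy, the event list and all addresses (RFC 5737 documentation ranges) are assumptions made for the example; only IPv4 is handled.

```python
"""Per-source concurrent-connection limiter (added example, not PF/netfilter code).

Models the accounting a userland proxy would keep to enforce "at most N open
connections per source address or block". Everything here is a constructed
illustration; the prefix-based grouping policy is an assumption.
"""
from collections import Counter
from ipaddress import ip_network


class PerSourceLimiter:
    """Count open connections per source key and refuse new ones over quota.

    State exists only for sources with at least one open connection, so the
    table size is bounded by the number of live connections (the memory/CPU
    concern raised in the thread), not by how many addresses have ever hit
    the proxy.
    """

    def __init__(self, max_per_source, prefix_len=32):
        self.max_per_source = max_per_source
        self.prefix_len = prefix_len  # 32 = per host; 24 = per /24 block (assumed policy)
        self.open = Counter()         # key -> number of currently open connections

    def _key(self, src):
        # Aggregate by block so a flood from many hosts in one netblock shares
        # one counter. IPv4 only in this example.
        return ip_network(f"{src}/{self.prefix_len}", strict=False)

    def connect(self, src):
        """Return True and account for the connection, or False to refuse it."""
        k = self._key(src)
        if self.open[k] >= self.max_per_source:   # Counter returns 0 for unknown keys
            return False
        self.open[k] += 1
        return True

    def disconnect(self, src):
        """Release one connection; drop the entry when the source goes idle."""
        k = self._key(src)
        if self.open[k] > 0:
            self.open[k] -= 1
            if self.open[k] == 0:
                del self.open[k]   # keep the table from growing without bound

    def tracked_sources(self):
        """Number of sources currently holding state (memory in use)."""
        return len(self.open)


# Constructed sequence of connection events a proxy might observe.
CONSTRUCTED_EVENTS = [
    ("open", "192.0.2.1"),
    ("open", "192.0.2.1"),
    ("open", "192.0.2.1"),   # third concurrent connection from the same host
    ("close", "192.0.2.1"),
    ("open", "192.0.2.1"),   # allowed again after one closed
    ("open", "192.0.2.9"),   # unrelated host, gets its own counter
]


def replay(events, limiter):
    """Run (action, src) events through the limiter; return the decision per open."""
    decisions = []
    for action, src in events:
        if action == "open":
            decisions.append(limiter.connect(src))
        else:
            limiter.disconnect(src)
    return decisions


if __name__ == "__main__":
    lim = PerSourceLimiter(max_per_source=2)
    for (action, src), ok in zip(
        [e for e in CONSTRUCTED_EVENTS if e[0] == "open"], replay(CONSTRUCTED_EVENTS, lim)
    ):
        print(f"{src}: {'accept' if ok else 'refuse'}")
    print("sources holding state:", lim.tracked_sources())
```

Because the proxy itself opens the onward connection, the backend only ever logs the proxy's address; the real source is known only inside the limiter, which is the logging loss the reply points out. Grouping by block (prefix_len=24) trades precision for a smaller table when the scan comes from many hosts in one netblock.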