2002-03-10 15:41:04+0100, Jerome de Vivie <[EMAIL PROTECTED]> ->
> Gozem wrote:
> > 
> > I have been writing a new match "superlimit" which uses the existing limit
> > match as a base. In short, this new match limits based on pairs of
> > source/mask and dest/mask. 
> 
> Why not combine "-s source/mask" and "--limit"?
> 

Well, it stores one credit integer for each source/net <-> dest/net pair.
Meaning if you get attacked by one net, it will only limit packets from that
source net. You don't need to have one rule for each limit. This feature has
been requested by many for a long time now.

More on that when I post the patch.

> > Anyhow, I found a couple of strange things in the
> > existing limit:
> > 
> > 1. The lock is ONE global lock, used for all instances of limit. Why is it
> > so? Just a "bug"? It should be in the ipt_ratelimit struct and have one lock
> > for each instance of limit.
> 
> You're right.
> 

Great, finally right on something :-P

> > 
> > 2. The burst argument is, as far as I can see and understand the algorithm, a
> > multiplier for the normal --limit argument. Look at this example:
> 
> Yes, it's a multiplier. The doc needs updating.
> 
> 

Okay. I really like the idea of an absolute value better. Does anyone else have
arguments for or against it? We should of course not change the
semantics of --limit-burst now, but perhaps add one more option, --limit-kickin 
or --limit-absolutburst (give me a good name), which is the burst as an absolute 
value.

Meaning credits will be initiated with:
credits = absolut_burst;

And the absolut_burst is one of the following:
absolut_burst = --limit-absolutburst
absolut_burst = --limit * --limit-burst

> > 4. These are more features that I'm about to add:
> >  - An inverter so you can match inverted:
> >  iptables -A INPUT -m limit --limit ! 40/s -j DROP
> 
> Yes, the inverse flags don't work (and I used them in my example as if
> they worked!). I sent the enclosed patch a moment ago. They have not
> been integrated because they modify kernel headers and can cause
> incompatibility problems with previous versions. I have not yet had the
> time to correct them. You can pick up my patch, correct it and re-post it
> to the maintainers.
> 

Okay, I'll have a look at this and add my other features, patching the
existing limit rather than making a new one.

-- 
/Gozem A.K.A. Joakim Axelsson
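The credit algorithm and the per-pair idea discussed in the thread, as an added user-space model that is not Gozem's superlimit patch nor the kernel's ipt_limit code. It assumes credits are counted in microseconds of earned time, that a pair is keyed by (saddr & smask, daddr & dmask), that the rate is given in packets per second with --limit-burst as a multiplier of the per-packet cost (so the bucket holds `burst` packets' worth of credits), and that the inverter simply flips the result. The fixed-size linear-scan table, the mask and rate values, and the function names are illustrative choices for this example; a real in-kernel version would keep a spinlock per bucket instead of one global lock.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed credit scale for this model: one credit per microsecond. */
#define CREDITS_PER_SEC 1000000u
#define MAX_PAIRS 64

struct pair_bucket {
    uint32_t snet, dnet;   /* saddr & smask, daddr & dmask */
    uint32_t credit;       /* credits currently in the bucket */
    uint32_t prev;         /* time of last refill, microseconds */
    int used;
    /* an in-kernel version would carry its own spinlock here */
};

struct superlimit {
    uint32_t smask, dmask; /* masks that define the source/dest pair */
    uint32_t rate_pps;     /* --limit, packets per second (must be > 0) */
    uint32_t burst;        /* --limit-burst, a multiplier of the cost */
    int invert;            /* "--limit ! rate": match when over the rate */
    struct pair_bucket tab[MAX_PAIRS];
};

/* Credits one packet costs; the bucket cap is burst times that. */
static uint32_t sl_cost(const struct superlimit *l) { return CREDITS_PER_SEC / l->rate_pps; }
static uint32_t sl_cap(const struct superlimit *l)  { return sl_cost(l) * l->burst; }

static void sl_init(struct superlimit *l, uint32_t smask, uint32_t dmask,
                    uint32_t rate_pps, uint32_t burst, int invert)
{
    memset(l, 0, sizeof *l);
    l->smask = smask;   l->dmask = dmask;
    l->rate_pps = rate_pps; l->burst = burst; l->invert = invert;
}

/* Find the bucket for this pair, allocating a full one on first sight. */
static struct pair_bucket *sl_lookup(struct superlimit *l, uint32_t saddr,
                                     uint32_t daddr, uint32_t now)
{
    uint32_t snet = saddr & l->smask, dnet = daddr & l->dmask;
    struct pair_bucket *b;
    for (b = l->tab; b < l->tab + MAX_PAIRS; b++)
        if (b->used && b->snet == snet && b->dnet == dnet)
            return b;
    for (b = l->tab; b < l->tab + MAX_PAIRS; b++) {
        if (!b->used) {
            b->used = 1; b->snet = snet; b->dnet = dnet;
            b->credit = sl_cap(l);  /* a new pair starts with a full burst */
            b->prev = now;
            return b;
        }
    }
    return NULL;                    /* table full: treated as over the limit */
}

/* Returns 1 if the packet matches the rule (within the rate, or over it
 * when inverted), 0 otherwise. Only the packet's own pair is charged. */
static int sl_match(struct superlimit *l, uint32_t saddr, uint32_t daddr, uint32_t now)
{
    struct pair_bucket *b = sl_lookup(l, saddr, daddr, now);
    int within = 0;
    if (b) {
        uint32_t cap = sl_cap(l), cost = sl_cost(l);
        uint32_t earned = now - b->prev;            /* time since last refill */
        b->credit = (earned > cap - b->credit) ? cap : b->credit + earned;
        b->prev = now;
        if (b->credit >= cost) {                    /* enough credit: spend it */
            b->credit -= cost;
            within = 1;
        }
    }
    return within ^ l->invert;
}

/* How many of n back-to-back packets at time `now` match the rule. */
static int sl_count(struct superlimit *l, uint32_t saddr, uint32_t daddr,
                    uint32_t now, int n)
{
    int i, hits = 0;
    for (i = 0; i < n; i++)
        hits += sl_match(l, saddr, daddr, now);
    return hits;
}

int main(void)
{
    struct superlimit l;
    uint32_t a = 0x0a000001u, b = 0x0a000101u, dst = 0xc0a80001u; /* constructed */
    sl_init(&l, 0xffffff00u, 0u, 40, 5, 0);   /* /24 source nets, 40/s, burst 5 */
    printf("net A, 8 packets at t=0:   %d match\n", sl_count(&l, a, dst, 0, 8));
    printf("net B, 8 packets at t=0:   %d match (own bucket)\n", sl_count(&l, b, dst, 0, 8));
    printf("net A, 1 packet 25ms later: %d match\n", sl_match(&l, a, dst, 25000));
    printf("net A, 8 packets 1s later:  %d match\n", sl_count(&l, a, dst, 1025000, 8));
    return 0;
}
```

With 40/s and burst 5 each packet costs 25000 credits and the cap is 125000, so a fresh pair passes five packets, then one more every 25 ms; a second source net is unaffected by the first being over its limit, which is the point of keying the bucket on the pair rather than the rule.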
