Joakim Axelsson wrote:
> > Why not combine "-s source/mask" and "--limit"?
>
> Well it stores one credit-integer for each source/net <-> dest/net pair.
> Meaning if you get attacked by one net it will only limit packets from that
> source net. You don't need to have one rule for each limit. This feature has
> been requested by many for a long time now.

Ok, I understand. The problem with iptables is that it lacks higher-level logic: we are not able to combine multiple ACTIONs like LOG and DROP, or to do things like: if match AND over LIMIT -> JUMP1 else JUMP2. To overcome this, it's possible to "pair" modules together like you do.

> > Yes, it's a multiplier. The doc needs an update.
>
> Okie. I really like the idea of an absolute value better. Anyone else has
> some arguments for this or against it? We should of course not change the
> semantics of --limit-burst now but perhaps add one more option --limit-kickin
> or --limit-absolutburst (give me a good name) which is the burst in absolute
> value.

One for: you don't depend anymore on another parameter, so it's more flexible. One against: the burst limit should be higher than the average. This last argument could be removed by checking at initialization.

kind regards,
j.
--
Jérôme de Vivie
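The semantics argued over in this exchange, as an added model that is not netfilter or iptables code and not part of the thread: a token bucket kept per (source net, destination net) pair, so that one attacking net exhausts only its own credit, with the burst interpreted either as a multiplier of the average (the current behaviour described above) or as an absolute packet count (the proposed option), and the "burst must be at least the average" check done once at rule creation. Class and function names, the packets-per-second units, the float timestamps and the sample packet list are all constructed for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class PairLimit:
    """Rate limit with one token bucket per (source net, dest net) pair.

    Models the thread's description, not the kernel's ipt_limit credit code:
    a bucket holds `capacity` packets, refills at `avg` packets per second,
    and a packet matches while its pair's bucket still has a whole packet of credit.
    """
    src_prefix: int                 # prefix length that groups sources (the -s mask)
    dst_prefix: int                 # prefix length that groups destinations
    avg: float                      # average rate, packets per second (--limit)
    burst: float                    # --limit-burst value
    absolute_burst: bool = False    # False: burst * avg (multiplier); True: burst packets
    buckets: dict = field(default_factory=dict)
    capacity: float = field(init=False)

    def __post_init__(self):
        self.capacity = float(self.burst) if self.absolute_burst else self.burst * self.avg
        # The "against" argument: with an absolute burst the user can set it below the
        # average, so refuse such a rule at initialization instead of silently limiting.
        if self.capacity < self.avg:
            raise ValueError("burst of %g packets is below the average rate of %g/s"
                             % (self.capacity, self.avg))

    def _key(self, src, dst):
        return (ip_network("%s/%d" % (src, self.src_prefix), strict=False),
                ip_network("%s/%d" % (dst, self.dst_prefix), strict=False))

    def match(self, src, dst, now):
        """True if the packet is within the limit for its pair (the rule matches)."""
        key = self._key(src, dst)
        tokens, last = self.buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.avg)   # refill since last packet
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


def run(rule, packets):
    """Feed (time, src, dst) tuples through a rule; return MATCH/OVER per packet."""
    return ["MATCH" if rule.match(src, dst, t) else "OVER" for t, src, dst in packets]


# Constructed traffic: 10.0.0.5 floods 192.0.2.1 at t=0, a host in another /24 sends
# one packet at the same instant, then the flooder sends three more one second later.
SAMPLE = ([(0.0, "10.0.0.5", "192.0.2.1")] * 7
          + [(0.0, "10.0.1.9", "192.0.2.1")]
          + [(1.0, "10.0.0.5", "192.0.2.1")] * 3)


def demo():
    """Run the sample under multiplier semantics and report both burst interpretations."""
    multiplier = PairLimit(src_prefix=24, dst_prefix=32, avg=2.0, burst=3)   # 3 * 2/s = 6 packets
    absolute = PairLimit(src_prefix=24, dst_prefix=32, avg=2.0, burst=4, absolute_burst=True)
    try:
        PairLimit(src_prefix=24, dst_prefix=32, avg=2.0, burst=1, absolute_burst=True)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "multiplier_capacity": multiplier.capacity,
        "absolute_capacity": absolute.capacity,
        "rejected_below_avg": rejected,
        "results": run(multiplier, SAMPLE),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In the sample the flooding /24 gets its six-packet burst, is then over the limit, and has earned exactly two more packets of credit one second later, while the host in 10.0.1.0/24 is untouched because it has its own bucket. `match` plays the part of the limit match in a rule; the LOG/DROP pairing the reply mentions is two consecutive rules, one that logs while `match` is true and one that drops unconditionally after it.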