The 'FUP' thread[1] had me thinking a bit about the problem the original
poster presented, and what I ended up with was ideas for two possibly
desirable PF features.

Fine grained bandwidth control via HFSC queues was suggested.  I'm
sure HFSC is a fine algorithm, but I am almost sure it is wrong for
what the OP in that thread wanted.  HFSC is a very complicated beast,
and while I think I understand it in general terms, I'm not at all
sure I would be able to predict the results in all cases, or for that
matter explain what happens under a HFSC regime to a user.

I think what the OP was after and what might possibly be a useful
addition to PF's feature set is a variant of overload rules, based on
bandwidth consumed or amount of data transferred.  I imagine a rule
like

 pass from $localnet to any port www queue www \
      (max-transfer 4MB/2s overload <doghouse> flush global)

assuming for the sake of argument that other parts of the config
contain the necessary queue declarations and a different pass rule
which occasionally lets traffic from the <doghouse> inhabitants
through on a tiny portion of available pipe.

It would take actually tracking the number of bytes transferred per IP
address or connection, and I have only the haziest idea of how much
heavy lifting and pain in general would come out of actually trying to
implement something like this.  However if one or more of the relevant
developers think it's a good idea, something like this might magically
appear in an upcoming release, if not necessarily 4.1.

The OTHER feature I thought of, since we're dealing with tables, is to
have a way to declare tables with an expire time for their entries.  We
have expiretable for that, but I for one would find it convenient to
be able to declare a table such as

 table <bruteforce> persist expire 24h

meaning that table entries are removed when they have not been
referenced during the last 24 hours.

Oh well, it's late already.  But it would be nice to hear any thoughts
on this, including "shoot this down, quick!"

[1] http://marc.theaimsgroup.com/?l=openbsd-pf&m=116808871830284&w=2

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
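As an added illustration, not code from the message above or from pf itself, here is a small Python model of the two semantics proposed in it: per-source byte accounting over a sliding window that drops a source into a table on overload (the "max-transfer 4MB/2s overload <doghouse>" idea), and a table whose entries lapse once they have gone unreferenced for the expire time. Byte counts, the 2 s window, the 24h ttl and the 192.0.2.x addresses are constructed sample values; killing existing states ("flush global") is not modelled.

```python
from collections import defaultdict, deque

MB, DAY = 1 << 20, 24 * 60 * 60


class ExpiringTable:
    """pf-style table whose entries lapse after `ttl` s without a reference ('persist expire 24h')."""
    def __init__(self, ttl):
        self.ttl, self.last_ref = ttl, {}   # addr -> last time it was added or matched
    def add(self, addr, now):
        self.last_ref[addr] = now
    def contains(self, addr, now):
        # Drop stale entries first; a successful match counts as a fresh reference.
        for a, t in list(self.last_ref.items()):
            if now - t > self.ttl:
                del self.last_ref[a]
        if addr not in self.last_ref:
            return False
        self.last_ref[addr] = now
        return True


class TransferOverload:
    """'max-transfer LIMIT/WINDOW overload <table>': per-source byte budget over a sliding window."""
    def __init__(self, limit, window, table):
        self.limit, self.window, self.table = limit, window, table
        self.recent = defaultdict(deque)    # addr -> deque of (time, bytes)
    def account(self, addr, nbytes, now):
        q = self.recent[addr]
        q.append((now, nbytes))
        while q and now - q[0][0] > self.window:   # forget bytes outside the window
            q.popleft()
        if sum(n for _, n in q) <= self.limit:
            return False
        self.table.add(addr, now)   # overload: the source goes into the doghouse
        q.clear()                   # and starts over with an empty budget
        return True


def simulate():
    """Constructed trace: .10 bursts 5 MB within 2 s, .20 spreads 6 MB over 3 s."""
    doghouse = ExpiringTable(ttl=DAY)
    rule = TransferOverload(limit=4 * MB, window=2, table=doghouse)
    trace = [("192.0.2.10", 3 * MB, 0), ("192.0.2.20", 3 * MB, 0),
             ("192.0.2.10", 2 * MB, 1), ("192.0.2.20", 3 * MB, 3)]
    hits = [rule.account(a, n, t) for a, n, t in trace]
    return {"overloaded": hits,
            "burster_at_t3": doghouse.contains("192.0.2.10", 3),
            "spreader_at_t3": doghouse.contains("192.0.2.20", 3),
            "burster_next_day": doghouse.contains("192.0.2.10", 3 + DAY + 1)}
```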