Christian Rößner:
> > Am 13.09.2016 um 18:09 schrieb Wietse Venema <[email protected]>:
> >
> > Christian Rößner:
> >> Is there some chance that postscreen could be extended to also have
> >> "defer"?
> >
> > That is a good question, but you might want to ask that in a thread
> > that isn't about socketmaps.
>
> You are totally right. I created a new thread for this.
>
> The idea is to give postscreen a "defer" option. At connect time,
> dynamic services can work with the IP address of a connecting
> client. In some cases, this can result in whitelisting, blacklisting
> or no decision. But a fourth decision: "defer" might be interesting
> in cases, where the risk of a false-positive decision is too big.
>
> Having this in postscreen reduces load on external DNS queries,
> if you also use dnsblog.
Unlike DNS lookups, the access map lookup is a blocking operation,
and if your tcp map takes 80ms to complete (a typical trans-atlantic
query), then you can handle only 12 connections per second, and
make postscreen the largest performance bottleneck on the system.
Wietse