[LEDE-DEV] firewall: flood protection feature
Alin Năstac
alin.nastac at gmail.com
Fri May 19 22:38:24 PDT 2017
Hi Jo,
I need to add a flood protection feature to the firewall.
The ratelimit section parameters would be: proto, src_port, dest_port,
family, global_limit, global_burst, per_srcip_limit, per_srcip_burst,
per_srcip_mask, per_srcip_buckets. These rules will have effect on a
raw table user chain called ratelimits, linked with PREROUTING chain
and populated with rules such as these:
iptables -t raw -A ratelimits -p ... -m hashlimit --hashlimit-mode srcip \
    --hashlimit-name <name derived from section name> \
    --hashlimit-above <per_srcip_limit>/second \
    --hashlimit-burst <per_srcip_burst> \
    --hashlimit-htable-size <per_srcip_buckets> -j DROP

iptables -t raw -A ratelimits -p ... -m limit \
    --limit <global_limit>/second --limit-burst <global_burst> -j RETURN

iptables -t raw -A ratelimits -p ... -j DROP
Would you be interested in such a feature? If the answer is yes I will
prepare a firewall patch, otherwise I will have to implement it in the
form of a firewall script.
Cheers,
Alin
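As an added illustration of the "firewall script" form of this proposal (example code written for this page, not code from the mail or from the LEDE firewall package), the script below turns one ratelimit section into the three raw-table rules sketched in the mail. It prints the commands instead of running them so they can be reviewed first; the mapping of family "ipv6" to ip6tables, src_port/dest_port to --sport/--dport, per_srcip_mask to --hashlimit-srcmask, and the hashlimit name "rl_<section>" are assumptions, since the mail does not spell them out.

```shell
#!/bin/sh
# Example firewall script: emit the raw-table rules for one ratelimit
# section in the shape sketched in the mail. Commands are printed, not
# executed, so the output can be reviewed and then piped to sh on the box.
# Assumptions not stated in the mail: family "ipv6" selects ip6tables,
# src_port/dest_port become --sport/--dport, per_srcip_mask becomes
# --hashlimit-srcmask, and the hashlimit name is "rl_<section>".

# One-time setup: create the user chain and hook it into PREROUTING.
ratelimit_chain_setup() {
    ipt=$1                       # iptables or ip6tables
    printf '%s -t raw -N ratelimits\n' "$ipt"
    printf '%s -t raw -I PREROUTING -j ratelimits\n' "$ipt"
}

# Usage: ratelimit_rules section proto src_port dest_port family \
#          global_limit global_burst per_srcip_limit per_srcip_burst \
#          per_srcip_mask per_srcip_buckets      (empty port = any port)
ratelimit_rules() {
    section=$1 proto=$2 src_port=$3 dest_port=$4 family=$5
    global_limit=$6 global_burst=$7 per_srcip_limit=$8 per_srcip_burst=$9
    per_srcip_mask=${10} per_srcip_buckets=${11}

    if [ "$family" = ipv6 ]; then ipt=ip6tables; else ipt=iptables; fi

    match="-p $proto"
    if [ -n "$src_port" ];  then match="$match --sport $src_port"; fi
    if [ -n "$dest_port" ]; then match="$match --dport $dest_port"; fi

    srcmask=""
    if [ -n "$per_srcip_mask" ]; then srcmask=" --hashlimit-srcmask $per_srcip_mask"; fi

    # 1. Drop sources exceeding their own rate: hashlimit keeps one token
    #    bucket per source (after masking), bounded by the htable size.
    printf '%s -t raw -A ratelimits %s -m hashlimit --hashlimit-mode srcip --hashlimit-name rl_%s --hashlimit-above %s/second --hashlimit-burst %s%s --hashlimit-htable-size %s -j DROP\n' \
        "$ipt" "$match" "$section" "$per_srcip_limit" "$per_srcip_burst" "$srcmask" "$per_srcip_buckets"
    # 2. Traffic within the global rate leaves the chain and continues.
    printf '%s -t raw -A ratelimits %s -m limit --limit %s/second --limit-burst %s -j RETURN\n' \
        "$ipt" "$match" "$global_limit" "$global_burst"
    # 3. Everything over the global rate is dropped.
    printf '%s -t raw -A ratelimits %s -j DROP\n' "$ipt" "$match"
}

# Constructed sample section: limit SSH packets per source and globally.
ratelimit_chain_setup iptables
ratelimit_rules ssh_flood tcp "" 22 ipv4 100 50 5 10 32 1024
```

Each section appends to the same ratelimits chain, so the setup function runs once per address family and ratelimit_rules once per section.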