[LEDE-DEV] firewall: flood protection feature
Alin Năstac
alin.nastac at gmail.com
Mon May 22 00:29:51 PDT 2017
Hi Jo,
On Mon, May 22, 2017 at 9:17 AM, Jo-Philipp Wich <jo at mein.io> wrote:
> wouldn't it be simpler to introduce hashlimit support for ordinary rules
> instead?
>
> Is there a particular reason for a separate chain and a separate section
> type?
The goal is to protect against a denial of service. The device I'm
working with can handle a limited number of packets per second when
hardware acceleration forwarding is not used and flooding it with
packets can cut off access to device services running on top of IP
host (e.g. dropbear).
You can't do it in ordinary rules because their parameters have impact
only on the initial packet of the conntrack as they're added after "-m
conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" rule.
More information about the Lede-dev
mailing list