Re: linux-next netfilter: xt_recent: Add an entry reaper

On Sunday 2010-02-28 19:23, Tim Gardner wrote:
>
>Let me explain one of my use cases. One of the companies that I work for
>is an ISP. Our primary bridge/firewall uses iptables as a first line of
>defense. One of the methods to detect attackers is by using a port scan
>detection filter (PSD), which is a bit memory and CPU intensive. Once
>PSD identifies an attacker, then that source IP is added to a 'recent'
>filter instance with an X second timeout, and the PSD entry flushes
>after some timeout. 'recent' continues to block _all_ traffic from that
>source IP until it stops sending packets for at least X seconds, at
>which time I would like 'recent' to release the entry.
>
>As for your fast path comment, how about scaling the frequency with
>which the reaper is run using a module parameter? See attached patch.

That won't work as I posted earlier today
( http://marc.info/?l=netfilter&m=126735427707917&w=2 )
and the patch pretty much breaks xt_recent by purging entries
too early.
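To make the objection concrete, here is a small Python model of the xt_recent match semantics the two messages argue about. It is an added example for this archive page, not code from the kernel or from either poster, and it simplifies net/netfilter/xt_recent.c: timestamps are plain seconds instead of jiffies, there is no LRU eviction of whole entries (ip_list_tot), and the `reap()` method is a hypothetical table-wide reaper of the kind the thread discusses, not something the module has. The addresses and timings are constructed. The first scenario is the quoted ISP setup (PSD verdict does `--set`, a later rule does `--update --seconds X`); the second shows one way a reaper with a single table-wide timeout purges an entry too early, because `--seconds` belongs to each rule, not to the table, so a second rule reading the same table with a longer window or a `--hitcount` loses the stamps it needs.

```python
"""Toy model of xt_recent (added example; not the kernel module's code)."""
from collections import OrderedDict

PKT_LIST_TOT = 20  # same default as the module's ip_pkt_list_tot parameter


class RecentTable:
    """One 'recent' table: source address -> list of seen timestamps, oldest first."""

    def __init__(self):
        self.entries = OrderedDict()

    def _update(self, addr, now):
        stamps = self.entries.setdefault(addr, [])
        stamps.append(now)
        if len(stamps) > PKT_LIST_TOT:   # per-entry ring: forget the oldest stamp
            del stamps[0]

    def set(self, addr, now):
        """-m recent --set: create the entry, or add a fresh stamp to it."""
        self._update(addr, now)

    def check(self, addr, now, seconds=0, hitcount=1, update=False):
        """-m recent --rcheck (or --update when update=True).

        Matches if the address is present and at least `hitcount` stamps fall
        within the last `seconds` seconds (seconds=0: any stamp counts).
        With --update a match also records `now` as a new stamp.
        """
        stamps = self.entries.get(addr)
        if stamps is None:
            return False
        hits = 0
        matched = False
        for stamp in stamps:
            if seconds and now - stamp > seconds:
                continue                      # stamp is outside the window
            hits += 1
            if hits >= hitcount or not seconds:
                matched = True
                break
        if matched and update:
            self._update(addr, now)
        return matched

    def remove(self, addr):
        """-m recent --remove, or writing '-addr' to /proc/net/xt_recent/NAME."""
        self.entries.pop(addr, None)

    def reap(self, now, timeout):
        """Hypothetical table-wide reaper (NOT in xt_recent): drop entries whose
        newest stamp is older than `timeout`, regardless of which rules use them."""
        for addr in list(self.entries):
            if now - self.entries[addr][-1] > timeout:
                del self.entries[addr]


def isp_block_scenario(block_seconds=30):
    """The quoted ISP setup: PSD does --set; '--update --seconds X' then drops
    every packet while the source keeps sending and stops matching once the
    source has been silent for X seconds.  Returns
    (times at which packets were dropped, time at which traffic passed again,
     whether the entry is still in the table)."""
    table = RecentTable()
    scanner = "192.0.2.10"                    # constructed sample address
    table.set(scanner, 0)                     # PSD verdict -> --set
    dropped = [now for now in (5, 10, 15, 20)
               if table.check(scanner, now, seconds=block_seconds, update=True)]
    # last packet at t=20; at t=60 the source has been silent 40 s > 30 s
    passed_at = None if table.check(scanner, 60, seconds=block_seconds,
                                    update=True) else 60
    return dropped, passed_at, scanner in table.entries


def reaper_breaks_hitcount(reaper_timeout=30):
    """Two rules share one table: the 30 s block above, and a slower
    '--rcheck --seconds 3600 --hitcount 3'.  A reaper tuned to the first
    rule discards stamps the second rule still needs.
    Returns (second rule matches without reaper, ... with reaper)."""
    hits_at = (0, 100, 200)                   # three --set events, each >30 s apart
    results = []
    for use_reaper in (False, True):
        table = RecentTable()
        addr = "198.51.100.7"                 # constructed sample address
        for now in hits_at:
            if use_reaper:
                table.reap(now, reaper_timeout)   # periodic reaper fires first
            table.set(addr, now)
        results.append(table.check(addr, 200, seconds=3600, hitcount=3))
    return tuple(results)


if __name__ == "__main__":
    print("ISP block:", isp_block_scenario())          # ([5, 10, 15, 20], 60, True)
    print("hitcount rule (no reaper, reaper):", reaper_breaks_hitcount())  # (True, False)
```

Read against the real module: in the first scenario the entry never leaves the table (it is only evicted when the table fills to ip_list_tot, or removed through the /proc file), but it also stops matching on its own once the source has been quiet for `--seconds`, which is the blocking behaviour the quoted message asks for. In the second scenario the reaper has no way to know that another rule still wants the old stamps, which is the "purging entries too early" failure in miniature. The iptables rules this models would be, as an assumption about the quoted setup, `-m recent --name PSD --set` on the chain where PSD fires and `-m recent --name PSD --update --seconds X -j DROP` near the top of the forwarding path.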
