So this rule:
# Match client traffic arriving on eth0 for port 80 that exceeds 100 packets/s
# (one hashlimit bucket for the port) and redirect it to the notify page's port.
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 \
    -m hashlimit --hashlimit-above 100/second --hashlimit-burst 100 \
    --hashlimit-mode dstport --hashlimit-name ratelimit80 \
    -j REDIRECT --to-ports $AbuseServerTriggerAndNotifyPage
Should do the trick..
But as Amos wrote somewhere, if my memory is right about it..
The application level has some benefits..
While external_acl_type is very tempting, an eCAP would be the better
choice for performance reasons.
ICAP has the upper hand while allowing concurrency by default.
So external_acl_type is nice and helps a lot but it would add some over
blocking... if I remember right.
I have tried to read the eCAP docs in the past to make something like
the mentioned option available, but there is a place for more eCAP
examples for specific tasks to make more people use it.
Who is the expert on eCAP?
Thanks!
Eliezer
On 10/10/2013 12:38 AM, Alex Rousskov wrote:
>> How hard would it be to add a Forward proxy the option to send an error
>> page to a runtime syn\accept\other limit?
> If client usage information is available somewhere, then one can use an
> external_acl_type or eCAP/ICAP to block or redirect that client. No new
> options are needed.
> Cheers,
> Alex.
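As an added example (not code from either poster or from the Squid project), here is a minimal Squid external_acl_type helper in Python that does the per-client check Alex describes: it counts requests per source address over a sliding window and answers OK for clients over the limit, so an acl built on it matches exactly the clients to deny or send to a notify page. It also handles the channel-ID prefix that Squid's concurrency= option adds, which is the concurrency point raised above for external_acl_type. The squid.conf lines, helper path, limits and notify URL in the comments are assumptions.

```python
#!/usr/bin/env python3
# Added example: per-client rate-limit helper for Squid's external_acl_type.
# Assumed squid.conf (helper path, limits and notify URL are placeholders):
#   external_acl_type ratelimit ttl=1 negative_ttl=1 concurrency=16 \
#       %SRC /usr/local/bin/ratelimit_helper.py
#   acl too_fast external ratelimit
#   deny_info http://abuse.example.invalid/notify too_fast
#   http_access deny too_fast
# The helper answers OK when the client is OVER the limit, so the acl matches
# exactly the clients Squid should deny (and deny_info redirects them).
import sys
import time
from collections import defaultdict, deque

LIMIT = 100           # requests allowed per client ...
WINDOW_SECONDS = 1.0  # ... per sliding window


class ClientRateLimiter:
    """Sliding-window request counter keyed by client address."""

    def __init__(self, limit=LIMIT, window_seconds=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock             # injectable for deterministic testing
        self.hits = defaultdict(deque)  # client -> timestamps inside the window

    def over_limit(self, client):
        """Record one request for client; return True if it exceeds the limit."""
        now = self.clock()
        q = self.hits[client]
        cutoff = now - self.window
        while q and q[0] <= cutoff:    # drop timestamps that left the window
            q.popleft()
        q.append(now)
        return len(q) > self.limit


def handle_line(limiter, line):
    """Turn one request line from Squid into the reply line.

    Without concurrency= the line is just "%SRC".  With concurrency=N Squid
    prefixes a numeric channel ID that must be echoed back so it can match
    replies to outstanding requests that complete out of order.
    """
    parts = line.strip().split()
    if not parts:
        return None
    if len(parts) >= 2 and parts[0].isdigit():
        prefix, client = parts[0] + " ", parts[1]
    else:
        prefix, client = "", parts[0]
    verdict = "OK" if limiter.over_limit(client) else "ERR"
    return prefix + verdict


def main():
    limiter = ClientRateLimiter()
    for line in sys.stdin:
        reply = handle_line(limiter, line)
        if reply is not None:
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()         # Squid blocks on each reply; never buffer


if __name__ == "__main__":
    main()
```

Two caveats for real use: with ttl=1 Squid caches each verdict for a second and does not ask the helper for every request, so the count is an approximation of the client's true rate, and the per-client deque grows with the number of distinct clients, so a production helper should expire idle clients or cap the table.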