Eric Dumazet wrote: > Le dimanche 28 février 2010 à 11:23 -0700, Tim Gardner a écrit : >> I realize there are manual methods for removing entries, but I argue >> that manual methods are insufficient in a dynamic environment. >> >> Let me explain one of my use cases. One of the companies that I work for >> is an ISP. Our primary bridge/firewall uses iptables as a first line of >> defense. One of the methods to detect attackers is by using a port scan >> detection filter (PSD), which is a bit memory and CPU intensive. Once >> PSD identifies an attacker, then that source IP is added to a 'recent' >> filter instance with an X second timeout, and the PSD entry flushes >> after some timeout. 'recent' continues to block _all_ traffic from that >> source IP until it stops sending packets for at least X seconds, at >> which time I would like 'recent' to release the entry. >> >> Here is a rule snippet that implements this behavior: >> >> IRAW="iptables -t raw" >> $IRAW -N DROPIP >> $IRAW -A PREROUTING -m recent --name psd --update --seconds 3600 -j DROP >> $IRAW -A PREROUTING -m psd --update --seconds 600 -J DROPIP >> $IRAW -A DROPIP -m recent --name psd --set -j DROP >> >> As long as '-m recent --name psd --update --seconds 3600' drops entries >> older then 3600 seconds, then nothing external is required to recover >> those entries. >> >> As for your fast path comment, how about scaling the frequency with >> which the reaper is run using a module parameter ? See attached patch. >> >> rtg > > OK but as pointed by Jan Engelhardt, same table can be used with > different matches and different delays, so your patch is not good. You > should add a parameter (--reap or some flag) to iptables rule to ask for > this reap, and not let it happen in general case. > > iptables -A ... -m recent --name foo --seconds 60 -j DOTHAT > iptables -A ... -m recent --name foo --seconds 3600 --reap -j ELSE > > Also, I am convinced your reap pointer is not good, because it can point > to an entry that is renewed once per second for example, and reaper will > be frozen. > > You should use lru_list.next only, because this one is guaranted to > point to the oldest entry in table > > You are right about the reaper pointer. I'd forgotten that the LRU list was already sorted oldest to newest. Doh! I've cleaned that up some. This version adds the '--reap' flag and only looks at the head of the LRU list once per ip_reaper_freq packets. I also added a check that makes sure --rttl and --reap modify only the --rcheck and --update options. rtg -- Tim Gardner timg@tpi.com www.tpi.com OR 503-601-0234 x102 MT 406-443-5357