
Ratelimit connections per second

Open OpenSource03 opened this issue 4 years ago • 3 comments

Hello!

Would it be possible to add a feature to rate-limit connections per second per IP address?

OpenSource03, Nov 17 '21 10:11

Hey!

There are currently PPS (packets per second) and BPS (bytes per second) options you can use within a filter rule. When a source IP exceeds the limits set within the filter rule, the packet will be dropped and if the block time is above 0, it will continue to drop all packets from that source IP for x seconds (the block time set).

If you're referring to TCP connections, the firewall is completely stateless at the moment and implementing TCP connections support would take time in XDP since you'd have to keep track of the TCP state of each connection in a separate BPF map (I have done it before, but that was for a private project). I may do it in the future, but I'm not sure yet.

I hope the above helps!

gamemann, Nov 19 '21 18:11
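The per-source-IP PPS/BPS policing with a block time that gamemann describes above, as an added example in plain C (not XDP-Firewall's own code): the BPF map the firewall would key by source IP is stood in for by a small in-memory table so it runs in user space, and the function names, struct layout and one-second fixed window are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define XDP_PASS 2            /* same values as the kernel's enum xdp_action */
#define XDP_DROP 1
#define NSEC_PER_SEC 1000000000ULL
#define TABLE_SIZE 64

/* Per-source-IP state; in XDP this would be the value of a BPF hash map. */
struct ip_stats {
    uint32_t ip;            /* source IPv4 (host order); 0 marks an empty slot */
    uint64_t window;        /* start (ns) of the current one-second window */
    uint64_t pps;           /* packets counted in this window */
    uint64_t bps;           /* bytes counted in this window */
    uint64_t blocked_until; /* ns timestamp; 0 = not blocked */
};

static struct ip_stats table[TABLE_SIZE]; /* stand-in for the BPF map */

static struct ip_stats *lookup_or_insert(uint32_t ip) {
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {
        struct ip_stats *s = &table[(ip + i) % TABLE_SIZE]; /* linear probing */
        if (s->ip == ip) return s;
        if (s->ip == 0) { memset(s, 0, sizeof *s); s->ip = ip; return s; }
    }
    return NULL; /* table full: fail open, as a map update failure would */
}

/* Decide one packet. A limit of 0 disables that check; block_time_ns of 0
 * means only the over-limit packets of the current window are dropped. */
int ratelimit_decide(uint32_t src_ip, uint64_t now_ns, uint32_t pkt_len,
                     uint64_t pps_limit, uint64_t bps_limit, uint64_t block_time_ns) {
    struct ip_stats *s = lookup_or_insert(src_ip);
    if (!s) return XDP_PASS;
    if (s->blocked_until && now_ns < s->blocked_until) return XDP_DROP; /* still blocked */
    if (now_ns - s->window >= NSEC_PER_SEC) { /* new window: reset counters */
        s->window = now_ns; s->pps = 0; s->bps = 0;
    }
    s->pps++;
    s->bps += pkt_len;
    if ((pps_limit && s->pps > pps_limit) || (bps_limit && s->bps > bps_limit)) {
        if (block_time_ns) s->blocked_until = now_ns + block_time_ns;
        return XDP_DROP;
    }
    return XDP_PASS;
}

void ratelimit_reset(void) { memset(table, 0, sizeof table); }
```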

Hi,

Thanks for your reply. I hope you'd be able to implement such an option and continue working on this amazing project. While it may not seem that popular at the moment, I indeed see great potential with it. There's no proper XDP-based firewall anywhere on the internet.

Regards

OpenSource03, Nov 20 '21 09:11

Ratelimit (or rather "police") ICMP, UDP or TCP SYN (+ other flags) per source IP would be a great improvement in itself. I guess there isn't any counting per src IP today?

pettai, Oct 25 '23 14:10