more DoS prevention: add packet_limit option to apply a hard limit to downstream packets per session

2005-01-10 07:17:37 +00:00 · 2005-01-10 07:17:37 +00:00 · 4d76778200
commit 4d76778200
parent ef828aaac5
7 changed files with 79 additions and 17 deletions
--- a/l2tpns.h
+++ b/l2tpns.h
@ -1,5 +1,5 @@
 // L2TPNS Global Stuff
-// $Id: l2tpns.h,v 1.51 2005-01-07 07:17:13 bodea Exp $
+// $Id: l2tpns.h,v 1.52 2005-01-10 07:17:37 bodea Exp $

 #ifndef __L2TPNS_H__
 #define __L2TPNS_H__
@ -228,8 +228,14 @@ sessiont;

 typedef struct
 {
+	// byte counters
 	uint32_t cin;
 	uint32_t cout;
+
+	// DoS prevention
+	clockt last_packet_out;
+	uint32_t packets_out;
+	uint32_t packets_dropped;
 } sessioncountt;

 #define	SESSIONPFC	1	// PFC negotiated flags
@ -333,6 +339,7 @@ struct Tstats
    uint32_t	tun_tx_bytes;
    uint32_t	tun_rx_errors;
    uint32_t	tun_tx_errors;
+    uint32_t	tun_rx_dropped;

    uint32_t	tunnel_rx_packets;
    uint32_t	tunnel_tx_packets;
@ -470,7 +477,8 @@ typedef struct
 	int		next_tbf;			// Next HTB id available to use
 	int		scheduler_fifo;			// If the system has multiple CPUs, use FIFO scheduling policy for this process.
 	int		lock_pages;			// Lock pages into memory.
-	int		icmp_rate;			// Max number of ICMP unreachable per second to send>
+	int		icmp_rate;			// Max number of ICMP unreachable per second to send
+	int		max_packets;			// DoS prevention: per session limit of packets/0.1s

 	in_addr_t	cluster_address;		// Multicast address of cluster.
 							// Send to this address to have everyone hear.