gamemann / XDP-Firewall

A firewall that utilizes the Linux kernel's XDP hook. The XDP hook allows for very fast network processing on Linux systems. This is great for dropping malicious traffic from a (D)DoS attack. IPv6 is supported with this firewall! I hope this helps network engineers/programmers interested in utilizing XDP!
https://deaconn.net/
MIT License
545 stars 92 forks

Ratelimit connections per second #8

Open OpenSource03 opened 2 years ago

OpenSource03 commented 2 years ago

Hello!

Would it be possible to add a feature to rate-limit connections per second per IP address?

gamemann commented 2 years ago

Hey!

There are currently PPS (packets per second) and BPS (bytes per second) options you can use within a filter rule. When a source IP exceeds the limits set within the filter rule, the packet will be dropped and if the block time is above 0, it will continue to drop all packets from that source IP for x seconds (the block time set).

If you're referring to TCP connections, the firewall is completely stateless at the moment and implementing TCP connections support would take time in XDP since you'd have to keep track of the TCP state of each connection in a separate BPF map (I have done it before, but that was for a private project). I may do it in the future, but I'm not sure yet.

I hope the above helps!
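The PPS/BPS and block-time behaviour gamemann describes above, shown as an added user-space C simulation. This is example code written for this thread, not the project's XDP program or any of its real BPF maps: the names `struct rule`, `struct fw_state`, `fw_check` and the fixed-size hash table standing in for a BPF map are all assumptions, and the traffic in `demo_drops_in_burst` is constructed. It tracks one counter window per source IP per second, drops packets once the per-second packet or byte limit is exceeded, and keeps dropping that source for `block_time` seconds when the block time is above 0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SRC 1024  /* assumed table size standing in for a BPF hash map */

/* Per-source counters, the role a BPF map entry plays in the real firewall. */
struct src_stats {
    uint32_t ip;             /* IPv4 source, 0 marks an unused slot (constructed) */
    uint64_t window;         /* the second these counters belong to */
    uint64_t pps;            /* packets seen from this source in the window */
    uint64_t bps;            /* bytes seen from this source in the window */
    uint64_t blocked_until;  /* drop everything until this second; 0 = not blocked */
};

/* Filter-rule limits as described in the thread; 0 means "no limit". */
struct rule {
    uint64_t pps_limit;
    uint64_t bps_limit;
    uint64_t block_time;     /* seconds to keep dropping after a breach; 0 = drop only the offending packet */
};

struct fw_state {
    struct src_stats table[MAX_SRC];
};

/* Open-addressing lookup; inserts a zeroed entry for a new source. */
static struct src_stats *lookup_or_insert(struct fw_state *fw, uint32_t ip)
{
    uint32_t start = (ip * 2654435761u) % MAX_SRC;
    for (uint32_t i = 0; i < MAX_SRC; i++) {
        struct src_stats *s = &fw->table[(start + i) % MAX_SRC];
        if (s->ip == ip)
            return s;
        if (s->ip == 0) {
            memset(s, 0, sizeof *s);
            s->ip = ip;
            return s;
        }
    }
    return NULL;  /* table full */
}

/* Returns true when the packet should be dropped. `now` is the current second. */
bool fw_check(struct fw_state *fw, const struct rule *r, uint32_t ip, uint32_t len, uint64_t now)
{
    struct src_stats *s = lookup_or_insert(fw, ip);
    if (!s)
        return false;  /* cannot track this source: pass it rather than drop blindly */

    /* Block time in effect: keep dropping regardless of current rate. */
    if (s->blocked_until && now < s->blocked_until)
        return true;

    /* New second: reset the per-second counters. */
    if (s->window != now) {
        s->window = now;
        s->pps = 0;
        s->bps = 0;
    }
    s->pps++;
    s->bps += len;

    bool over = (r->pps_limit && s->pps > r->pps_limit) ||
                (r->bps_limit && s->bps > r->bps_limit);
    if (over) {
        if (r->block_time)
            s->blocked_until = now + r->block_time;
        return true;
    }
    return false;
}

/* Constructed scenario: 10.0.0.1 sends 15 packets of 100 bytes inside second 10
 * against a rule of 10 pps with a 5 second block time. Returns the drop count. */
int demo_drops_in_burst(void)
{
    struct fw_state fw;
    memset(&fw, 0, sizeof fw);
    struct rule r = { .pps_limit = 10, .bps_limit = 0, .block_time = 5 };
    uint32_t ip = 0x0A000001u;  /* 10.0.0.1, constructed */
    int drops = 0;
    for (int i = 0; i < 15; i++)
        drops += fw_check(&fw, &r, ip, 100, 10);
    return drops;  /* 10 pass, 5 dropped */
}

int main(void)
{
    printf("dropped %d of 15 packets in the burst\n", demo_drops_in_burst());
    return 0;
}
```

The block check runs before the counters are touched, so a blocked source costs one map lookup per packet and never refreshes its own window; the byte limit is evaluated the same way as the packet limit, so a few large packets can trip a rule that a flood of small ones would not.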

OpenSource03 commented 2 years ago

Hi,

thanks for your reply. I hope you'd be able to implement such an option and continue working on this amazing project. While it may not seem that popular at the moment, I indeed see great potential with it. There's no proper XDP based firewall anywhere on the internet.

Regards

pettai commented 11 months ago

Ratelimit (or rather "police") ICMP, UDP or TCP SYN (+other flags) per Source IP would be a great improvement in itself, I guess there isn't any counting per src ip today?