[Swan-dev] attack_log()
Antony Antony
antony at phenome.org
Mon Feb 26 09:31:53 UTC 2018
On Sun, Feb 25, 2018 at 05:29:50PM -0500, Andrew Cagney wrote:
> I'm looking at code like this (and copying it, adding more cases):
>
> /* could this be a log line instead?
> too much log with scans */
> DBG(DBG_CONTROL,
> DBG_log("IKE SA initiator received a message with I(Initiator) flag set; dropping packet"));
>
> but wonder if a better solution would be to code up something like:
>
> attack_log(...)
static struct { time_t hour; int nr; } rate_limit_flag;
time_t current_hour = time(NULL) / 3600;	/* interval bucket */
if (rate_limit_flag.hour != current_hour) {
	/* new interval: reset the count so logging resumes */
	rate_limit_flag.hour = current_hour;
	rate_limit_flag.nr = 0;
}
if (++rate_limit_flag.nr > 1000) {
	/* over the per-hour threshold: debug-only, still carrying the count */
	DBG(DBG_MASK, DBG_log(..., rate_limit_flag.nr));
} else {
	libreswan_log(..., rate_limit_flag.nr);
}
> that is, start out logging these packets like all others but, when
> some completely arbitrary threshold is crossed, go silent unless debug
> logging is enabled.
>
> thoughts,
One thought is to log N times per interval, say per hour.
Also log the actual count, nr, as part of the log line.
Otherwise a long-running pluto will not log anything useful after the first 1000.
Also, if it only logs the first N entries, a better name is log_first_N.
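A self-contained sketch of the per-hour scheme above, added here as an illustration rather than code from the thread or from libreswan; the names attack_log_decide, attack_log_count_full and ATTACK_LOG_MAX_PER_HOUR are assumptions, and the timestamps are constructed.

```c
#include <stdio.h>
#include <time.h>

/* Rate-limited "attack" logging (hypothetical helper, not libreswan's
 * own code): the first ATTACK_LOG_MAX_PER_HOUR events of an hour are
 * logged in full, later ones are demoted to debug-only, and the count
 * is kept for the log line; a new hour resumes full logging. */
#define ATTACK_LOG_MAX_PER_HOUR 1000
enum attack_log_level { ATTACK_LOG_FULL, ATTACK_LOG_DEBUG_ONLY };

struct attack_log_state {
	time_t hour;   /* interval bucket: seconds since the epoch / 3600 */
	unsigned nr;   /* events seen so far in that interval */
};

/* Decide how to log one event at `now`, updating `st`; *nr receives
 * the event's ordinal within the hour so the log line can print it. */
enum attack_log_level attack_log_decide(struct attack_log_state *st,
					time_t now, unsigned *nr)
{
	time_t current_hour = now / 3600;
	if (st->hour != current_hour) {
		/* new interval: reset so that full logging resumes */
		st->hour = current_hour;
		st->nr = 0;
	}
	*nr = ++st->nr;
	return st->nr > ATTACK_LOG_MAX_PER_HOUR ? ATTACK_LOG_DEBUG_ONLY
					       : ATTACK_LOG_FULL;
}

/* Simulate `events` events one second apart from `start` (constructed
 * timestamps, not real traffic); return how many are logged in full. */
unsigned attack_log_count_full(time_t start, unsigned events)
{
	struct attack_log_state st = { 0, 0 };
	unsigned nr, full = 0;
	for (unsigned i = 0; i < events; i++)
		if (attack_log_decide(&st, start + i, &nr) == ATTACK_LOG_FULL)
			full++;
	return full;
}

int main(void)
{
	/* 1002 events within one hour: 1000 full lines, 2 debug-only */
	printf("full log lines: %u\n", attack_log_count_full(5 * 3600, 1002));
	return 0;
}
```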