[Swan-dev] attack_log()

Antony Antony antony at phenome.org
Mon Feb 26 09:31:53 UTC 2018


On Sun, Feb 25, 2018 at 05:29:50PM -0500, Andrew Cagney wrote:
> I'm looking at code like this (and copying it, adding more cases):
> 
>     /* could this be a log line instead? too much log with scans */
>     DBG(DBG_CONTROL,
>         DBG_log("IKE SA initiator received a message with I(Initiator) flag set; dropping packet"));
> 
> but wonder if a better solution would be to code up something like:
> 
>     attack_log(...)
	static struct { time_t hour; int nr; } rate_limit_flag;
	time_t current_hour = time(NULL) / 3600;

	/* new hour: reset the counter so the first N get logged again */
	if (rate_limit_flag.hour != current_hour) {
		rate_limit_flag.hour = current_hour;
		rate_limit_flag.nr = 0;
	}

	if (rate_limit_flag.nr++ > 1000) {
		/* over the threshold: only visible with debug logging */
		DBG(DBG_MASK, DBG_log(..., rate_limit_flag.hour));
	} else {
		/* under the threshold: normal log line, including the count */
		libreswan_log(..., rate_limit_flag.nr);
	}

> that is, start out logging these packets like all others but, when
> some completely arbitrary threshold is crossed, go silent unless debug
> logging is enabled.
> 
> thoughts,

One thought is to log N times per interval, say per hour.
Also log the actual count, nr, as part of the log line.

Otherwise a long-running pluto will not log anything useful after the first 1000.

Also, if it only logs the first N entries, a better name is log_first_N.
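The per-hour variant sketched above, written out as an added example (not libreswan code and not from either post): the first 1000 events per hour reach the normal log with their running count, later ones are left to debug logging, and the first line of the next hour reports how many were suppressed. The function and struct names, the caller-supplied `now`, and the 3600-second interval are assumptions for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

#define ATTACK_LOG_LIMIT 1000 /* first N per interval reach the normal log */
#define INTERVAL_SECS 3600    /* assumed interval: one hour */

struct attack_log_state {
	time_t interval;     /* interval the counters belong to */
	unsigned nr;         /* events seen in this interval */
};

/* Decide whether the caller should emit the normal (non-debug) log line.
 * *count receives the running count for this interval; *suppressed receives
 * how many events exceeded the limit in the interval that just ended
 * (non-zero only on the first event of a new interval).
 * 'now' is passed in rather than read from time() so it can be tested offline. */
bool attack_log_should_log(struct attack_log_state *s, time_t now,
			   unsigned *count, unsigned *suppressed)
{
	time_t interval = now / INTERVAL_SECS;

	*suppressed = 0;
	if (s->interval != interval) {
		/* new interval: report what was dropped, start counting again */
		if (s->nr > ATTACK_LOG_LIMIT)
			*suppressed = s->nr - ATTACK_LOG_LIMIT;
		s->interval = interval;
		s->nr = 0;
	}
	s->nr++;
	*count = s->nr;
	return s->nr <= ATTACK_LOG_LIMIT;
}

/* Example caller: stand-in for libreswan_log()/DBG_log() in the thread. */
void attack_log(struct attack_log_state *s, time_t now, const char *msg)
{
	unsigned count, suppressed;

	if (attack_log_should_log(s, now, &count, &suppressed)) {
		printf("%s (count %u this hour", msg, count);
		if (suppressed > 0)
			printf(", %u suppressed last hour", suppressed);
		printf(")\n");
	} else {
		printf("debug: %s (count %u, over limit)\n", msg, count);
	}
}
```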
