comparison mod_firewall/README.markdown @ 2370:5fe483b73fd2

mod_firewall: Rate limiting: Document 'entries' and add option to allow overflowing when full
author Matthew Wild <mwild1@gmail.com>
date Tue, 15 Nov 2016 21:55:12 +0000
parents 2fb11d34087e
children 7ad312b4cefe
2369:2fb11d34087e 2370:5fe483b73fd2
299 You can use the 'on' keyword for this, like so: 299 You can use the 'on' keyword for this, like so:
300 300
301 LIMIT: normal on EXPRESSION 301 LIMIT: normal on EXPRESSION
302 302
303 For more information on expressions, see the section later in this document. 303 For more information on expressions, see the section later in this document.
304
305 Each value of 'EXPRESSION' has to be tracked individually in a table, which uses a small amount of memory. To prevent
306 memory exhaustion, the number of tracked values is limited to 1000 by default. You can override this by setting the
307 maximum number of table entries when you define the rate:
308
309 %RATE normal: 2 (burst 3) (entries 4096)
310
311 Old values are automatically removed from the tracking table. However if the tracking table becomes full, new entries
312 will be rejected - it will behave as if the rate limit was reached, even for values that have not been seen before. Since
313 this opens up a potential denial of service (innocent users may be affected if malicious users can fill up the tracking
314 table within the limit period). You can choose to instead "fail open", and allow the rate limit to be temporarily bypassed
315 when the table is full. To choose this behaviour, add `(allow overflow)` to the RATE definition.
304 316
305 ### Session marking 317 ### Session marking
306 318
307 It is possible to 'mark' sessions (see the MARK_ORIGIN action below). To match stanzas from marked sessions, use the 319 It is possible to 'mark' sessions (see the MARK_ORIGIN action below). To match stanzas from marked sessions, use the
308 `ORIGIN_MARKED` condition. 320 `ORIGIN_MARKED` condition.
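Review bot: the new paragraph at lines 311-315 has a dangling subordinate clause: "Since this opens up a potential denial of service (...)." ends at the full stop and the following "You can choose to instead 'fail open'" never completes it. Suggest joining the two, e.g. "This opens up a potential denial of service (innocent users may be affected if malicious users can fill up the tracking table within the limit period), so you can choose instead to \"fail open\" and allow the rate limit to be temporarily bypassed when the table is full." Two smaller points on the same hunk: the `%RATE` example at line 309 shows `(entries 4096)` but the new `(allow overflow)` option is only described in prose, so a reader has to guess how it composes; extending the example to `%RATE normal: 2 (burst 3) (entries 4096) (allow overflow)` would make the syntax unambiguous. And since the hunk describes both failure modes in terms of their effect on innocent users, it is worth stating the flip side of fail-open explicitly: anyone who can fill the table can switch the limit off for every value until entries expire, so `entries` should be sized so that filling it within the limit period is not cheap. "Old values are automatically removed from the tracking table" (line 311) would also benefit from saying when they are removed, since that determines how long a full table stays full.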