On 24.06.22 at 12:26, Gert Doering wrote:
Hi,

On Fri, Jun 24, 2022 at 11:13:40AM +0200, Antonio Quartulli wrote:
do we still need this patch after having merged Arne's HMAC feature?

Yes and no.

*This* patch won't apply anymore, but Arne said "we're now much faster
in replying to packets than ever before" so we might indeed need a
per-source-ip rate-limiter, to something like "10 per 10 seconds" or
so (inventing arbitrary number that should be more than enough even
for "5 users behind the same NAT reconnect at the same time", while
at the same time too low to cause harm as a reflector) for the
initial reply.

Yeah. Keeping a per-IP table is adding a lot of state to manage that. Maybe instead do a (configurable) overall limit like 100/s?

Arne
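
The two options weighed in this thread, side by side, as an added C sketch that is not OpenVPN code and not from any of the posters. All names (`rl_allow`, `per_ip_allow`, `global_allow`, `SLOTS`) are hypothetical, IPv4 sources are assumed, and the per-source state is capped with a fixed 256-slot table that refuses a colliding source while the slot's window is still active.

```c
#include <stdbool.h>
#include <stdint.h>

/* Fixed-window counter: at most `limit` initial replies per `window` seconds. */
struct rl { int64_t start; uint32_t count, limit, window; };

static bool rl_allow(struct rl *r, int64_t now)
{
    if (now - r->start >= r->window) { r->start = now; r->count = 0; }
    if (r->count >= r->limit) return false;
    r->count++;
    return true;
}

/* Option A: one overall limiter, constant state (thread's number: 100/s).
 * Cheap, but a flood from any source also uses up the budget of real clients. */
static struct rl global_rl = { 0, 0, 100, 1 };
static bool global_allow(int64_t now) { return rl_allow(&global_rl, now); }

/* Option B: per-source limiter (thread's number: 10 per 10 seconds).
 * The state cost is bounded here by a fixed table (an assumption of this
 * sketch); without a bound, spoofed sources could grow it without limit. */
#define SLOTS 256
struct slot { uint32_t ip; bool used; struct rl rl; };
static struct slot table[SLOTS];

/* Multiplicative hash of the source address; top 8 bits select the slot. */
static uint32_t slot_index(uint32_t ip) { return (ip * 2654435761u) >> 24; }

static bool per_ip_allow(uint32_t ip, int64_t now)
{
    struct slot *s = &table[slot_index(ip)];
    if (!s->used || s->ip != ip) {
        /* Take over a slot only once its owner's window has expired;
         * until then a colliding source gets no initial reply. */
        if (s->used && now - s->rl.start < s->rl.window) return false;
        s->ip = ip;
        s->used = true;
        s->rl = (struct rl){ now, 0, 10, 10 };
    }
    return rl_allow(&s->rl, now);
}
```
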


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
