Implement rate limiting in mbd, and fix some logging.

[nms] / mbd / mbd.pl

diff --git a/mbd/mbd.pl b/mbd/mbd.pl
index 44dd334a854dbb2a0a561c707b26a5925b9085fe..dcc25fe242e8bd843a1741b0821c9f81c7f4978e 100644 (file)
--- a/mbd/mbd.pl
+++ b/mbd/mbd.pl
@@ -4,6 +4,7 @@ use warnings;
 use Socket;
 use Net::CIDR;
 use Net::RawIP;
+use Time::HiRes;
 require './access_list.pl';
 require './nets.pl';
 require './mbd.pm';
@@ -16,6 +17,9 @@ sub fhbits {
        return $bits;
 }
 
+# used for rate limiting
+my %last_sent = ();
+
 my %cidrcache = ();
 sub cache_cidrlookup {
        my ($addr, $net) = @_;
@@ -71,6 +75,17 @@ while (1) {
                my ($dport, $daddr) = sockaddr_in(getsockname($sock));
                my $size = length($data);
 
+               # Rate limiting
+               my $now = [Time::HiRes::gettimeofday];
+               if (exists($last_sent{$saddr}{$dport})) {
+                       my $elapsed = Time::HiRes::tv_interval($last_sent{$saddr}{$dport}, $now);
+                       if ($elapsed < 1.0) {
+                               print LOG "$dport $size 2\n";
+                               print inet_ntoa($saddr), ", $dport, $size bytes => rate-limited ($elapsed secs since last)\n";
+                       }
+                       next;
+               }
+
                # We don't get the packet's destination address, but I guess this should do...
                # Check against the ACL.
                my $pass = 0;
@@ -89,10 +104,11 @@ while (1) {
                print LOG "$dport $size $pass\n";
 
                if (!$pass) {
-                       print "$dport, $size bytes => filtered\n";
+                       print inet_ntoa($saddr), ", $dport, $size bytes => filtered\n";
+                       next;
                }
 
-               next unless $pass;
+               $last_sent{$saddr}{$dport} = $now;
 
                my $num_nets = 0;