X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=mbd%2Fmbd.pl;fp=mbd%2Fmbd.pl;h=dcc25fe242e8bd843a1741b0821c9f81c7f4978e;hb=d78bd171f28f56c6f064b22899792aaf3286127c;hp=44dd334a854dbb2a0a561c707b26a5925b9085fe;hpb=7ae11f7618602eef12abc857b7434d26a895d346;p=nms diff --git a/mbd/mbd.pl b/mbd/mbd.pl index 44dd334..dcc25fe 100644 --- a/mbd/mbd.pl +++ b/mbd/mbd.pl @@ -4,6 +4,7 @@ use warnings; use Socket; use Net::CIDR; use Net::RawIP; +use Time::HiRes; require './access_list.pl'; require './nets.pl'; require './mbd.pm'; @@ -16,6 +17,9 @@ sub fhbits { return $bits; } +# used for rate limiting +my %last_sent = (); + my %cidrcache = (); sub cache_cidrlookup { my ($addr, $net) = @_; @@ -71,6 +75,17 @@ while (1) { my ($dport, $daddr) = sockaddr_in(getsockname($sock)); my $size = length($data); + # Rate limiting + my $now = [Time::HiRes::gettimeofday]; + if (exists($last_sent{$saddr}{$dport})) { + my $elapsed = Time::HiRes::tv_interval($last_sent{$saddr}{$dport}, $now); + if ($elapsed < 1.0) { + print LOG "$dport $size 2\n"; + print inet_ntoa($saddr), ", $dport, $size bytes => rate-limited ($elapsed secs since last)\n"; + } + next; + } + # We don't get the packet's destination address, but I guess this should do... # Check against the ACL. my $pass = 0; @@ -89,10 +104,11 @@ while (1) { print LOG "$dport $size $pass\n"; if (!$pass) { - print "$dport, $size bytes => filtered\n"; + print inet_ntoa($saddr), ", $dport, $size bytes => filtered\n"; + next; } - next unless $pass; + $last_sent{$saddr}{$dport} = $now; my $num_nets = 0;