Giorgos Keramidas wrote:

> I've been thinking for quite some time to add per-client-IP limiting
> to ftpd, and I had almost decided upon something like the following,
> where each child of ftpd has two numbers associated with it. The
> client IP address, and the PID of the ftpd child that serves it. The
> hash at the beginning of the lists serves as a minor assistance in
> splitting the 2^32 address space in smaller chunks so that we don't
> end up with a singly linked list of a few thousand entries.
Someone just did something similar for inetd (per IP per port). The more I think about this, and the fact that there is code growing to do basically the same thing in every program, the more I think that the code to do this needs to be centralized. I would prefer a divert to an administrative daemon approach, using ipfw rules and existing code. You could also do it in the kernel, or you could do it by adding a wrapper library for "accept" and "close", where the accounting on connections can be enforced. Putting this code into a separate daemon, or even natd, makes a lot more sense to me than hacking up the kernel, or every network application ever written.

-- Terry
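The structure Giorgos describes (a hash splitting the IPv4 space into buckets, each a singly linked list of client IP / child PID pairs) and the accept/close accounting Terry mentions, as an added example that is not code from ftpd, inetd or anyone in this thread. The bucket count, the per-address limit and the function names are assumptions made for the example.

```c
/* Per-client-IP connection accounting for a forking server (added example).
 * Buckets split the 2^32 IPv4 space; each bucket is a singly linked list of
 * (client IP, child PID) entries, one entry per live connection. */
#include <stdint.h>
#include <stdlib.h>
#include <sys/types.h>

#define NBUCKETS  256   /* assumption: number of hash buckets */
#define MAX_PER_IP  4   /* assumption: policy limit per client address */

struct conn {
    uint32_t ip;        /* client IPv4 address, host byte order */
    pid_t pid;          /* child process serving this connection */
    struct conn *next;
};

static struct conn *buckets[NBUCKETS];

static unsigned bucket_of(uint32_t ip) {
    /* fold all four octets in so adjacent addresses spread across buckets */
    ip ^= ip >> 16;
    ip ^= ip >> 8;
    return ip % NBUCKETS;
}

/* Number of live connections currently held by this client address. */
int conns_for_ip(uint32_t ip) {
    int n = 0;
    for (struct conn *c = buckets[bucket_of(ip)]; c; c = c->next)
        if (c->ip == ip) n++;
    return n;
}

/* Parent calls this after accept()/fork(): 0 = admitted and recorded,
 * -1 = client is at its limit (or no memory) and should be refused. */
int conn_admit(uint32_t ip, pid_t pid) {
    if (conns_for_ip(ip) >= MAX_PER_IP) return -1;
    struct conn *c = malloc(sizeof *c);
    if (!c) return -1;
    c->ip = ip;
    c->pid = pid;
    unsigned b = bucket_of(ip);
    c->next = buckets[b];
    buckets[b] = c;
    return 0;
}

/* Parent calls this when SIGCHLD reports that pid exited (the child's
 * close): unlink its entry. Scans every bucket since the key is the pid. */
int conn_release(pid_t pid) {
    for (unsigned b = 0; b < NBUCKETS; b++)
        for (struct conn **pp = &buckets[b]; *pp; pp = &(*pp)->next)
            if ((*pp)->pid == pid) {
                struct conn *dead = *pp;
                *pp = dead->next;
                free(dead);
                return 0;
            }
    return -1;  /* unknown pid: nothing recorded for it */
}
```

Because the table lives in the parent, a child cannot evade the limit by lying about its state; the parent alone decides at admit time and cleans up on the child's exit.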