From a188f54944e56c7588f7ebbabbef3cee19686575 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Sat, 23 Jul 2011 11:18:26 +0100
Subject: [PATCH] functions.m4: Rate-limit rejections on error chains.

This reduces our workload under attack, without severely affecting diagnostic capability.
---
 functions.m4 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/functions.m4 b/functions.m4
index 5cc70f8..b2e3cb6 100644
--- a/functions.m4
+++ b/functions.m4
@@ -104,7 +104,9 @@ errorchain () {
 run ip46tables -t $table -A $chain -j LOG \
 -m limit --limit 3/minute --limit-burst 10 \
 --log-prefix "fw: $chain " --log-level notice
- run ip46tables -t $table -A $chain -j "$@"
+ run ip46tables -t $table -A $chain -j "$@" \
+ -m limit --limit 20/second --limit-burst 100
+ run ip46tables -t $table -A $chain -j DROP
 }
 m4_divert(24)m4_dnl
-- 
2.11.0
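Review bot: The new `-m limit --limit 20/second --limit-burst 100` is a single chain-wide token bucket, so once one noisy source exhausts it every other sender hitting this error chain silently falls through to the added `DROP` and sees timeouts instead of the prompt rejection the chain was meant to give; if per-source fairness matters, `-m hashlimit --hashlimit-mode srcip --hashlimit-upto 20/second --hashlimit-burst 100 --hashlimit-name $chain` would scope the limit, though whether that trade-off is wanted here is a policy call. The match is also placed after `-j "$@"`, unlike the LOG rule just above which puts `-m limit` before `-j`; iptables accepts both orders, but since `"$@"` may carry target options of its own, putting the match first keeps the rule readable and consistent with its neighbour. A one-line comment on the DROP rule would help the next reader, e.g. `# overflow path: beyond the burst, discard without replying so floods cost us no packets`. The `errorchain` function starts before this hunk; only its tail is visible.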