Contexts
With PacketShield, context is identified by the destination of an incoming packet.
For each incoming packet, a lookup on available contexts in the instance is performed:
If a context is found (by matching the packet's destination IP and an optional VLAN tag), then the rules of the context will be applied to this packet.
If the packet does not match any context, then the default context Other applies.
Creating an instance automatically creates the default context named Other which contains the policy used for packets which do not match any other created context.
PacketShield currently supports the following context identifiers:
IPv4 address
IPv4 address suffixed by the character @ and a VLAN id
Use the sysfs entry
You manage a context using the sysfs entry /sys/packetshield/<instance name>/contexts.
Create a context
The create operation also creates a new sysfs directory using the context identifier as name in:
/sys/packetshield/<instance name>/<context id>.
A newly created context does not inherit the configuration from the default Other context.
sysfs
Write the context identifier, prefixed by the character +, to the sysfs entry.
Create a context for the IP address 10.2.3.5:
$ echo "+10.2.3.5" > /sys/packetshield/myinst/contexts
Create a context for the IP address 10.2.3.5 in the tagged VLAN 100:
$ echo "+10.2.3.5@100" > /sys/packetshield/myinst/contexts
GUI
Use the statement <instance name>/contexts followed by the context identifier.
Create a context for the IP address 10.2.3.5:
myinst/contexts 10.2.3.5
Create a context for the IP address 10.2.3.5 in the tagged VLAN 100:
myinst/contexts 10.2.3.5@100
Destroy a context
This operation also deletes the sysfs directory /sys/packetshield/<instance name>/<context id>.
sysfs
Write the context identifier, prefixed by the character -, to the sysfs entry.
Destroy the context for the IP address 10.2.3.5:
$ echo "-10.2.3.5" > /sys/packetshield/myinst/contexts
Destroy the context for the IP address 10.2.3.5 in the tagged VLAN 100:
$ echo "-10.2.3.5@100" > /sys/packetshield/myinst/contexts
GUI
Remove the statement <instance name>/contexts <context id> that matches the context you want to remove.
List contexts
This function is only available through the CLI.
To list existing contexts, read the contents of the sysfs entry /sys/packetshield/<instance name>/contexts.
One context identifier is displayed per line.
Although it is not listed, the default context Other always exists.
$ cat /sys/packetshield/myinst/contexts
10.2.3.5
10.2.3.5@100
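The create, destroy and list operations above, wrapped in a small POSIX shell helper that validates the identifier format (dotted IPv4, optional @VLAN) before writing it to the contexts entry, so a typo is rejected instead of creating an unintended context. This is an added example, not part of the PacketShield documentation; the PS_ROOT override, the function names and the 1-4094 VLAN range check are assumptions so that the helper can be exercised against a scratch directory.

```shell
# Added example, not PacketShield's own code. PS_ROOT is an assumed override
# so the helper can be tried against a scratch directory instead of the real
# /sys/packetshield tree (default when PS_ROOT is unset).
PS_ROOT="${PS_ROOT:-/sys/packetshield}"

# ps_ctx_valid ID -> 0 if ID is "a.b.c.d" or "a.b.c.d@vlan" with sane ranges.
# The 1-4094 VLAN range is an assumption (usable 802.1Q ids), not from the doc.
ps_ctx_valid() {
    id=$1
    ip=${id%%@*}
    vlan=""
    case $id in
        *@*) vlan=${id#*@} ;;
    esac
    # only digits and dots, no leading/trailing/doubled dot
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # split on dots into positional params: exactly four octets, each 0-255
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    if [ -n "$vlan" ]; then
        case $vlan in ''|*[!0-9]*) return 1 ;; esac
        [ "$vlan" -ge 1 ] && [ "$vlan" -le 4094 ] || return 1
    fi
    return 0
}

# ps_ctx_add INSTANCE ID -> writes "+ID" to the instance's contexts entry
ps_ctx_add() {
    ps_ctx_valid "$2" || { echo "invalid context id: $2" >&2; return 1; }
    printf '%s%s\n' + "$2" > "$PS_ROOT/$1/contexts"
}

# ps_ctx_del INSTANCE ID -> writes "-ID" to the instance's contexts entry
ps_ctx_del() {
    ps_ctx_valid "$2" || { echo "invalid context id: $2" >&2; return 1; }
    printf '%s%s\n' - "$2" > "$PS_ROOT/$1/contexts"
}

# ps_ctx_list INSTANCE -> one identifier per line; Other is implicit, never listed
ps_ctx_list() {
    cat "$PS_ROOT/$1/contexts"
}
```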
Set options for context
sysfs
Display and set context options using, respectively, read and write operations on the sysfs entries available in the directory /sys/packetshield/<instance name>/<context id>/<option>.
GUI
Set context options using the statement <instance name>/<context id>/<option>.
The GUI can only set an option; it cannot display its current value.
Available options:
default: 0, means no drop
default: ff:ff:ff:ff:ff:ff
default: 0-0 means disabled. Example: start sending SYN cookies when the incoming rate is above 10000 SYN/s and stop sending when the rate goes below 5000.
default: 0-0 means protection is disabled. Example: start blocking unmatched packets when the incoming rate is above 10000/s and stop blocking when the rate goes below 5000.
default: 0-0 means protection is disabled. Example: start blocking packets with unknown TTL when the incoming rate is above 10000/s and stop blocking when the rate goes below 5000.
default: 0-0 means protection is disabled. Example: enable surge protection when the outgoing rate is above 10000 packets/s and disable protection when the rate goes below 5000.
default: 0 means disabled