[strongSwan-dev] DoS protection questions

Emeric POUPON emeric.poupon at stormshield.eu
Thu Apr 5 11:16:56 CEST 2018

>> Furthermore, I am afraid we actually queue a lot of jobs (more than one) when
>> the counter is decreased by one.
>> I think it may be the root problem?
> Yes, until the next IKE_SA is checked in packets will be processed.

Do you want that I fill an issue for that?

>> The only visible effect is to set a job limit, but since it is global we could
>> prevent high priority jobs to run properly.
> It's not a limit on the number of jobs, it's a limit that causes
> IKE_SA_INITs to get dropped when the number of jobs exceeds the
> configured number.

Ok, it does the job then.
Thanks again for your answers.



More information about the Dev mailing list