pf integration: route labels

BGP info + pf: very very powerful
(bgpd attaches the label to the routes it learns from a peer, e.g. with "set rtlabel" in bgpd.conf; pf's "route" keyword then matches packets whose source route carries that label)

allow no more than 10000 hosts at DTAG to connect to $server

  pass from route DTAG to $server \
    keep state (max-src-nodes 10000)

each of them must not have more than 10 state table entries

  pass from route DTAG to $server \
    keep state (max-src-nodes 10000, max-src-states 10)

limit each single host within DTAG to 10 tcp connections with a completed 3-way handshake

  pass from route DTAG to $server \
    keep state (max-src-conn 10)

fight DDoS: block every host that completes more than 10 3-way handshakes per 10 seconds

  table persist
  block in quick from table
  pass from route DTAG \
    keep state (max-src-conn-rate 10/10, \
      overload flush global)
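The four limits above put together into one loadable ruleset, as an added example that is not from the original slides. The bgpd.conf fragment shows where the DTAG label comes from; the neighbor address, AS number, interface, server address and the table name <bad_hosts> are all assumptions (the slide's own table name did not survive extraction, and pf requires one in angle brackets).

```pf
# bgpd.conf (placeholder peer): tag every prefix learned from this
# neighbor with the route label "DTAG". pf's "route DTAG" matches
# packets whose source address is routed via a prefix carrying that label.
#
#   neighbor 192.0.2.1 {
#       remote-as 65001
#       descr "DTAG"
#       set rtlabel "DTAG"
#   }

# pf.conf
ext_if = "em0"                    # assumed external interface
server = "198.51.100.10"          # assumed server address

# Assumed table name; entries persist across ruleset reloads.
table <bad_hosts> persist

# Sources that tripped the rate limit are dropped before any other rule.
block in quick on $ext_if from <bad_hosts>

# Per-source limits for TCP arriving from routes labelled DTAG:
#   max-src-nodes      at most 10000 distinct source addresses may hold state
#   max-src-states     at most 10 state entries per source address
#   max-src-conn       at most 10 established TCP connections per source
#   max-src-conn-rate  more than 10 completed 3-way handshakes within 10 s
#                      adds the source to <bad_hosts>; "flush global" then
#                      kills every state from that source, not only those
#                      created by this rule
pass in on $ext_if proto tcp from route DTAG to $server port 80 \
    keep state (max-src-nodes 10000, max-src-states 10, \
                max-src-conn 10, max-src-conn-rate 10/10, \
                overload <bad_hosts> flush global)
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading. Two caveats a practitioner should keep in mind: max-src-conn and max-src-conn-rate only count TCP connections that completed the handshake, so they do nothing against SYN floods or UDP (max-src-states and synproxy cover those); and hosts placed in a persistent overload table stay there until removed, so expire old entries periodically, e.g. "pfctl -t bad_hosts -T expire 3600" from cron.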