[DOS] Service reconfiguration logic doesn't take flapping into account

[Wolfspyre]

Howdy all!

Due to an unrelated issue discussed in another thread,
(In 24.7beta my where Standby fw and active fw no longer recognize each other's existence... )
I currently have my standby soft powered off.

HOWEVER, my standby seems to keep wanting to flap its heartbeat link.

(which is annoying, and outside the scope of opnsense, however it does bring a related problem to light...)

Several services are configured to re-jiggle themselves upon interface activation change....

HOWEVER, there doesn't appear to be any sort of 'flapping' logic to prevent a wobbly interface from causing secondary problems.

I'd think it reasonable for opnsense to implement some sort of guard around service state change, such that if an interface is wobbling and flapping often enough that re-running the 'OH! A NIC CHANGED STATE! I SHOULD DO A THING!' is essentially DOS's itself..

some sort of 'cooldown' timer, wherein the system wants to avoid restarting services or responding to state change due to $specific-hardware....  might be helpful?

perhaps with an incremental backoff, such that if interfaceX keeps flapping, after N times, its flaps will be ignored more and more of the time...

"interface flapping detected on wobblingNic0.... ongoing since .... Delaying actions for ($timer*wobblerate) for wobbling to settle" 
sort of thing...

Associating a backoff timer per device, along with a systemic timer, may be a valuable way to penalize the wobbler the most, whilst still responding timely to other random events that may occur.
(it's not nic5's fault that nic0 is wobbling)

granted, this isn't a problem that opnsense can CONTROL.

HOWEVER, OPNsense **CAN** control how it responds... and in the case of a badly behaving interface, I believe OPNsense may benefit from a bit more 'protect system stability in response to unforseen upstream events' robustification

Thoughts?