On Wed, Apr 30, 2014 at 6:02 PM, bycn82 <byc...@gmail.com> wrote:
>
>> fjwc...@gmail.com <mailto:fjwc...@gmail.com>
>>
> Thanks for your reply, and it is good to know the sysctl for ICMP.
>
> finally it works.I just added a new `action` in firewall and it is called
> `pps`, that means it can be generic purpose while the
> net.inet.icmp.icmplim is only for ICMP traffic.
>
> the usage will be like below
>
> root@F10:/usr/src/sbin/ipfw # .*/ipfw add pps 1 icmp from any to any*
> 00100 pps 1 icmp from any to any
> root@F10:/usr/src/sbin/ipfw # ./ipfw show
> 00100 9 540 pps 1 icmp from any to any
> 65535 13319 1958894 allow ip from any to any
> root@F10:/usr/src/sbin/ipfw #
>
>
hi,
as julian said it would be great if you would like to share your code
so we can integrate it in future ipfw releases.
Once again citing Julian, dummynet is a bit of a superset of pps but
not exactly, so i see value in the additional feature.
One thing to keep in mind in the implementation:
the burst size used for limiting is an important parameter that
everyone forgets. 1 pps is basically "don't bother me".
1000 pps could be "1000 packets every fixed 1-sec interval"
or "1 packet every ms" or (this is more difficult)
"20 pkt in the last 50ms interval".
If i were to implement the feature i would add two parameters
(burst, I_max) with reasonable defaults and compute the internal
interval and max_count as follows
if (burst > max_pps * I_max)
burst = max_pps * I_max; // make sure it is not too large
else if (burst < max_pps / HZ)
burst = max_pps * HZ; // nor too small
max_count = max_pps / burst;
interval = HZ * burst / max_pps;
count = 0; // actual counter
then add { max_count, interval, timestamp, count } to the rule descriptor.
On incoming packets:
if (ticks >= r->interval + r->timestamp) {
r->timestamp = r->ticks;
r->count = 1;
return ACCEPT;
}
if (r->count > r->max_count)
return DENY;
r->count++;
return ACCEPT;
cheers
luigi
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
