On Wed, Apr 30, 2014 at 6:02 PM, bycn82 <byc...@gmail.com> wrote:

>> fjwc...@gmail.com
>
> Thanks for your reply, and it is good to know the sysctl for ICMP.
>
> Finally it works. I just added a new `action` in firewall and it is called
> `pps`, that means it can be generic purpose while the
> net.inet.icmp.icmplim is only for ICMP traffic.
>
> The usage will be like below:
>
> root@F10:/usr/src/sbin/ipfw # ./ipfw add pps 1 icmp from any to any
> 00100 pps 1 icmp from any to any
> root@F10:/usr/src/sbin/ipfw # ./ipfw show
> 00100 9 540 pps 1 icmp from any to any
> 65535 13319 1958894 allow ip from any to any
> root@F10:/usr/src/sbin/ipfw #
>

Hi, as Julian said it would be great if you would like to share your code so we can integrate it in future ipfw releases. Once again citing Julian, dummynet is a bit of a superset of pps but not exactly, so I see value in the additional feature.
One thing to keep in mind in the implementation: the burst size used for limiting is an important parameter that everyone forgets. 1 pps is basically "don't bother me". 1000 pps could be "1000 packets every fixed 1-sec interval" or "1 packet every ms" or (this is more difficult) "20 pkt in the last 50ms interval".

If I were to implement the feature I would add two parameters (burst, I_max) with reasonable defaults and compute the internal interval and max_count as follows:

    if (burst > max_pps * I_max)
        burst = max_pps * I_max;        // make sure it is not too large
    else if (burst < max_pps / HZ)
        burst = max_pps / HZ;           // nor too small (at least one tick's worth)
    max_count = burst;                  // packets allowed per interval
    interval = HZ * burst / max_pps;    // interval length in ticks
    count = 0;                          // actual counter

then add { max_count, interval, timestamp, count } to the rule descriptor. On incoming packets:

    if (ticks >= r->interval + r->timestamp) {
        r->timestamp = ticks;           // this packet opens a new interval
        r->count = 1;
        return ACCEPT;
    }
    if (r->count >= r->max_count)       // exactly max_count packets pass per interval
        return DENY;
    r->count++;
    return ACCEPT;

cheers
luigi

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
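The fixed-interval limiter sketched in the mail, worked through as an added example that is not ipfw code and not part of the thread: the parameter derivation (burst clamped between one tick's worth and I_max seconds' worth of packets) plus the per-packet check, and two small simulations showing what the burst parameter buys. The names `pps_rule`, `pps_init`, `pps_check`, `pps_flood` and `pps_steady` are constructed for this illustration; `hz` stands in for the kernel's HZ and `ticks` for the tick counter.

```c
#include <stdio.h>

/*
 * Added example (not ipfw code): fixed-interval packet rate limiter with a
 * burst parameter, following the derivation in the mail above. All names
 * here are constructed for the illustration.
 */

#define PPS_ACCEPT 1
#define PPS_DENY   0

struct pps_rule {
    unsigned max_count;  /* packets accepted per interval (= clamped burst) */
    unsigned interval;   /* interval length in ticks */
    unsigned timestamp;  /* tick at which the current interval began */
    unsigned count;      /* packets accepted so far in this interval */
};

/* Derive interval and max_count from the user-visible max_pps, burst, I_max. */
void pps_init(struct pps_rule *r, unsigned max_pps, unsigned burst,
              unsigned i_max, unsigned hz)
{
    if (burst > max_pps * i_max)
        burst = max_pps * i_max;      /* not more than I_max seconds' worth */
    else if (burst < max_pps / hz)
        burst = max_pps / hz;         /* nor less than one tick's worth */
    if (burst == 0)
        burst = 1;                    /* rates below 1 pkt/tick still pass one packet */
    r->max_count = burst;
    r->interval  = hz * burst / max_pps;
    if (r->interval == 0)
        r->interval = 1;              /* never a zero-length interval */
    r->timestamp = 0;
    r->count     = 0;
}

/* Per-packet decision; ticks is the current clock in HZ units. */
int pps_check(struct pps_rule *r, unsigned ticks)
{
    if (ticks >= r->timestamp + r->interval) {
        r->timestamp = ticks;         /* this packet opens a new interval */
        r->count = 1;
        return PPS_ACCEPT;
    }
    if (r->count >= r->max_count)     /* >= so exactly max_count pass per interval */
        return PPS_DENY;
    r->count++;
    return PPS_ACCEPT;
}

/* Offer n packets within the same tick; return how many pass. */
unsigned pps_flood(struct pps_rule *r, unsigned ticks, unsigned n)
{
    unsigned accepted = 0;
    for (unsigned i = 0; i < n; i++)
        if (pps_check(r, ticks) == PPS_ACCEPT)
            accepted++;
    return accepted;
}

/* Offer per_tick packets on every tick for nticks ticks; return total passed. */
unsigned pps_steady(unsigned max_pps, unsigned burst, unsigned i_max,
                    unsigned hz, unsigned per_tick, unsigned nticks)
{
    struct pps_rule r;
    unsigned accepted = 0;
    pps_init(&r, max_pps, burst, i_max, hz);
    for (unsigned t = 0; t < nticks; t++)
        accepted += pps_flood(&r, t, per_tick);
    return accepted;
}

int main(void)
{
    struct pps_rule r;
    /* 1000 pps with 20-packet bursts at HZ=1000: a 20-tick interval, 20 packets each */
    pps_init(&r, 1000, 20, 1, 1000);
    printf("interval=%u ticks, max_count=%u\n", r.interval, r.max_count);
    printf("100 packets at tick 0: %u accepted\n", pps_flood(&r, 0, 100));
    printf("1 packet at tick 19: %s\n", pps_check(&r, 19) ? "accept" : "deny");
    printf("1 packet at tick 20: %s\n", pps_check(&r, 20) ? "accept" : "deny");
    printf("2 pkt/tick for 1 s: %u accepted of 2000\n",
           pps_steady(1000, 20, 1, 1000, 2, 1000));
    return 0;
}
```

With burst=20 the 1000 pps limit is enforced over 20 ms windows: a flood of 100 packets in one tick passes only 20, the rest of that window is denied, and a sustained 2 pkt/tick offered load still averages out to 1000 accepted per second. Choosing burst=1000 (the I_max clamp) would instead let a full second's worth through in one tick, which is exactly the "1000 packets every fixed 1-sec interval" reading the mail warns about.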