On 5/2/14 16:59, Luigi Rizzo wrote:
On Wed, Apr 30, 2014 at 6:02 PM, bycn82 <byc...@gmail.com
<mailto:byc...@gmail.com>> wrote:
fjwc...@gmail.com <mailto:fjwc...@gmail.com>
<mailto:fjwc...@gmail.com <mailto:fjwc...@gmail.com>>
Thanks for your reply, and it is good to know the sysctl for ICMP.
finally it works.I just added a new `action` in firewall and it is
called `pps`, that means it can be generic purpose while the
net.inet.icmp.icmplim is only for ICMP traffic.
the usage will be like below
root@F10:/usr/src/sbin/ipfw # .*/ipfw add pps 1 icmp from any to any*
00100 pps 1 icmp from any to any
root@F10:/usr/src/sbin/ipfw # ./ipfw show
00100 9 540 pps 1 icmp from any to any
65535 13319 1958894 allow ip from any to any
root@F10:/usr/src/sbin/ipfw #
hi,
as julian said it would be great if you would like to share your code
so we can integrate it in future ipfw releases.
Once again citing Julian, dummynet is a bit of a superset of pps but
not exactly, so i see value in the additional feature.
One thing to keep in mind in the implementation:
the burst size used for limiting is an important parameter that
everyone forgets. 1 pps is basically "don't bother me".
1000 pps could be "1000 packets every fixed 1-sec interval"
or "1 packet every ms" or (this is more difficult)
"20 pkt in the last 50ms interval".
If i were to implement the feature i would add two parameters
(burst, I_max) with reasonable defaults and compute the internal
interval and max_count as follows
if (burst > max_pps * I_max)
burst = max_pps * I_max; // make sure it is not too large
else if (burst < max_pps / HZ)
burst = max_pps * HZ; // nor too small
max_count = max_pps / burst;
interval = HZ * burst / max_pps;
count = 0; // actual counter
then add { max_count, interval, timestamp, count } to the rule descriptor.
On incoming packets:
if (ticks >= r->interval + r->timestamp) {
r->timestamp = r->ticks;
r->count = 1;
return ACCEPT;
}
if (r->count > r->max_count)
return DENY;
r->count++;
return ACCEPT;
cheers
luigi
Hi Luigi,
You are right, it will be more generic if provide two parameters as you
described,
But this PPS feature should not be used to control the traffic rate, the
dummynet you provided is the correct way.
So I am thinking in what kind of scenario, people need this PPS feature?
in my opinion, people will use PPS only when they want to limit the
connections/transactions numbers. ( already have limit command to limit
the connections)
So I think provide a simple PPS feature is good enough, and we can
improve it if someone complaint on this.
bycn82
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"