On 5/2/14 16:59, Luigi Rizzo wrote:



On Wed, Apr 30, 2014 at 6:02 PM, bycn82 <byc...@gmail.com> wrote:



    Thanks for your reply, and it is good to know the sysctl for ICMP.

    Finally it works. I just added a new `action` in the firewall and it is
    called `pps`, which means it can be general purpose, while
    net.inet.icmp.icmplim is only for ICMP traffic.

    The usage will be like below:

    root@F10:/usr/src/sbin/ipfw # ./ipfw add pps 1 icmp from any to any
    00100 pps 1 icmp from any to any
    root@F10:/usr/src/sbin/ipfw # ./ipfw show
    00100     9     540 pps 1 icmp from any to any
    65535 13319 1958894 allow ip from any to any
    root@F10:/usr/src/sbin/ipfw #


hi,
as Julian said, it would be great if you could share your code
so we can integrate it in future ipfw releases.
Once again citing Julian, dummynet is a bit of a superset of pps but
not exactly, so I see value in the additional feature.

One thing to keep in mind in the implementation:

the burst size used for limiting is an important parameter that
everyone forgets. 1 pps is basically "don't bother me".
1000 pps could be "1000 packets every fixed 1-sec interval"
or "1 packet every ms" or (this is more difficult)
"20 pkt in the last 50ms interval".

If I were to implement the feature I would add two parameters
(burst, I_max) with reasonable defaults and compute the internal
interval and max_count as follows:
   if (burst > max_pps * I_max)
       burst = max_pps * I_max; // make sure it is not too large
   else if (burst < max_pps / HZ)
       burst = max_pps / HZ;    // nor too small (at least one tick's worth)
   max_count = burst;               // packets allowed per interval
   interval = HZ * burst / max_pps; // interval length in ticks
   count = 0; // actual counter

then add { max_count, interval, timestamp, count } to the rule descriptor.
On incoming packets:

   if (ticks >= r->interval + r->timestamp) { // interval expired: start a new one
       r->timestamp = ticks;
       r->count = 1;
       return ACCEPT;
   }
   if (r->count >= r->max_count) // max_count packets already seen in this interval
       return DENY;
   r->count++;
   return ACCEPT;

cheers
luigi

Hi Luigi,
You are right, it will be more generic if we provide two parameters as you described, but this PPS feature should not be used to control the traffic rate; the dummynet you provided is the correct way.
So I am thinking, in what kind of scenario do people need this PPS feature?
In my opinion, people will use PPS only when they want to limit the number of connections/transactions (we already have the limit command to limit the connections). So I think providing a simple PPS feature is good enough, and we can improve it if someone complains about it.

bycn82
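The burst/interval scheme Luigi sketches above, written out as an added stand-alone C example (not ipfw code from either poster): it assumes HZ = 1000, a user-space `struct pps_rule`, and a constructed packet pattern, and shows why the burst size matters: at 1000 pps, burst 1000 passes 1000 packets of a one-tick flood at once, while burst 1 passes one packet and then one per millisecond.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#define HZ 1000u /* assumed kernel tick rate: one tick per millisecond */

/* The { max_count, interval, timestamp, count } tuple proposed in the thread. */
struct pps_rule { uint32_t max_count, interval, timestamp, count; };

/* Derive the window from rate (max_pps), burst (packets) and longest window
 * (i_max, seconds); burst is clamped to [one tick's worth, i_max seconds' worth]. */
void pps_init(struct pps_rule *r, uint32_t max_pps, uint32_t burst, uint32_t i_max)
{
    uint64_t burst_max = (uint64_t)max_pps * i_max;
    if (burst > burst_max) burst = (uint32_t)burst_max;
    if (burst < max_pps / HZ) burst = max_pps / HZ;
    if (burst == 0) burst = 1;                          /* never a zero window */
    r->max_count = burst;                               /* packets per window */
    r->interval = (uint32_t)((uint64_t)HZ * burst / max_pps); /* window, ticks */
    if (r->interval == 0) r->interval = 1;
    r->timestamp = 0; r->count = 0;
}

/* Fixed-window decision for one packet arriving at kernel tick `ticks`. */
bool pps_accept(struct pps_rule *r, uint32_t ticks)
{
    if (ticks >= r->timestamp + r->interval) {  /* window expired: start a new one */
        r->timestamp = ticks; r->count = 1;
        return true;
    }
    if (r->count >= r->max_count)               /* window already full */
        return false;
    r->count++;
    return true;
}

/* Constructed traffic: 5000 packets in tick 0, then one packet per tick for
 * ticks 1..10. Returns how many of the 5010 packets the rule accepts. */
uint32_t pps_demo(uint32_t max_pps, uint32_t burst)
{
    struct pps_rule r; uint32_t accepted = 0, i;
    pps_init(&r, max_pps, burst, 1);
    for (i = 0; i < 5000; i++) accepted += pps_accept(&r, 0);
    for (i = 1; i <= 10; i++) accepted += pps_accept(&r, i);
    return accepted;
}

int main(void)
{
    printf("burst 1000: %u, burst 1: %u accepted\n", pps_demo(1000, 1000), pps_demo(1000, 1)); /* 1000, 11 */
}
```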

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
