Date:      Fri, 21 Jun 2002 06:41:10 -0700
From:      Luigi Rizzo <rizzo@icir.org>
To:        Giorgos Keramidas <keramida@FreeBSD.org>
Cc:        Terry Lambert <tlambert2@mindspring.com>, hackers@FreeBSD.org
Subject:   Re: Limiting clients per source IP address (ftpd, inetd, etc.)
Message-ID:  <20020621064110.A79754@iguana.icir.org>
In-Reply-To: <20020621133626.GC2476@hades.hell.gr>; from keramida@FreeBSD.org on Fri, Jun 21, 2002 at 04:36:26PM +0300
References:  <20020621000924.GA2178@hades.hell.gr> <3D129CA8.EFADA4FF@mindspring.com> <20020620222032.A73450@iguana.icir.org> <3D12CE82.C6761D96@mindspring.com> <20020621003518.A77089@iguana.icir.org> <20020621133626.GC2476@hades.hell.gr>

On Fri, Jun 21, 2002 at 04:36:26PM +0300, Giorgos Keramidas wrote:
...
> > BTW in terms of implementation efficiency: this limit thing
> > uses the same hash table used by dynamic ipfw rules.
> > There is currently an (arbitrary) limit of a total of 1000
> > dynamic entries in the table, but no reason not to raise it
> > much higher if you have memory.
> 
> The main reason I was looking for a userland implementation of this
> was that adding limiting to an FTP server that has an active number of
> a few thousand connections might be a little resource intensive to the
> kernel of the machine.  It's probably OK to stay a bit too much within
> a userland function that searches a hash/list of addresses, but doing
> this in the kernel is something I can't say I fully understand yet.
> 
> I'm not familiar with the ipfw code.  Would it be possible to limit
> the connections based on source address for a machine that has a few
> thousand connections and still not put a heavy load on the kernel?

i'd say yes, as long as you make the hash table size
and number of buckets large enough. Both are configurable
via sysctl variables:

    net.inet.ip.fw.dyn_buckets: 256
    net.inet.ip.fw.dyn_max: 1000

	cheers
	luigi
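
Added example, not part of the original message and not ipfw's code: a simplified userland model of a per-source connection limiter backed by a chained hash table, showing how the bucket count drives lookup cost and how an entry cap like net.inet.ip.fw.dyn_max refuses new sources once the table is full. The hash function, the struct and function names, and the 10.0.0.0-based source addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, NOT ipfw's code: one entry per source, chained hash. */
struct entry { uint32_t src; unsigned conns; struct entry *next; };
struct table { struct entry **chain; unsigned buckets, max, count, limit; };

static struct table *table_new(unsigned buckets, unsigned max, unsigned limit)
{
    struct table *t = calloc(1, sizeof(*t));
    if (t == NULL || (t->chain = calloc(buckets, sizeof(*t->chain))) == NULL)
        abort();
    t->buckets = buckets; t->max = max; t->limit = limit;
    return t;
}

/* Returns 1 if the connection is admitted, 0 if refused; adds the chain
 * links walked to *steps (the lookup cost a bigger table reduces). */
static int table_connect(struct table *t, uint32_t src, unsigned long *steps)
{
    /* Assumed multiplicative hash; ipfw's real hash function differs. */
    unsigned b = (unsigned)((src * 2654435761u) >> 16) % t->buckets;
    struct entry *e = t->chain[b];
    for (; e != NULL; e = e->next) {
        (*steps)++;
        if (e->src == src)   /* known source: enforce per-source limit */
            return e->conns < t->limit ? (e->conns++, 1) : 0;
    }
    if (t->count >= t->max || (e = malloc(sizeof(*e))) == NULL)
        return 0;            /* table full: the dyn_max analogue */
    e->src = src; e->conns = 1; e->next = t->chain[b];
    t->chain[b] = e; t->count++;
    return 1;
}

/* Open one connection from each of n constructed sources (10.0.0.0 + i). */
static unsigned long fill(struct table *t, unsigned n)
{
    unsigned long steps = 0;
    for (unsigned i = 0; i < n; i++)
        table_connect(t, 0x0a000000u + i, &steps);
    return steps;
}

int main(void)
{
    printf("256 buckets:  %lu links walked\n", fill(table_new(256, 4000, 4), 4000));
    printf("4096 buckets: %lu links walked\n", fill(table_new(4096, 4000, 4), 4000));
    return 0;
}
```

With 4000 sources in 256 buckets every lookup walks a chain of roughly 15 entries, while 4096 buckets keeps chains near length one; with the entry cap left at 1000, sources beyond the first 1000 are refused outright.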
