Date:      Fri, 2 May 2014 10:59:03 +0200
From:      Luigi Rizzo <rizzo@iet.unipi.it>
To:        bycn82 <bycn82@gmail.com>
Cc:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>, Freddie Cash <fjwcash@gmail.com>
Subject:   Re: feature of `packet per second`
Message-ID:  <CA%2BhQ2%2BhjjS=AXVdnaEdFOKY1DqiLuX9iP0gy3wo6FbwnEdq_Qw@mail.gmail.com>
In-Reply-To: <53611EB1.4000406@gmail.com>
References:  <5360F1F4.9060808@gmail.com> <5361105C.1040203@freebsd.org> <53611738.8010103@gmail.com> <CAOjFWZ4zRUmcjG-r--OqoGEWcSZoWhtTykgAAHzCjoEWsMVS9g@mail.gmail.com> <53611EB1.4000406@gmail.com>

On Wed, Apr 30, 2014 at 6:02 PM, bycn82 <bycn82@gmail.com> wrote:

>
>> fjwcash@gmail.com <mailto:fjwcash@gmail.com>
>>
> Thanks for your reply, and it is good to know the sysctl for ICMP.
>
> Finally it works. I just added a new `action` in firewall and it is called
> `pps`, which means it can be general purpose while the
> net.inet.icmp.icmplim is only for ICMP traffic.
>
> The usage will be like below:
>
> root@F10:/usr/src/sbin/ipfw # ./ipfw add pps 1 icmp from any to any
> 00100 pps 1 icmp from any to any
> root@F10:/usr/src/sbin/ipfw # ./ipfw show
> 00100     9     540 pps 1 icmp from any to any
> 65535 13319 1958894 allow ip from any to any
> root@F10:/usr/src/sbin/ipfw #
>
>
Hi,
as Julian said it would be great if you would like to share your code
so we can integrate it in future ipfw releases.
Once again citing Julian, dummynet is a bit of a superset of pps but
not exactly, so I see value in the additional feature.

One thing to keep in mind in the implementation:

the burst size used for limiting is an important parameter that
everyone forgets. 1 pps is basically "don't bother me".
1000 pps could be "1000 packets every fixed 1-sec interval"
or "1 packet every ms" or (this is more difficult)
"20 pkt in the last 50ms interval".

If I were to implement the feature I would add two parameters
(burst, I_max) with reasonable defaults and compute the internal
interval and max_count as follows:

   if (burst > max_pps * I_max)
       burst = max_pps * I_max; // make sure it is not too large
   else if (burst < max_pps / HZ)
       burst = max_pps / HZ;    // nor too small (less than one tick's worth)
   max_count = max_pps / burst;
   interval = HZ * burst / max_pps; // in ticks
   count = 0; // actual counter

then add { max_count, interval, timestamp, count } to the rule descriptor.
On incoming packets:

   if (ticks >= r->interval + r->timestamp) {
       r->timestamp = ticks;  // start a new interval with this packet
       r->count = 1;
       return ACCEPT;
   }
   if (r->count >= r->max_count) // budget for this interval exhausted
       return DENY;
   r->count++;
   return ACCEPT;

cheers
luigi
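To make the burst/interval computation and the per-packet check above concrete, here is a stand-alone C version written for this page; it is not Luigi's or ipfw's code. It assumes HZ = 1000, max_pps >= 1, and takes max_count = burst (the mail leaves that derivation open); the small simulator lets two rules with the same max_pps but different burst be compared, which is exactly the parameter the mail says everyone forgets.

```c
#include <stdint.h>
#define HZ 1000 /* assumed tick rate: one tick per millisecond */
enum { PPS_ACCEPT = 0, PPS_DENY = 1 };

struct pps_rule {       /* per-rule limiter state, as proposed in the mail */
    uint32_t max_count; /* packets admitted per interval */
    uint32_t interval;  /* interval length in ticks */
    uint32_t timestamp; /* tick at which the current interval began */
    uint32_t count;     /* packets admitted so far in this interval */
};

/* Derive interval/max_count from (max_pps, burst, I_max).  The clamps follow the
 * mail; max_count = burst is this example's choice, so that max_count packets per
 * interval of burst/max_pps seconds averages to exactly max_pps in the long run.
 * max_pps must be >= 1. */
void pps_init(struct pps_rule *r, uint32_t max_pps, uint32_t burst, uint32_t i_max)
{
    if ((uint64_t)burst > (uint64_t)max_pps * i_max)
        burst = max_pps * i_max;  /* no more than I_max seconds worth of packets */
    else if (burst < max_pps / HZ)
        burst = max_pps / HZ;     /* at least one tick's worth, so interval >= 1 */
    if (burst == 0) burst = 1;    /* a rule that admits nothing is not a limiter */
    r->max_count = burst;
    r->interval = (uint32_t)(((uint64_t)HZ * burst) / max_pps);
    if (r->interval == 0) r->interval = 1;
    r->timestamp = 0;
    r->count = 0;
}

/* Per-packet decision; 'ticks' is the current clock in HZ units. */
int pps_check(struct pps_rule *r, uint32_t ticks)
{
    if (ticks >= r->timestamp + r->interval) {
        r->timestamp = ticks;     /* start a new interval with this packet */
        r->count = 1;
        return PPS_ACCEPT;
    }
    if (r->count >= r->max_count)
        return PPS_DENY;          /* burst budget for this interval exhausted */
    r->count++;
    return PPS_ACCEPT;
}

/* Offer per_tick packets on every tick in [start, start+n_ticks) and return how
 * many were accepted: shows how burst shapes admission at equal max_pps. */
uint32_t pps_simulate(struct pps_rule *r, uint32_t start, uint32_t n_ticks, uint32_t per_tick)
{
    uint32_t accepted = 0;
    for (uint32_t t = start; t < start + n_ticks; t++)
        for (uint32_t i = 0; i < per_tick; i++)
            accepted += (pps_check(r, t) == PPS_ACCEPT);
    return accepted;
}
```

Offering 2000 packets per second to two 1000 pps rules, burst 20 admits 20 packets in every 20 ms slot, whereas burst 1000 admits the first 1000 packets and then nothing for the rest of the second; both end at 1000 accepted.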



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CA%2BhQ2%2BhjjS=AXVdnaEdFOKY1DqiLuX9iP0gy3wo6FbwnEdq_Qw>