Date: Sun, 18 Jul 1999 15:21:04 +0200 (MET DST)
From: Luigi Rizzo <luigi@labinfo.iet.unipi.it>
To: des@flood.ping.uio.no (Dag-Erling Smorgrav)
Cc: net@FreeBSD.ORG
Subject: Re: pipes
Message-ID: <199907181321.PAA18272@labinfo.iet.unipi.it>
In-Reply-To: <xzpyagem4e1.fsf@flood.ping.uio.no> from "Dag-Erling Smorgrav" at Jul 18, 99 04:14:11 pm

> Next, let's add a pipe to limit incoming SYNs to 2 kBps:
...

and here you hit a bug in ipfw processing, where k (lowercase)
is not recognised and silently ignored; you need K (capital).

In your case you have a nice pipe serving 2 bits per second --
basically a morse channel or slower!

...
> Then I run my flooder again for a short while and observe:
>
> root@efnet ~# ipfw -a l 10 20
> 00010 46 2188 pipe 1 tcp from any to any in setup
> 00020 0 0 allow tcp from any to any 6666,6667 in setup
> root@efnet ~# ipfw pipe list 1
> 00001: 2.000 bit/s 0 ms 50 sl. -- 49 pkts (2332 B) 29 drops
>
> So the pipe claims to have blocked only 29 out of 49 packets, but no
> packets reached rule 20. At this point I have to stop testing since

as the listing says there are 49 more packets totalling 2332 bytes
queued in the pipe, which has 50 slots. (I suppose between the two
commands the flooder has generated some more packets...)
As the pipe believes it is a 2 bit/s pipe, it will drain in 9328 seconds.

I forgot to comment in my previous email, but generally when you
use low bandwidths (even with the 2Kbytes/s you meant) you need short
queues (and probably sized in bytes, not packets) to avoid long
drain times.

> (BTW, I also tried the following:
>
> root@efnet ~# sysctl -w net.inet.ip.fw.one_pass=1

This is certainly necessary, or ruleset writing becomes a little
bit less obvious. It was a really bad choice the one I made on 3.1
to default to 0!

cheers
luigi
-----------------------------------+-------------------------------------
  Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
  http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
  TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)

            http://www.iet.unipi.it/~luigi/ngc99/
  ==== First International Workshop on Networked Group Communication ====
-----------------------------------+-------------------------------------
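
Added example (not part of the message above and not ipfw code): a small check that parses an `ipfw pipe list` line in the layout quoted in the message, computes how long the queue takes to drain, and sizes a queue in bytes for a target drain time. The `K`/`M` unit prefixes, the 1500-byte packet size, the 5-second threshold and the function names are assumptions made for this example.

```python
import re

# Layout of one `ipfw pipe list` line, as quoted in the message above.
# The K/M prefixes are an assumption; the message only shows plain "bit/s".
PIPE_RE = re.compile(
    r"^(?P<pipe>\d+):\s+(?P<bw>[\d.]+)\s+(?P<unit>[KM]?)bit/s\s+"
    r"(?P<delay>\d+)\s+ms\s+(?P<slots>\d+)\s+sl\.\s+--\s+"
    r"(?P<pkts>\d+)\s+pkts\s+\((?P<bytes>\d+)\s+B\)\s+(?P<drops>\d+)\s+drops$"
)
SCALE = {"": 1, "K": 1_000, "M": 1_000_000}  # assumed decimal prefixes


def audit_pipe(line, max_drain_s=5.0, pkt_bytes=1500):
    """Report how long the queue of one pipe needs to drain.

    max_drain_s and pkt_bytes are hypothetical tuning values for this example.
    """
    m = PIPE_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised pipe line: %r" % line)
    bps = float(m["bw"]) * SCALE[m["unit"]]
    if bps <= 0:
        raise ValueError("pipe has no finite bandwidth")
    # Time to send the bytes that are queued right now.
    drain_s = int(m["bytes"]) * 8 / bps
    # Worst case: every slot holds a full-size packet.
    worst_case_s = int(m["slots"]) * pkt_bytes * 8 / bps
    return {
        "pipe": int(m["pipe"]),
        "bits_per_s": bps,
        "drain_s": drain_s,
        "worst_case_s": worst_case_s,
        "flagged": worst_case_s > max_drain_s,
    }


def max_queue_bytes(bits_per_s, target_drain_s):
    """Largest byte-sized queue that still drains within target_drain_s."""
    return int(bits_per_s * target_drain_s / 8)


# Pipe line copied from the quoted listing in the message.
SAMPLE = "00001: 2.000 bit/s 0 ms 50 sl. -- 49 pkts (2332 B) 29 drops"

if __name__ == "__main__":
    print(audit_pipe(SAMPLE))
    print("queue for 16000 bit/s, 1 s drain:", max_queue_bytes(16000, 1.0), "bytes")
```

Run on the quoted line, the check reproduces the 9328-second drain time and flags the pipe, which is how a mis-parsed bandwidth unit shows up in the listing.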