From owner-freebsd-net Sun Jul 18 8:49:34 1999
From: Luigi Rizzo
Message-Id: <199907181321.PAA18272@labinfo.iet.unipi.it>
Subject: Re: pipes
To: des@flood.ping.uio.no (Dag-Erling Smorgrav)
Date: Sun, 18 Jul 1999 15:21:04 +0200 (MET DST)
Cc: net@FreeBSD.ORG
In-Reply-To: from "Dag-Erling Smorgrav" at Jul 18, 99 04:14:11 pm

> Next, let's add a pipe to limit incoming SYNs to 2 kBps:

... and here you hit a bug in ipfw processing, where k (lowercase) is not recognised and silently ignored; you need K (capital). In your case you have a nice pipe serving 2 bits per second -- basically a Morse channel or slower!

...

> Then I run my flooder again for a short while and observe:
>
> root@efnet ~# ipfw -a l 10 20
> 00010 46 2188 pipe 1 tcp from any to any in setup
> 00020 0 0 allow tcp from any to any 6666,6667 in setup
> root@efnet ~# ipfw pipe list 1
> 00001: 2.000 bit/s 0 ms 50 sl. -- 49 pkts (2332 B) 29 drops
>
> So the pipe claims to have blocked only 29 out of 49 packets, but no
> packets reached rule 20.

At this point I have to stop testing since, as the listing says, there are 49 more packets totalling 2332 bytes queued in the pipe, which has 50 slots. (I suppose between the two commands the flooder has generated some more packets...) As the pipe believes it is a 2 bit/s pipe, it will drain in 9328 seconds.
I forgot to comment in my previous email, but generally when you use low bandwidths (even with the 2Kbytes/s you meant) you need short queues (and probably sized in bytes, not packets) to avoid long drain times.

> (BTW, I also tried the following:
>
> root@efnet ~# sysctl -w net.inet.ip.fw.one_pass=1

This is certainly necessary, or ruleset writing becomes a little bit less obvious. It was a really bad choice, the one I made on 3.1, to default to 0!

cheers
luigi

-----------------------------------+-------------------------------------
Luigi RIZZO, luigi@iet.unipi.it    . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/    . Universita` di Pisa
TEL/FAX: +39-050-568.533/522       . via Diotisalvi 2, 56126 PISA (Italy)
http://www.iet.unipi.it/~luigi/ngc99/
==== First International Workshop on Networked Group Communication ====
-----------------------------------+-------------------------------------
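The arithmetic behind the two messages above, as an added worked example that is not Luigi's code nor part of ipfw/dummynet: a small Python model of the case-sensitive unit-suffix bug (an unrecognised suffix silently falls back to plain bit/s), a parser for the 1999-format `ipfw pipe list` line, and the drain-time and byte-sized-queue computations. The unit table is an assumed approximation of the old `bw` syntax, and the sample listing is the one quoted in the message; everything else is constructed for illustration.

```python
"""Bandwidth-unit parsing and queue drain-time arithmetic for a
dummynet-style pipe.  Added illustration; not ipfw's own code."""
import re

# Multipliers to bit/s.  ASSUMPTION: an approximation of the 1999 ipfw
# 'bw' suffixes.  The historical parser looked the suffix up
# case-sensitively, so a lowercase "k" matched nothing at all.
_UNITS = {
    "bit/s": 1, "Kbit/s": 1_000, "Mbit/s": 1_000_000,
    "Byte/s": 8, "KByte/s": 8_000, "MByte/s": 8_000_000,
    "Bytes/s": 8, "KBytes/s": 8_000, "MBytes/s": 8_000_000,
}
_LOWER_UNITS = {k.lower(): v for k, v in _UNITS.items()}


def parse_bw(spec, lenient=False):
    """Return bandwidth in bit/s for a 'bw' argument such as '2KBytes/s'.

    lenient=False mimics the 1999 behaviour described in the thread: an
    unrecognised suffix is silently dropped and the number is taken as
    plain bit/s.  lenient=True matches the suffix case-insensitively and
    rejects anything it does not know, which is what a user wants.
    """
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z/]*)\s*", spec)
    if not m:
        raise ValueError(f"malformed bandwidth spec: {spec!r}")
    number, unit = int(m.group(1)), m.group(2) or "bit/s"
    if lenient:
        try:
            return number * _LOWER_UNITS[unit.lower()]
        except KeyError:
            raise ValueError(f"unknown bandwidth unit: {unit!r}") from None
    return number * _UNITS.get(unit, 1)   # silent fallback: the bug


# One 'ipfw pipe list' line in the format quoted in the message.
_PIPE_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<bw>[\d.]+)\s+(?P<unit>\S+)\s+(?P<delay>\d+)\s+ms\s+"
    r"(?P<slots>\d+)\s+sl\.\s+--\s+(?P<pkts>\d+)\s+pkts\s+\((?P<bytes>\d+)\s+B\)\s+"
    r"(?P<drops>\d+)\s+drops")


def parse_pipe_line(line):
    """Parse one 'ipfw pipe list' line into a dict with bw in bit/s."""
    m = _PIPE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised pipe listing: {line!r}")
    d = m.groupdict()
    return {
        "pipe": int(d["num"]),
        "bw_bps": float(d["bw"]) * _UNITS[d["unit"]],
        "delay_ms": int(d["delay"]),
        "slots": int(d["slots"]),
        "pkts": int(d["pkts"]),
        "bytes": int(d["bytes"]),
        "drops": int(d["drops"]),
    }


def drain_time_s(queued_bytes, bw_bps):
    """Seconds until a backlog of queued_bytes leaves a pipe of bw_bps."""
    return queued_bytes * 8 / bw_bps


def queue_bytes_for_delay(bw_bps, max_delay_s):
    """Largest byte-sized queue that bounds queueing delay by max_delay_s.

    This is the 'short queue, sized in bytes' Luigi recommends for low
    bandwidths: queue_bytes = bw * max_delay, independent of packet size.
    """
    return int(bw_bps * max_delay_s / 8)


# Listing copied from the quoted message (constructed sample input).
SAMPLE_LISTING = "00001: 2.000 bit/s 0 ms 50 sl. -- 49 pkts (2332 B) 29 drops"

if __name__ == "__main__":
    print("2kBytes/s, 1999 parser:", parse_bw("2kBytes/s"), "bit/s")
    print("2kBytes/s, lenient    :", parse_bw("2kBytes/s", lenient=True), "bit/s")
    p = parse_pipe_line(SAMPLE_LISTING)
    print("backlog drains in", drain_time_s(p["bytes"], p["bw_bps"]), "s")
    print("queue for 16 kbit/s, 0.5 s max delay:",
          queue_bytes_for_delay(16_000, 0.5), "bytes")
```

With the intended 2 KBytes/s (16 kbit/s) and a 0.5 s delay budget, the queue should hold about 1000 bytes, which is roughly one or two full-size packets; a 50-slot packet queue at that rate can hold tens of seconds of backlog, and at the mis-parsed 2 bit/s the quoted 2332-byte backlog takes 9328 s to drain.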