From owner-freebsd-net Wed Dec 13 12:26:13 2000
From owner-freebsd-net@FreeBSD.ORG Wed Dec 13 12:26:11 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from overlord.e-gerbil.net (e-gerbil.net [207.91.110.247]) by hub.freebsd.org (Postfix) with ESMTP id A835437B402; Wed, 13 Dec 2000 12:26:09 -0800 (PST)
Received: by overlord.e-gerbil.net (Postfix, from userid 1001) id A5416E4F4D; Wed, 13 Dec 2000 15:25:58 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by overlord.e-gerbil.net (Postfix) with ESMTP id 89E32E4F4C; Wed, 13 Dec 2000 15:25:58 -0500 (EST)
Date: Wed, 13 Dec 2000 15:25:58 -0500 (EST)
From: "Richard A. Steenbergen"
To: Mike Silbersack
Cc: Bosko Milekic, freebsd-net@freebsd.org, green@freebsd.org
Subject: Re: Ratelimint Enhancement patch (Please Review One Last Time!)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 13 Dec 2000, Mike Silbersack wrote:

> On Wed, 13 Dec 2000, Richard A. Steenbergen wrote:
>
> > Is there some specific reason you need timestamp separate? If you're
> > really up for that, why not just limit each ICMP type separately?
>
> There's no real need for it to be separate, it just feels cleaner. I
> prefer seeing the two cases have separately reported values. (Have I
> missed any icmp types that a host could respond with? If so, please tell
> me so that I can add them.)

Assuming the box is not acting as a router in any fashion... It doesn't
matter, it really doesn't, I'm just not sure timestamp is really worth the
hassle instead of just calling it icmp request... The advantage of
separate limits is to keep one service working when another is being
limited.

Since it's a dirt simple operation to pick which limit you're hitting, and
there are no queues involved, just counters, it might be just as easy to
go into the rate limiting function as icmp limit, and have it maintain
separate limits for every type, if you really wanted...

> > As for performance, this limiting occurs deeper in the stack than ipfw,
> > and w/dummynet you have the flexibility to mask the ips so that each
> > interface or aliased ip could have a separate rate limit as well.
>
> Hm, true. I was thinking of limiting the outgoing side, which would mean
> ipfw comes later in the string, but I suppose that if you limit on the
> incoming ipfw's sooner.

Historically bandlim has been the process of stopping the processing at
input of things which would result in output... Do you want to (or need
to) extend this?

> I wasn't planning to subdivide the reporting any more in future patches,
> so you shouldn't see any new tunables popping up for that reason.

Same question as above, is this to be built-in Denial of Service
prevention, or is this limiting of packets which could potentially
generate excessive processing or replies? Might as well do it right
instead of kludging this up any more... :P

--
Richard A Steenbergen       http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
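The per-type counter scheme sketched in the reply above (no queues, just a counter per ICMP type, each with its own reported drop count) as an added illustration; this is not code from the thread, from the patch under review, or from FreeBSD's own bandlim, and the one-second window, the function names and the printf report are assumptions of the example.

```c
#include <stdio.h>
#include <stdint.h>

/* One counter set per ICMP type; the limit is per one-second window
 * (an assumption of this example, not the patch's actual tunable). */
struct icmp_limit {
    unsigned int limit;    /* packets allowed per second; 0 = unlimited */
    uint32_t     window;   /* second in which the current window started */
    unsigned int seen;     /* packets seen in the current window */
    unsigned int dropped;  /* packets dropped in the current window */
};

static struct icmp_limit limits[256];

/* The per-type tunable: how many packets of this type per second. */
void icmp_limit_set(uint8_t type, unsigned int per_second)
{
    limits[type].limit = per_second;
}

/* Called at input for a packet of `type` at wall-clock second `now`.
 * Returns 1 if the packet should be processed, 0 if it should be dropped.
 * Only counters are touched, no queue; when a new second starts, the
 * drops of the previous window are reported once, separately per type. */
int icmp_limit_check(uint8_t type, uint32_t now)
{
    struct icmp_limit *l = &limits[type];

    if (l->limit == 0)
        return 1;                        /* this type is not limited */

    if (now != l->window) {              /* window rolled over */
        if (l->dropped)
            printf("Limiting ICMP type %u: dropped %u of %u in 1s\n",
                   type, l->dropped, l->seen);
        l->window = now;
        l->seen = 0;
        l->dropped = 0;
    }

    if (++l->seen > l->limit) {          /* over budget: count and drop */
        l->dropped++;
        return 0;
    }
    return 1;
}
```

Limiting echo request (type 8) does not consume the timestamp request (type 13) budget, which is the "keep one service working" property the reply argues for.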