From owner-freebsd-ipfw@FreeBSD.ORG Fri May 2 08:59:06 2014
Date: Fri, 2 May 2014 10:59:03 +0200
From: Luigi Rizzo
To: bycn82
Cc: "freebsd-ipfw@freebsd.org", Freddie Cash
Subject: Re: feature of `packet per second`
In-Reply-To: <53611EB1.4000406@gmail.com>
References: <5360F1F4.9060808@gmail.com> <5361105C.1040203@freebsd.org> <53611738.8010103@gmail.com> <53611EB1.4000406@gmail.com>
List-Id: IPFW Technical Discussions

On Wed, Apr 30, 2014 at 6:02 PM, bycn82 wrote:
>
>> fjwcash@gmail.com
>>
> Thanks for your reply, and it is good to know the sysctl for ICMP.
>
> Finally it works. I just added a new `action` in firewall and it is called
> `pps`, that means it can be generic purpose while the
> net.inet.icmp.icmplim is only for ICMP traffic.
>
> The usage will be like below:
>
> root@F10:/usr/src/sbin/ipfw # ./ipfw add pps 1 icmp from any to any
> 00100 pps 1 icmp from any to any
> root@F10:/usr/src/sbin/ipfw # ./ipfw show
> 00100 9 540 pps 1 icmp from any to any
> 65535 13319 1958894 allow ip from any to any
> root@F10:/usr/src/sbin/ipfw #

Hi, as Julian said it would be great if you would like to share your code
so we can integrate it in future ipfw releases. Once again citing Julian,
dummynet is a bit of a superset of pps but not exactly, so I see value in
the additional feature.

One thing to keep in mind in the implementation: the burst size used for
limiting is an important parameter that everyone forgets. 1 pps is
basically "don't bother me". 1000 pps could be "1000 packets every fixed
1-sec interval" or "1 packet every ms" or (this is more difficult) "20 pkt
in the last 50ms interval".
If I were to implement the feature I would add two parameters (burst, I_max)
with reasonable defaults and compute the internal interval and max_count as
follows:

    if (burst > max_pps * I_max)
        burst = max_pps * I_max;       /* make sure it is not too large */
    else if (burst < max_pps / HZ)
        burst = max_pps / HZ;          /* nor too small: at least one packet per tick */
    max_count = burst;                 /* packets allowed in one interval */
    interval = HZ * burst / max_pps;   /* interval length in ticks */
    count = 0;                         /* actual counter */

then add { max_count, interval, timestamp, count } to the rule descriptor.
On incoming packets:

    if (ticks >= r->interval + r->timestamp) {
        r->timestamp = ticks;          /* this packet opens a new interval */
        r->count = 1;
        return ACCEPT;
    }
    if (r->count >= r->max_count)      /* budget for this interval is used up */
        return DENY;
    r->count++;
    return ACCEPT;

cheers
luigi
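As an added, self-contained illustration of the scheme sketched above (this is example code written for this page; it is neither Luigi's snippet nor ipfw's own implementation), the C program below derives interval and max_count from max_pps, burst and I_max, applies the per-packet check, and runs two constructed arrival patterns through it: a 1000 pps rule with burst 20, and the 1 pps "don't bother me" case. HZ=1000, the struct pps_rule and the functions pps_rule_init, pps_rule_check, pps_simulate and the scenario helpers are all assumptions made for the example, as is the choice of unsigned tick arithmetic so the comparison stays correct when the tick counter wraps.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HZ 1000  /* assumed tick rate for this example (kern.hz on FreeBSD) */

enum { PPS_ACCEPT = 0, PPS_DENY = 1 };

/* Hypothetical per-rule state: the fields proposed for the rule descriptor. */
typedef struct pps_rule {
    uint32_t max_pps;    /* configured packets-per-second limit */
    uint32_t max_count;  /* packets allowed per interval (the burst) */
    uint32_t interval;   /* interval length in ticks */
    uint32_t timestamp;  /* tick at which the current interval started */
    uint32_t count;      /* packets accepted in the current interval */
} pps_rule;

/* Derive interval and max_count from max_pps, the requested burst (packets)
 * and I_max (longest acceptable interval, seconds). Returns -1 on bad input. */
int pps_rule_init(pps_rule *r, uint32_t max_pps, uint32_t burst, uint32_t i_max)
{
    uint64_t hi, lo;
    if (max_pps == 0 || i_max == 0)
        return -1;
    hi = (uint64_t)max_pps * i_max;          /* burst must not exceed max_pps * I_max */
    lo = ((uint64_t)max_pps + HZ - 1) / HZ;  /* nor be below one packet per tick */
    if (lo == 0)
        lo = 1;
    if (burst > hi)
        burst = (uint32_t)hi;
    if (burst < lo)
        burst = (uint32_t)lo;
    r->max_pps = max_pps;
    r->max_count = burst;
    r->interval = (uint32_t)(((uint64_t)HZ * burst) / max_pps);
    if (r->interval == 0)
        r->interval = 1;
    r->count = 0;
    /* Start one interval in the past so the first packet opens a fresh one. */
    r->timestamp = 0u - r->interval;
    return 0;
}

/* Per-packet decision; unsigned subtraction survives tick-counter wraparound. */
int pps_rule_check(pps_rule *r, uint32_t ticks)
{
    if (ticks - r->timestamp >= r->interval) {
        r->timestamp = ticks;  /* this packet opens a new interval */
        r->count = 1;
        return PPS_ACCEPT;
    }
    if (r->count >= r->max_count)
        return PPS_DENY;       /* budget for this interval is used up */
    r->count++;
    return PPS_ACCEPT;
}

/* Run a constructed arrival pattern (one tick value per packet) through a
 * rule and return how many packets were accepted. */
uint32_t pps_simulate(uint32_t max_pps, uint32_t burst, uint32_t i_max,
                      const uint32_t *arrivals, size_t n)
{
    pps_rule r;
    uint32_t accepted = 0;
    size_t i;
    if (pps_rule_init(&r, max_pps, burst, i_max) != 0)
        return 0;
    for (i = 0; i < n; i++)
        if (pps_rule_check(&r, arrivals[i]) == PPS_ACCEPT)
            accepted++;
    return accepted;
}

/* Scenario 1 (constructed): 1000 pps, burst 20 gives 20 packets per 20-tick
 * interval; 100 packets at tick 0 and 100 at tick 20 -> 40 accepted. */
uint32_t scenario_two_bursts(void)
{
    uint32_t arrivals[200];
    size_t i;
    for (i = 0; i < 200; i++)
        arrivals[i] = (i < 100) ? 0 : 20;
    return pps_simulate(1000, 20, 1, arrivals, 200);
}

/* Scenario 2 (constructed): 1 pps; packets at ticks 0, 500, 1000, 1500, 2000,
 * only those at 0, 1000 and 2000 pass -> 3 accepted. */
uint32_t scenario_one_pps(void)
{
    uint32_t arrivals[5] = { 0, 500, 1000, 1500, 2000 };
    return pps_simulate(1, 100, 1, arrivals, 5);
}

/* Expose the derived parameters so a configuration can be inspected. */
uint32_t derived_interval(uint32_t max_pps, uint32_t burst, uint32_t i_max)
{
    pps_rule r;
    return pps_rule_init(&r, max_pps, burst, i_max) == 0 ? r.interval : 0;
}

uint32_t derived_max_count(uint32_t max_pps, uint32_t burst, uint32_t i_max)
{
    pps_rule r;
    return pps_rule_init(&r, max_pps, burst, i_max) == 0 ? r.max_count : 0;
}

int main(void)
{
    printf("two bursts: %u accepted\n", scenario_two_bursts());
    printf("one pps: %u accepted\n", scenario_one_pps());
    return 0;
}
```

The two clamps are what keep the burst parameter meaningful: asking for burst 5000 on a 1000 pps rule with I_max 1 s collapses to 1000 packets per one-second interval, and asking for burst 1 on a 5000 pps rule is raised to 5 packets per single tick, since a sub-tick interval cannot be measured with the tick counter.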