From: bycn82
Date: Sun, 18 May 2014 00:43:40 +0800
To: Freddie Cash
Cc: "freebsd-ipfw@freebsd.org"
Subject: Re: feature of `packet per second`
Message-ID: <537791BC.7090209@gmail.com>

On 4/30/14 23:45, Freddie Cash wrote:
> On Wed, Apr 30, 2014 at 8:31 AM, bycn82 wrote:
> > On 4/30/14 23:01, Julian Elischer wrote:
> > > On 4/30/14, 8:52 PM, bycn82 wrote:
> > > > Hi
> > > > `packet per second` it is easy to be implemented using
> > > > iptables, there is a module named `recent`, but in using
> > > > ipfw, do we have any solution to fulfill it? Check the
> > > > link below
> > > > https://forums.freebsd.org/viewtopic.php?f=44&t=42933&p=258441#p258441
> > >
> > > since I don't use linux.. what is "packet per second"?.. does
> > > it report it or set a limit on it?
> > >
> > > > bycn82
> >
> > Yes, "Packets Per Second" means limit a connection based on the
> > packets number, for example, if I allow 2 ICMP packets come to my
> > server in each individual second, only the first 2 packets will
> > be allowed, all others in the same second will be dropped.
>
> For ICMP, specifically, there's a sysctl to control the rate (per
> second):
>
> # sysctl -d net.inet.icmp.icmplim
> net.inet.icmp.icmplim: Maximum number of ICMP responses per second
>
> For everything else, you'd want to use dummynet(4).
>
> --
> Freddie Cash
> fjwcash@gmail.com

Hi

As Freddie said, for the ICMP protocol, it actually comes with this 'PPS' feature.
So I just double-checked the source code of the ip_icmp.c file, because I didn't know this before. And suddenly a question came into my mind: "Why didn't I know it before?"

Yes, I can list all the sysctl options with the `sysctl -a` command, but we don't have any page which introduces all the options.

root@FB10Head:~ # sysctl -a | grep rexmit_min
net.inet.tcp.rexmit_min: 30
root@FB10Head:~ # sysctl -a | grep icmplim
net.inet.icmp.icmplim: 200
net.inet.icmp.icmplim_output: 1
root@FB10Head:~ # sysctl -a | wc -l
4120
root@FB10Head:~ #

So, more than 4000 options!!! Maybe we should have a mailing list to collect the introduction of all the options, or a public wiki page like Wikipedia for it.

Regards,
bycn82
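
The per-second limit described in the thread (the first 2 packets in each second pass, the rest in that second are dropped), written as a fixed-window counter. This is an added example, not code from the thread or from FreeBSD's ip_icmp.c; the `pps_*` names and the sample arrival times are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Fixed-window packets-per-second limiter. Hypothetical names, not FreeBSD code. */
struct pps_limiter {
    int64_t window_sec; /* which one-second window the counter belongs to */
    int     count;      /* packets already accepted in that window */
    int     max_pps;    /* packets accepted per window */
};

static void pps_init(struct pps_limiter *l, int max_pps) {
    l->window_sec = -1; /* no window seen yet */
    l->count = 0;
    l->max_pps = max_pps;
}

/* Returns 1 to accept the packet, 0 to drop it. now_ms: monotonic time in ms. */
static int pps_allow(struct pps_limiter *l, int64_t now_ms) {
    int64_t sec = now_ms / 1000;
    if (sec != l->window_sec) { /* a new second started: reset the counter */
        l->window_sec = sec;
        l->count = 0;
    }
    if (l->count >= l->max_pps) return 0;
    l->count++;
    return 1;
}

/* Replays arrival times; writes 'A'/'D' per packet, returns the accepted count. */
static int pps_replay(int max_pps, const int64_t *t_ms, int n, char *verdicts) {
    struct pps_limiter l;
    int accepted = 0;
    pps_init(&l, max_pps);
    for (int i = 0; i < n; i++) {
        int ok = pps_allow(&l, t_ms[i]);
        if (verdicts) verdicts[i] = ok ? 'A' : 'D';
        accepted += ok;
    }
    return accepted;
}

/* Constructed arrival times in milliseconds (not captured traffic). */
static const int64_t sample_ms[] = {100, 950, 990, 1000, 1005, 1010, 2500};
int main(void) {
    char v[8] = {0};
    int n = (int)(sizeof sample_ms / sizeof sample_ms[0]);
    printf("accepted %d of %d: %s\n", pps_replay(2, sample_ms, n, v), n, v);
    return 0;
}
```

Because the counter resets on the second boundary, a limit of 2 still lets 4 packets through within a few milliseconds when they straddle that boundary, which matters when sizing the limit against bursts.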