Date:      07 Feb 2002 09:19:00 -0500
From:      Dan Pelleg <peldan@yahoo.com>
To:        Eugene Grosbein <eugen@www.svzserv.kemerovo.su>
Cc:        stable@freebsd.org
Subject:   Re: ipfw limit option
Message-ID:  <u2s3d0dnzmz.fsf@gs166.sp.cs.cmu.edu>
In-Reply-To: <20020207154529.A92095@svzserv.kemerovo.su>
References:  <20020207154529.A92095@svzserv.kemerovo.su>

Eugene Grosbein <eugen@www.svzserv.kemerovo.su> writes:

> Hi!
> 
> I'm trying to utilize the ipfw limit option with 4.5-STABLE.
> Till now I had stateless ipfw configuration that worked fine.
> 
> Now I need to limit one of my TCP services with only 5 sessions 
> per IP. The service itself has a global limit of 50 simultaneous
> connections but cannot limit the number of connections per IP.
> And it is abused.
> 
> I have the following rules for the service bound to TCP port 8888:
> 
> $fwcmd add 60130 pipe 3 tcp from $my_ip 8888 to any # for traffic shaping
> $fwcmd add 60135 allow tcp from any to $my_ip 8888 
> 
> Now I changed rule 60135 to
> $fwcmd add 60135 allow tcp from any to $my_ip 8888 limit src-addr 5
> 
> This works basically, but:
> 
> 1. Sometimes I see 8 connections per 1 IP, 6 are ESTABLISHED and
>    2 are CLOSE_WAIT. That does not bother me too much, but it shows
>    that the code is not very exact.
> 
> 2. The kernel fills my logs and console with TONS of messages:
> 
> Feb  7 15:11:32 <kern.crit> www /kernel: OUCH! cannot remove rule, count 2
> Feb  7 15:11:32 <kern.crit> www /kernel: drop session, too many entries
> Feb  7 15:11:32 <kern.crit> www last message repeated 3 times
> Feb  7 15:11:33 <kern.crit> www /kernel: OUCH! cannot remove rule, count 2
> Feb  7 15:11:33 <kern.crit> www /kernel: drop session, too many entries
> Feb  7 15:11:34 <kern.crit> www last message repeated 80 times
> 
> And so on. That's not what I expect to receive. How can 'drop session'
> messages be silenced? And what do 'OUCH!' messages mean?
> 
> Eugene Grosbein
> 

See kern/32600. Unfortunately, the provided patch doesn't apply cleanly
anymore (bitrot). I lost contact with the committer ever since I posted the
PR in early December. I'll try to post an updated patch in a few days.

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32600

-- 

  Dan Pelleg
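An added example, not part of this thread: a Python check that counts sessions per remote IP and TCP state in FreeBSD `netstat -n` output, so an administrator can see whether a rule like `limit src-addr 5` is holding and whether any excess is live ESTABLISHED sessions or lingering CLOSE_WAIT ones, as in the 6/2 split reported above. The sample netstat output and its addresses are constructed; only port 8888 comes from the quoted rules.

```python
from collections import defaultdict

# Constructed sample of FreeBSD `netstat -n -p tcp` output (not taken from the
# thread); hosts use documentation address ranges. The service listens on
# local port 8888, as in the rules quoted above.
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  198.51.100.10.8888     192.0.2.5.40001        ESTABLISHED
tcp4       0      0  198.51.100.10.8888     192.0.2.5.40002        ESTABLISHED
tcp4       0      0  198.51.100.10.8888     192.0.2.5.40003        ESTABLISHED
tcp4       0      0  198.51.100.10.8888     192.0.2.5.40004        ESTABLISHED
tcp4       0      0  198.51.100.10.8888     192.0.2.5.40005        ESTABLISHED
tcp4       0      0  198.51.100.10.8888     192.0.2.5.40006        ESTABLISHED
tcp4       0      0  198.51.100.10.8888     192.0.2.5.40007        CLOSE_WAIT
tcp4       0      0  198.51.100.10.8888     192.0.2.5.40008        CLOSE_WAIT
tcp4       0      0  198.51.100.10.8888     192.0.2.9.51000        ESTABLISHED
tcp4       0      0  198.51.100.10.22       192.0.2.9.51001        ESTABLISHED
tcp4       0      0  *.8888                 *.*                    LISTEN
"""

def split_addr(addr):
    """Split FreeBSD's 'a.b.c.d.port' notation into (host, port); a '*' port becomes None."""
    host, port = addr.rsplit(".", 1)
    return host, (None if port == "*" else int(port))

def sessions_per_source(netstat_text, local_port):
    """Map each remote IP to {tcp_state: count} for sessions to local_port."""
    per_src = defaultdict(lambda: defaultdict(int))
    for line in netstat_text.splitlines():
        f = line.split()
        # Skip headers, non-TCP rows and the listening socket itself.
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] == "LISTEN":
            continue
        if split_addr(f[3])[1] != local_port:
            continue
        src = split_addr(f[4])[0]
        per_src[src][f[5]] += 1
    return per_src

def over_limit(per_src, limit, states=None):
    """Remote IPs holding more than `limit` sessions, optionally counting only `states`."""
    hits = {}
    for src, by_state in per_src.items():
        n = sum(c for st, c in by_state.items() if states is None or st in states)
        if n > limit:
            hits[src] = n
    return hits
```

On a live host, feed `sessions_per_source` the output of `netstat -n -p tcp` and compare `over_limit(per, 5)` with `over_limit(per, 5, states={"ESTABLISHED"})` to separate real over-limit sources from ones that merely have half-closed sessions left over.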
