From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 22 02:55:26 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B7AC37B401 for ; Tue, 22 Apr 2003 02:55:26 -0700 (PDT) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id B47C643FE3 for ; Tue, 22 Apr 2003 02:55:25 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h3M9tPBp034326; Tue, 22 Apr 2003 02:55:25 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h3M9tPSk034325; Tue, 22 Apr 2003 02:55:25 -0700 (PDT) (envelope-from rizzo) Date: Tue, 22 Apr 2003 02:55:25 -0700 From: Luigi Rizzo To: yossman Message-ID: <20030422025525.A33894@xorpc.icir.org> References: <1107.66.46.224.251.1050689830.squirrel@ssl.yossman.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <1107.66.46.224.251.1050689830.squirrel@ssl.yossman.net>; from yossman@yossman.net on Fri, Apr 18, 2003 at 02:17:10PM -0400 cc: freebsd-ipfw@freebsd.org cc: yossman@waterloo.yossman.net Subject: Re: ipfw dummynet: limiting packets per second (limit pps)? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Apr 2003 09:55:26 -0000 On Fri, Apr 18, 2003 at 02:17:10PM -0400, yossman wrote: ... > good day, i've been searching for the last while for a way to use > FreeBSD's ipfw and dummynet implementations to limit the number of packets > per second destined for any matching network traffic pipe. oddly, i can't > find very much information on doing this at all, save for a patch written ... > is there some reason limiting packets per second is not an option at the > moment? or does the capability already exist, and i'm just looking in the > wrong places? any hints would be appreciated, thanks! the original motivation for dummynet was to work as a traffic shaper, i.e. release data from the network interface at most at the programmed rate. The natural way to express this type of behaviour is in terms of bandwidth, and a queue to store the input traffic that is to be released at the desired rate. Limiting traffic to X pps generally means picking an interval of T seconds and making sure that in each of those intervals the first T*X packets are let out without delay, and the excess is simply thrown away. Besides the differences in terms of operations (shaping almost always introduces some delay, whereas limiting never delays traffic), the implementation of traffic shaping is also more expensive than traffic limiting -- you need queues and timers for the former, whereas the latter can be simply implemented with a counter and a timestamp for each flow. For a simple implementation of a "pps X" option i would suggest simply defining a new "ipfw2" opcode O_PPS which would match only up to X packets in each 1-second interval. The implementation would be something like this: typedef struct _ipfw_insn_pps { ipfw_insn o; uint32_t ts; /* start of measuring period */ uint32_t limit; uint32_t count; } ipfw_insn_pps; and the action would be case O_PPS: { ipfw_insn_pps *x = (ipfw_insn_pps *)cmd; if (x->ts != time_second || x->count < x->limit) { match = 1; if (x->ts != time_second) { x->ts = time_second; x->count = 0; } else x->count++; } break; } its use would be something like this: ipfw add 1000 accept ip from A to B pps 50 ipfw add 1000 deny ip from A to B A slightly more complex implementation that handles masks etc. is probably best done by extending dummynet pipes to handle counts and limits as shown above. cheers luigi -----------------------------------+------------------------------------- Luigi RIZZO, luigi@iet.unipi.it . Dip. di Ing. dell'Informazione http://www.iet.unipi.it/~luigi/ . Universita` di Pisa TEL/FAX: +39-050-568.533/522 . via Diotisalvi 2, 56122 PISA (Italy) Mobile +39-347-0373137 -----------------------------------+-------------------------------------