From owner-freebsd-ipfw@FreeBSD.ORG Sat May 3 12:27:11 2014
Message-ID: <5364E097.9020106@gmail.com>
Date: Sat, 03 May 2014 20:27:03 +0800
From: bycn82
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org, Freddie Cash
Subject: Re: feature of `packet per second`
References:
 <5360F1F4.9060808@gmail.com> <5361105C.1040203@freebsd.org>
 <53611738.8010103@gmail.com> <53611EB1.4000406@gmail.com>
List-Id: IPFW Technical Discussions

On 5/2/14 16:59, Luigi Rizzo wrote:
> On Wed, Apr 30, 2014 at 6:02 PM, bycn82 wrote:
>
>> Thanks for your reply, and it is good to know the sysctl for ICMP.
>>
>> Finally it works. I just added a new `action` in firewall and it is
>> called `pps`, that means it can be generic purpose while the
>> net.inet.icmp.icmplim is only for ICMP traffic.
>>
>> the usage will be like below
>>
>> root@F10:/usr/src/sbin/ipfw # ./ipfw add pps 1 icmp from any to any
>> 00100 pps 1 icmp from any to any
>> root@F10:/usr/src/sbin/ipfw # ./ipfw show
>> 00100 9 540 pps 1 icmp from any to any
>> 65535 13319 1958894 allow ip from any to any
>> root@F10:/usr/src/sbin/ipfw #
>
> hi,
> as Julian said it would be great if you would like to share your code
> so we can integrate it in future ipfw releases.
> Once again citing Julian, dummynet is a bit of a superset of pps but
> not exactly, so I see value in the additional feature.
>
> One thing to keep in mind in the implementation:
>
> the burst size used for limiting is an important parameter that
> everyone forgets. 1 pps is basically "don't bother me".
> 1000 pps could be "1000 packets every fixed 1-sec interval"
> or "1 packet every ms" or (this is more difficult)
> "20 pkt in the last 50ms interval".
>
> If I were to implement the feature I would add two parameters
> (burst, I_max) with reasonable defaults and compute the internal
> interval and max_count as follows
>
>     if (burst > max_pps * I_max)
>         burst = max_pps * I_max;  // make sure it is not too large
>     else if (burst < max_pps / HZ)
>         burst = max_pps / HZ;     // nor too small
>     max_count = burst;            // packets allowed per interval
>     interval = HZ * burst / max_pps;
>     count = 0;                    // actual counter
>
> then add { max_count, interval, timestamp, count } to the rule descriptor.
> On incoming packets:
>
>     if (ticks >= r->interval + r->timestamp) {
>         r->timestamp = ticks;
>         r->count = 1;
>         return ACCEPT;
>     }
>     if (r->count > r->max_count)
>         return DENY;
>     r->count++;
>     return ACCEPT;
>
> cheers
> luigi

Hi Luigi,

You are right, it will be more generic if we provide two parameters as you described. But this PPS feature should not be used to control the traffic rate; the dummynet you provided is the correct way.

So I am thinking: in what kind of scenario do people need this PPS feature? In my opinion, people will use PPS only when they want to limit the number of connections/transactions (we already have the `limit` command to limit the connections).

So I think providing a simple PPS feature is good enough, and we can improve it if someone complains about this.

bycn82
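The interval/max_count scheme Luigi sketches above, worked into a stand-alone C program. This is an added example, not code from the thread and not ipfw's own `pps` implementation; it assumes HZ = 1000 ticks per second, takes `max_count` to be the burst size in packets, and uses the hypothetical names `pps_init`, `pps_check` and `pps_burst_at`. The interval comparison is done by unsigned subtraction so it stays correct when the tick counter wraps, and the initial timestamp is set so that the first packet always opens a fresh interval.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this example (not ipfw's definitions). */
#define HZ          1000    /* kernel tick rate: ticks per second */
#define PPS_ACCEPT  1
#define PPS_DENY    0

/* Per-rule state: the { max_count, interval, timestamp, count } of the sketch. */
struct pps_limit {
    uint32_t max_pps;    /* configured packets per second */
    uint32_t max_count;  /* packets allowed per interval, i.e. the burst size */
    uint32_t interval;   /* length of one interval in ticks */
    uint32_t timestamp;  /* tick at which the current interval began */
    uint32_t count;      /* packets accepted so far in this interval */
};

/*
 * Derive interval and max_count from (max_pps, burst, i_max).
 * burst is in packets, i_max in seconds.  The burst is clamped so it never
 * exceeds max_pps * i_max packets (the interval would grow past i_max) and
 * never drops below the packets that arrive in one tick (the interval would
 * round down to zero ticks).
 */
void pps_init(struct pps_limit *r, uint32_t max_pps, uint32_t burst, uint32_t i_max)
{
    uint32_t max_burst, min_burst;

    if (max_pps == 0)
        max_pps = 1;                 /* "pps 0" is meaningless; treat as 1 */
    max_burst = max_pps * i_max;
    if (max_burst == 0)
        max_burst = 1;
    min_burst = max_pps / HZ;
    if (min_burst == 0)
        min_burst = 1;               /* fewer than one packet per tick */

    if (burst > max_burst)
        burst = max_burst;           /* not too large */
    else if (burst < min_burst)
        burst = min_burst;           /* nor too small */

    r->max_pps = max_pps;
    r->max_count = burst;
    r->interval = (uint32_t)((uint64_t)HZ * burst / max_pps);
    if (r->interval == 0)
        r->interval = 1;             /* never shorter than one tick */
    r->timestamp = (uint32_t)0 - r->interval;  /* first packet opens an interval */
    r->count = 0;
}

/* Per-packet decision; ticks is the current tick counter. */
int pps_check(struct pps_limit *r, uint32_t ticks)
{
    /* Unsigned subtraction keeps this correct when ticks wraps around. */
    if (ticks - r->timestamp >= r->interval) {
        r->timestamp = ticks;        /* start a new interval */
        r->count = 1;
        return PPS_ACCEPT;
    }
    if (r->count >= r->max_count)    /* exactly max_count per interval */
        return PPS_DENY;
    r->count++;
    return PPS_ACCEPT;
}

/* Feed n packets that all arrive at the same tick; return how many pass. */
unsigned pps_burst_at(struct pps_limit *r, uint32_t ticks, unsigned n)
{
    unsigned passed = 0, i;

    for (i = 0; i < n; i++)
        if (pps_check(r, ticks) == PPS_ACCEPT)
            passed++;
    return passed;
}

int main(void)
{
    struct pps_limit r;
    unsigned a, b, c;

    /* 400 pps with a burst of 20 packets: "20 pkt in a 50 ms interval". */
    pps_init(&r, 400, 20, 1);
    printf("interval=%u ticks, max_count=%u\n", r.interval, r.max_count);
    a = pps_burst_at(&r, 10, 25);    /* 20 pass, 5 denied */
    b = pps_burst_at(&r, 30, 5);     /* interval still open: 0 pass */
    c = pps_burst_at(&r, 60, 25);    /* new interval: 20 pass */
    printf("tick 10: %u/25  tick 30: %u/5  tick 60: %u/25\n", a, b, c);

    /* "pps 1" as in the ipfw rule in the thread: one packet per second. */
    pps_init(&r, 1, 1, 1);
    a = pps_burst_at(&r, 0, 3);
    b = pps_burst_at(&r, 999, 1);
    c = pps_burst_at(&r, 1000, 1);
    printf("pps 1: tick 0: %u/3  tick 999: %u/1  tick 1000: %u/1\n", a, b, c);
    return 0;
}
```

The clamps are where the two extra parameters earn their keep: `pps 5000` with `burst 1` is raised to 5 packets per 1-tick interval, and `pps 1000` with `burst 5000` and `I_max 2` is capped at 2000 packets per 2-second interval, so a rule can never be configured into a zero-length interval or an interval longer than I_max.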