Date:      Thu, 08 May 2014 09:09:21 +0800
From:      bycn82 <bycn82@gmail.com>
To:        Luigi Rizzo <rizzo@iet.unipi.it>
Cc:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>, Freddie Cash <fjwcash@gmail.com>
Subject:   Re: feature of `packet per second`
Message-ID:  <536AD941.9090102@gmail.com>
In-Reply-To: <536AD13B.6080907@gmail.com>
References:  <5360F1F4.9060808@gmail.com> <5361105C.1040203@freebsd.org> <53611738.8010103@gmail.com> <CAOjFWZ4zRUmcjG-r--OqoGEWcSZoWhtTykgAAHzCjoEWsMVS9g@mail.gmail.com> <53611EB1.4000406@gmail.com> <CA%2BhQ2%2BhjjS=AXVdnaEdFOKY1DqiLuX9iP0gy3wo6FbwnEdq_Qw@mail.gmail.com> <5364E097.9020106@gmail.com> <CA%2BhQ2%2BgXC9uNdtH1VCGa%2Bs1dPNWjErC9qfgXmEnfQ4SQ6Rnz_g@mail.gmail.com> <536AD13B.6080907@gmail.com>

On 5/8/14 8:35, bycn82 wrote:
> On 5/4/14 1:19, Luigi Rizzo wrote:
>>
>>
>>
>> On Sat, May 3, 2014 at 2:27 PM, bycn82 <bycn82@gmail.com> wrote:
>>
>>     On 5/2/14 16:59, Luigi Rizzo wrote:
>>>
>>>
>>>
>>>     On Wed, Apr 30, 2014 at 6:02 PM, bycn82 <bycn82@gmail.com> wrote:
>>>
>>>
>>>             fjwcash@gmail.com
>>>
>>>         Thanks for your reply,  and it is good to know the sysctl
>>>         for ICMP.
>>>
>>>         Finally it works. I just added a new `action` in firewall and
>>>         it is called `pps`,  that means it can be generic purpose
>>>         while the net.inet.icmp.icmplim is only for ICMP traffic.
>>>
>>>         the usage will be like below
>>>
>>>         root@F10:/usr/src/sbin/ipfw # ./ipfw add pps 1 icmp from any to any
>>>         00100 pps 1 icmp from any to any
>>>         root@F10:/usr/src/sbin/ipfw # ./ipfw show
>>>         00100     9     540 pps 1 icmp from any to any
>>>         65535 13319 1958894 allow ip from any to any
>>>         root@F10:/usr/src/sbin/ipfw #
>>>
>>>
>>>     hi,
>>>     as julian said it would be great if you would like to share your
>>>     code
>>>     so we can integrate it in future ipfw releases.
>>>     Once again citing Julian, dummynet is a bit of a superset of pps but
>>>     not exactly, so i see value in the additional feature.
>>>
>>>     One thing to keep in mind in the implementation:
>>>
>>>     the burst size used for limiting is an important parameter that
>>>     everyone forgets. 1 pps is basically "don't bother me".
>>>     1000 pps could be "1000 packets every fixed 1-sec interval"
>>>     or "1 packet every ms" or (this is more difficult)
>>>     "20 pkt in the last 50ms interval".
>>>
>>>     If i were to implement the feature i would add two parameters
>>>     (burst, I_max) with reasonable defaults and compute the internal
>>>     interval and max_count as follows
>>>        if (burst > max_pps * I_max)
>>>            burst = max_pps * I_max; // make sure it is not too large
>>>        else if (burst < max_pps / HZ)
>>>            burst = max_pps / HZ;    // nor too small
>>>        max_count = max_pps / burst;
>>>        interval = HZ * burst / max_pps;
>>>        count = 0; // actual counter
>>>
>>>     then add { max_count, interval, timestamp, count } to the rule
>>>     descriptor.
>>>     On incoming packets:
>>>
>>>        if (ticks >= r->interval + r->timestamp) {
>>>            r->timestamp = ticks;
>>>            r->count = 1;
>>>            return ACCEPT;
>>>        }
>>>        if (r->count >= r->max_count)
>>>            return DENY;
>>>        r->count++;
>>>        return ACCEPT;
>>>
>>>     cheers
>>>     luigi
>>>
>>     Hi Luigi,
>>     You are right, it will be more generic if we provide two parameters
>>     as you described,
>>     But this PPS feature should not be used to control the traffic
>>     rate, the dummynet you provided is the correct way.
>>     So I am thinking in what kind of scenario, people need this PPS
>>     feature?
>>     in my opinion, people will use PPS only when they want to limit
>>     the connections/transactions numbers. ( already have limit
>>     command to limit the connections)
>>     So I think providing a simple PPS feature is good enough, and we
>>     can improve it if someone complains about this.
>>
>>
>> pps has a strong reason to exist because it is a lot cheaper
>> than a dummynet pipe, and given its purpose is to police
>> traffic (icmp, dns requests, etc) which should not even
>> get close to the limit which is set, I think it is
>> a completely reasonable feature to have.
>>
>> Given that the above code is the complete implementation
>> with the two parameters (burst and interval) there is no
>> reason not to use them, at least internally.
>>
>> Then you could choose not to expose them as part of the
>> user interface (though since you are implementing a new
>> option from scratch, it is completely trivial to
>> parse 1, 2 or 3 arguments and set defaults for the others).
>>
>> cheers
>> luigi
> OK, PPS with 2 parameters, it is done.
> But how to get the current time in milliseconds?
> Any recommendation?
In order to get the milliseconds, I tried to include timeb.h, but I met
the error below:

In file included from /usr/src/sys/modules/ipfw/../../netpfil/ipfw/ip_fw2.c:42:
@/sys/timeb.h:42:2: error: "this file includes <sys/timeb.h> which is deprecated"
       [-Werror,-W#warnings]
#warning "this file includes <sys/timeb.h> which is deprecated"
  ^
Any replacement for timeb.h?
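
The fixed-interval policer sketched in the quoted reply, written out as an added example that is not part of the original thread or of ipfw. HZ = 1000, `struct pps_rule` and the `pps_*` function names are assumptions of this example; it takes max_count to be the clamped burst (packets admitted per interval), counts time in ticks rather than milliseconds, and compares ticks with an unsigned subtraction so the check survives counter wrap.

```c
#include <stdint.h>
#define HZ 1000   /* assumed tick rate; a kernel build supplies HZ and ticks */

struct pps_rule {                   /* hypothetical per-rule state */
    uint32_t max_count, interval;   /* packets per interval; interval in ticks */
    uint32_t timestamp, count;      /* interval start tick; packets admitted so far */
};

/* Clamp burst to [max_pps/HZ, max_pps*i_max]; returns -1 if max_pps is 0. */
static int pps_init(struct pps_rule *r, uint32_t max_pps, uint32_t burst, uint32_t i_max)
{
    if (max_pps == 0)
        return -1;
    uint64_t hi = (uint64_t)max_pps * i_max;         /* i_max seconds of traffic */
    uint32_t lo = max_pps / HZ ? max_pps / HZ : 1;   /* one tick of traffic, min 1 */
    if (burst > hi)
        burst = (uint32_t)hi;                        /* not too large */
    if (burst < lo)
        burst = lo;                                  /* nor too small */
    r->max_count = burst;
    uint64_t iv = (uint64_t)HZ * burst / max_pps;
    r->interval = iv ? (uint32_t)iv : 1;             /* at least one tick */
    r->timestamp = r->count = 0;
    return 0;
}

/* Per-packet check, 1 = accept, 0 = deny; unsigned subtraction survives tick wrap. */
static int pps_check(struct pps_rule *r, uint32_t ticks)
{
    if ((uint32_t)(ticks - r->timestamp) >= r->interval) {
        r->timestamp = ticks;        /* start a new interval */
        r->count = 1;
        return 1;
    }
    if (r->count >= r->max_count)
        return 0;                    /* this interval's budget is spent */
    r->count++;
    return 1;
}

/* Offer n packets spaced gap ticks apart from tick start; return how many pass. */
static uint32_t pps_offer(struct pps_rule *r, uint32_t start, uint32_t n, uint32_t gap)
{
    uint32_t passed = 0;
    for (uint32_t i = 0; i < n; i++)
        passed += (uint32_t)pps_check(r, start + i * gap);
    return passed;
}
```

With 1000 pps and burst 20 this admits 20 packets per 20-tick interval, so a back-to-back flood of 100 packets passes 20 and the next interval opens 20 ticks after the first accepted packet.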


