Darren Reed writes:
> On networking-discuss, Kacheong raised the problem of the kernel
> only throttling ICMP packets on a packets-per-second basis. So the
> obvious question to me becomes, why can't crossbow be used to
> throttle all ICMP errors?
>
> The unfortunate part of this is that classifying ICMP errors is not
> achievable with a simple bit-mask.
The current default send limit is an average of one message every 100ms or a burst of 10 ICMP error messages arbitrarily fast. If we bump up to the RFC suggested 576 bytes per message, we're talking about roughly 45Kbps. That's it. It's a trivial amount of traffic when you don't futz with the existing timers.

I maintain that (a) Crossbow, with its limited flow granularity, would not help in this instance and that (b) changing from 64 to 576 and removing the tunable won't actually cause any undue hardship.

If you really have a link somewhere that'll be the target of 45Kbps worth of ICMP errors, and that'll melt at that rate, then I suggest just filtering out all ICMP. That link is just too fragile.

--
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
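The send limit described in the message above (one ICMP error per 100ms on average, with a burst of 10 sent arbitrarily fast) is a token bucket. The following is an added example written for this page, not the Solaris kernel's actual limiter; it models that policy with the two parameters quoted in the message and works out the bandwidth bound the message cites (10 messages per second at 576 bytes each, roughly 45Kbps). Time is passed in by the caller as milliseconds so the behaviour is deterministic; the `icmp_ratelimit_*` names and the flood simulation are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parameters quoted in the message: 1 msg / 100 ms average, burst of 10. */
#define ICMP_ERR_INTERVAL_MS 100
#define ICMP_ERR_BURST       10

/* Token bucket: one token per interval, at most `burst` tokens banked. */
typedef struct {
    uint32_t interval_ms;   /* refill period for one token */
    uint32_t burst;         /* bucket capacity */
    uint32_t tokens;        /* tokens currently available */
    uint64_t last_ms;       /* time of last whole-interval refill */
} icmp_ratelimit_t;

void icmp_ratelimit_init(icmp_ratelimit_t *rl, uint32_t interval_ms,
                         uint32_t burst, uint64_t now_ms)
{
    rl->interval_ms = interval_ms;
    rl->burst = burst;
    rl->tokens = burst;     /* start full, so an initial burst is allowed */
    rl->last_ms = now_ms;
}

/* Returns true if an ICMP error may be sent at now_ms, consuming a token.
 * Refill credits only whole intervals and keeps the remainder, so a
 * steady stream of attempts never rounds the rate upward. */
bool icmp_ratelimit_allow(icmp_ratelimit_t *rl, uint64_t now_ms)
{
    if (now_ms > rl->last_ms) {
        uint64_t elapsed = now_ms - rl->last_ms;
        uint64_t refill = elapsed / rl->interval_ms;
        if (refill > 0) {
            uint64_t t = rl->tokens + refill;
            rl->tokens = (t > rl->burst) ? rl->burst : (uint32_t)t;
            rl->last_ms += refill * rl->interval_ms;
        }
    }
    if (rl->tokens == 0)
        return false;       /* drop the error: over the limit */
    rl->tokens--;
    return true;
}

/* Maximum sustained send rate in bits/s for messages of msg_bytes each.
 * Burst tokens are a one-off and do not raise the sustained rate. */
double icmp_ratelimit_max_bps(uint32_t interval_ms, size_t msg_bytes)
{
    return (1000.0 / interval_ms) * (double)msg_bytes * 8.0;
}

/* Constructed flood: attempts_per_ms send attempts every millisecond for
 * window_ms; returns how many the limiter lets through. */
uint32_t icmp_ratelimit_simulate(uint32_t interval_ms, uint32_t burst,
                                 uint64_t window_ms, uint32_t attempts_per_ms)
{
    icmp_ratelimit_t rl;
    uint32_t sent = 0;
    icmp_ratelimit_init(&rl, interval_ms, burst, 0);
    for (uint64_t t = 0; t < window_ms; t++)
        for (uint32_t i = 0; i < attempts_per_ms; i++)
            if (icmp_ratelimit_allow(&rl, t))
                sent++;
    return sent;
}

int main(void)
{
    printf("sent in 1 s of flood:  %u\n",
           icmp_ratelimit_simulate(ICMP_ERR_INTERVAL_MS, ICMP_ERR_BURST, 1000, 5));
    printf("sent in 10 s of flood: %u\n",
           icmp_ratelimit_simulate(ICMP_ERR_INTERVAL_MS, ICMP_ERR_BURST, 10000, 5));
    printf("max rate at 64 B:  %.0f bps\n", icmp_ratelimit_max_bps(ICMP_ERR_INTERVAL_MS, 64));
    printf("max rate at 576 B: %.0f bps\n", icmp_ratelimit_max_bps(ICMP_ERR_INTERVAL_MS, 576));
    return 0;
}
```

Under a sustained flood the simulation lets the initial burst of 10 through and then exactly one message per 100ms, which is why raising the per-message size from 64 to 576 bytes only moves the ceiling from about 5Kbps to about 46Kbps: the limiter bounds message count, and the size cap merely scales that count into bytes.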