Eugene Grosbein <[EMAIL PROTECTED]> writes:
> Hi!
>
> I'm trying to utilize the ipfw limit option with 4.5-STABLE.
> Till now I had a stateless ipfw configuration that worked fine.
>
> Now I need to limit one of my TCP services to only 5 sessions
> per IP. The service itself has a global limit of 50 simultaneous
> connections but cannot limit the number of connections per IP.
> And it is abused.
>
> I have the following rules for the service bound to TCP port 8888:
>
> $fwcmd add 60130 pipe 3 tcp from $my_ip 8888 to any # for traffic shaping
> $fwcmd add 60135 allow tcp from any to $my_ip 8888
>
> Now I changed rule 60135 to
> $fwcmd add 60135 allow tcp from any to $my_ip 8888 limit src-addr 5
>
> This works basically, but:
>
> 1. Sometimes I see 8 connections per 1 ip, 6 are ESTABLISHED and
> 2 are CLOSE_WAIT. That does not bother me too much but it shows
> that the code is not very exact.
>
> 2. The kernel fills my logs and console with TONS of messages:
>
> Feb 7 15:11:32 <kern.crit> www /kernel: OUCH! cannot remove rule, count 2
> Feb 7 15:11:32 <kern.crit> www /kernel: drop session, too many entries
> Feb 7 15:11:32 <kern.crit> www last message repeated 3 times
> Feb 7 15:11:33 <kern.crit> www /kernel: OUCH! cannot remove rule, count 2
> Feb 7 15:11:33 <kern.crit> www /kernel: drop session, too many entries
> Feb 7 15:11:34 <kern.crit> www last message repeated 80 times
>
> And so on. That's not what I expect to receive. How can 'drop session'
> messages be silenced? And what do 'OUCH!' messages mean?
>
> Eugene Grosbein
See kern/32600. Unfortunately, the provided patch doesn't apply cleanly anymore (bitrot). I lost contact with the committer ever since I posted the PR in early December. I'll try to post an updated patch in a few days.

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32600

--
Dan Pelleg
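As an added example that is not part of this thread or of FreeBSD, a small sh/awk filter that tallies the two kernel messages Eugene quotes, folding syslog's "last message repeated N times" lines into the message that preceded them, so an administrator can measure how often the limit rule is actually dropping sessions instead of reading the raw console spam. The log lines are a constructed sample built from the ones in the message; the function and variable names are the example's own.

```shell
#!/bin/sh
# Constructed sample of the kernel messages quoted in the thread (not a real log).
SAMPLE_LOG='Feb 7 15:11:32 <kern.crit> www /kernel: OUCH! cannot remove rule, count 2
Feb 7 15:11:32 <kern.crit> www /kernel: drop session, too many entries
Feb 7 15:11:32 <kern.crit> www last message repeated 3 times
Feb 7 15:11:33 <kern.crit> www /kernel: OUCH! cannot remove rule, count 2
Feb 7 15:11:33 <kern.crit> www /kernel: drop session, too many entries
Feb 7 15:11:34 <kern.crit> www last message repeated 80 times'

# count_ipfw_limit_events: read syslog lines on stdin and print two numbers:
#   "<drop-session count> <OUCH count>"
# syslog collapses identical consecutive messages into "last message repeated
# N times", so that N is credited to whichever message came just before it.
count_ipfw_limit_events() {
    awk '
        /drop session, too many entries/ { drops++; last = "drop"; next }
        /OUCH! cannot remove rule/       { ouch++;  last = "ouch"; next }
        /last message repeated [0-9]+ times/ {
            # the repeat count is the field right after the word "repeated"
            for (i = 1; i <= NF; i++) if ($i == "repeated") n = $(i + 1)
            if (last == "drop") drops += n
            else if (last == "ouch") ouch += n
            next
        }
        END { printf "%d %d\n", drops, ouch }
    '
}

# count_sample: run the filter over the constructed sample above.
count_sample() {
    printf '%s\n' "$SAMPLE_LOG" | count_ipfw_limit_events
}

count_sample
```

On a live system the same filter can be fed with `grep /kernel: /var/log/messages | count_ipfw_limit_events` to see how many sessions the limit rule has refused since the last log rotation.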