Re: feature of `packet per second`

2014-05-02 Thread Bill Yuan
I was coding it the dummynet way yesterday.
Personally I prefer to add it as a new action.
By the way, does anybody want to say something about ip_fw.h? There
are two ip_fw.h files,
one in /sys/netinet/ and another in usr/include/netinet. It is better to remove
one of them, or create a soft link instead?


On Fri, May 2, 2014 at 1:55 PM, Julian Elischer jul...@freebsd.org wrote:

 On 5/1/14, 12:02 AM, bycn82 wrote:

 On 4/30/14 23:45, Freddie Cash wrote:

 On Wed, Apr 30, 2014 at 8:31 AM, bycn82 byc...@gmail.com wrote:


 On 4/30/14 23:01, Julian Elischer wrote:

 On 4/30/14, 8:52 PM, bycn82 wrote:

 Hi

 `packet per second` is easy to implement using
 iptables, where there is a module named `recent`, but when using
 ipfw, do we have any solution to fulfill it? Check the
 link below:
 https://forums.freebsd.org/viewtopic.php?f=44t=42933p=258441#p258441


 since I don't use linux.. what is packet per second?.. does
 it report it or set a limit on it?


  bycn82


 Yes, Packets Per Second means limiting a connection based on the
 number of packets. For example, if I allow 2 ICMP packets to come to my
 server in each individual second, only the first 2 packets will
 be allowed; all others in the same second will be dropped.


 For ICMP, specifically, there's a sysctl to control the rate (per
 second):

 # sysctl -d net.inet.icmp.icmplim
 net.inet.icmp.icmplim: Maximum number of ICMP responses per second


 For everything else, you'd want to use dummynet(4).

 --
 Freddie Cash
 fjwc...@gmail.com

 Thanks for your reply, and it is good to know the sysctl for ICMP.

 Finally it works. I just added a new `action` in the firewall, called
 `pps`, which means it can be generic purpose, while
 net.inet.icmp.icmplim is only for ICMP traffic.


 you probably should be using the dummynet extension to ipfw to do this,
 but post your changes to a freebsd bug report anyhow so we can keep it
 somewhere.
 I doubt it would be needed in general as Dummynet gives you so much more
 control and is, I think, a superset.
 Don't forget to add a patch for the man page; a patch with no man page
 change would never be accepted.


 the usage will be like below

 root@F10:/usr/src/sbin/ipfw # ./ipfw add pps 1 icmp from any to any

 00100 pps 1 icmp from any to any
 root@F10:/usr/src/sbin/ipfw # ./ipfw show
 00100 9 540 pps 1 icmp from any to any
 65535 13319 1958894 allow ip from any to any
 root@F10:/usr/src/sbin/ipfw #

 regards,
 bycn82


___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: feature of `packet per second`

2014-05-02 Thread Luigi Rizzo
On Wed, Apr 30, 2014 at 6:02 PM, bycn82 byc...@gmail.com wrote:


 Thanks for your reply, and it is good to know the sysctl for ICMP.

 Finally it works. I just added a new `action` in the firewall, called
 `pps`, which means it can be generic purpose, while
 net.inet.icmp.icmplim is only for ICMP traffic.

 the usage will be like below

 root@F10:/usr/src/sbin/ipfw # ./ipfw add pps 1 icmp from any to any
 00100 pps 1 icmp from any to any
 root@F10:/usr/src/sbin/ipfw # ./ipfw show
 00100 9 540 pps 1 icmp from any to any
 65535 13319 1958894 allow ip from any to any
 root@F10:/usr/src/sbin/ipfw #


hi,
as Julian said, it would be great if you would like to share your code
so we can integrate it in future ipfw releases.
Once again citing Julian, dummynet is a bit of a superset of pps but
not exactly, so I see value in the additional feature.

One thing to keep in mind in the implementation:

the burst size used for limiting is an important parameter that
everyone forgets. 1 pps is basically don't bother me.
1000 pps could be 1000 packets every fixed 1-sec interval
or 1 packet every ms or (this is more difficult)
20 pkt in the last 50ms interval.

If I were to implement the feature I would add two parameters
(burst, I_max) with reasonable defaults and compute the internal
interval and max_count as follows

   if (burst > max_pps * I_max)
       burst = max_pps * I_max;      // make sure it is not too large
   else if (burst < max_pps / HZ)
       burst = max_pps / HZ;         // nor too small
   max_count = burst;                // packets allowed per interval
   interval = HZ * burst / max_pps;  // interval length in ticks
   count = 0;                        // actual counter

then add { max_count, interval, timestamp, count } to the rule descriptor.
On incoming packets:

   if (ticks >= r->interval + r->timestamp) {
       r->timestamp = ticks;         // start a new interval
       r->count = 1;
       return ACCEPT;
   }
   if (r->count >= r->max_count)
       return DENY;
   r->count++;
   return ACCEPT;

cheers
luigi
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org
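A stand-alone simulation of the burst/interval scheme Luigi sketches above, added here as an example; it is not code from the thread or from ipfw, and the HZ and I_MAX_SEC values, the pps_rule struct and the function names are assumptions. It makes his point about the burst parameter concrete: the same 1000 pps limit passes 1000 packets of a one-tick flood when burst is 1000, but only one when burst is 1.

```c
#include <stdint.h>

#define HZ 1000        /* assumed tick rate of the simulated kernel */
#define I_MAX_SEC 10   /* assumed cap on the interval length, in seconds */

/* Per-rule state, mirroring the { max_count, interval, timestamp, count } fields. */
struct pps_rule {
    uint32_t max_count;  /* packets accepted per interval (the burst) */
    uint32_t interval;   /* interval length in ticks */
    uint32_t timestamp;  /* tick at which the current interval began */
    uint32_t count;      /* packets accepted so far in this interval */
};

/* Derive interval and max_count from a rate (pps) and a burst (packets per interval). */
static void pps_init(struct pps_rule *r, uint32_t max_pps, uint32_t burst)
{
    uint32_t hi = max_pps * I_MAX_SEC;             /* burst must fit in I_MAX_SEC */
    uint32_t lo = max_pps / HZ ? max_pps / HZ : 1; /* and be at least one packet */
    if (burst > hi) burst = hi;
    else if (burst < lo) burst = lo;
    r->max_count = burst;
    r->interval = (uint32_t)((uint64_t)HZ * burst / max_pps);
    if (r->interval == 0) r->interval = 1;         /* never a zero-length window */
    r->timestamp = 0;
    r->count = 0;
}

/* Returns 1 to accept the packet, 0 to deny it. */
static int pps_check(struct pps_rule *r, uint32_t ticks)
{
    if (ticks >= r->timestamp + r->interval) {     /* window expired: open a new one */
        r->timestamp = ticks;
        r->count = 1;
        return 1;
    }
    if (r->count >= r->max_count)                  /* window budget spent */
        return 0;
    r->count++;
    return 1;
}

/* Feed n packets spaced spacing_ticks apart through one rule; return how many pass. */
static uint32_t simulate(uint32_t max_pps, uint32_t burst, uint32_t n, uint32_t spacing_ticks)
{
    struct pps_rule r;
    uint32_t accepted = 0;
    pps_init(&r, max_pps, burst);
    for (uint32_t i = 0; i < n; i++)
        accepted += (uint32_t)pps_check(&r, i * spacing_ticks);
    return accepted;
}
```

With a steady one-packet-per-tick stream both settings accept everything; the difference only shows up under a burst, which is exactly the case a rate limit is meant to handle.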