From: Patrick Schaaf <bof@bof.de>
To: Don Cohen <don-nf@isis.cs3-inc.com>
Cc: netfilter-devel@lists.samba.org
Subject: Re: conntrack performance/DoS formula
Date: Fri, 28 Jun 2002 21:35:20 +0200
Message-ID: <20020628213520.C4136@oknodo.bof.de>
In-Reply-To: <15644.45834.373409.220647@isis.cs3-inc.com>; from don-nf@isis.cs3-inc.com on Fri, Jun 28, 2002 at 12:03:38PM -0700

[-- Attachment #1: Type: text/plain, Size: 1542 bytes --]

Hi Don,

>  > I have real data [...] from several boxen providing transparent proxy
>  > service to dialup customers, 3000 customers per box peak, running DNS
>  > and squid towards the Internet.
>  > With the peak load, the proxy boxen have up to 100000 conntrack entries
> 
> If you can put some data on a web page that I could download I'd be
> happy to write and run the program that analyzes it and compares it
> to the results expected for a uniform hash function.

I have put a current sample, with ~33000 entries from one of those
proxy boxen, at http://bei.bof.de/ip_conntrack.1.gz

To protect the innocent (i.e. my customers and their surfing habits),
I have modified the top 16 bits of the IP addresses (keeping a random
but unique-once-determined mapping). The low-order 16 bits are unmodified.
I hope this is sufficient to combine realism wrt hashing with privacy.
The Perl script I used for transforming the ip_conntrack input, is appended
for review.

> Just in case you consider this to be a drawback, I might as well
> mention up front that this program will be written in lisp.
> (I consider it to be a benefit.)

That's your choice. I would write it in Perl or C.

> I suppose /proc/net/ip_conntrack is the preferred data format

The data format should be nearly /proc/net/ip_conntrack, the only modification
is that I compressed multiple whitespace down to a single character, and the
abovementioned mangling of the IP addresses.

I'm looking forward to your results. Tell me if you want more data.

best regards
  Patrick

[-- Attachment #2: ctmangle --]
[-- Type: text/plain, Size: 680 bytes --]

#! /usr/bin/perl -w

use strict;

# Input is /proc/net/ip_conntrack, one entry per line, e.g.:
# tcp      6 114 TIME_WAIT src=XX.XXX.211.64 dst=YYY.Y.144.66 sport=34685 dport=80 src=YYY.Y.144.66 dst=XX.XXX.211.64 sport=80 dport=34685 [ASSURED] use=1

# %ipmap: original top 16 bits of an address ("a.b") -> random replacement.
# Each input prefix gets exactly one replacement for the whole run, and
# %used keeps the mapping one-to-one so two distinct /16s are never merged
# (there are only 65536 possible prefixes, so the retry loop always ends).
my %ipmap = ();
my %used = ();

sub domap {
	my $ip = $_[0];
	if (!defined($ipmap{$ip})) {
		my $m;
		do {
			# rand() returns a float; int() makes it a 16 bit integer
			my $r = int(rand(2**16));
			$m = ($r & 255) . '.' . (($r >> 8) & 255);
		} while ($used{$m});
		$used{$m} = 1;
		$ipmap{$ip} = $m;
	}
	return $ipmap{$ip};
}

while (<>) {
	chomp;
	my @F = split;	# also collapses runs of whitespace to single spaces
	my $out = '';
	my $sep = '';
	for my $token (@F) {
		if ($token =~ /^([^=]+)=(\d+\.\d+)(\.\d+\.\d+)$/) {
			# $1 = key (src/dst), $2 = top 16 bits (mangled), $3 = low 16 bits (kept)
			my ($key, $hi, $lo) = ($1, $2, $3);
			my $ip = domap($hi);
			$out .= "$sep$key=$ip$lo";
		} else {
			$out .= "$sep$token";
		}
		$sep = ' ';
	}
	print "$out\n";
}
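
Added example, not part of the thread and not netfilter code: a sketch of the analysis Don proposes, i.e. parsing the /proc/net/ip_conntrack format that ctmangle operates on, hashing each entry's original-direction tuple into a bucket table, and comparing the occupancy with what a uniform hash would produce. Everything it assumes is its own: the additive hash is a stand-in written for the example (not a statement of what the kernel's hash_conntrack() computes), the keyed alternative is BLAKE2b, the table size of 8192 and the sample lines are constructed.

```python
# Added example, not code from this thread or from netfilter: parses the 2.4-era
# /proc/net/ip_conntrack text format (layout of ctmangle's sample line), hashes
# each entry's original-direction tuple into HTABLE_SIZE buckets with a pluggable
# hash, and compares the occupancy with what a uniform hash would give.
# ASSUMPTION: additive_hash() is a stand-in written for this example, NOT a
# statement of what the kernel's hash_conntrack() computes.
import hashlib
import math
import random
import re
from collections import Counter, namedtuple
from typing import Iterable, List, Optional

HTABLE_SIZE = 8192
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}
KV_RE = re.compile(r"^(\w+)=(\S+)$")
Tuple5 = namedtuple("Tuple5", "src dst sport dport proto")
# probe_cost: mean chain positions a successful lookup scans; expected_*: the
# same figures for a uniform hash, modelling chain lengths as Poisson(n/size)
Report = namedtuple("Report", "entries longest_chain empty_buckets "
                              "expected_empty probe_cost expected_probe_cost")

def ip2int(dotted: str) -> int:
    octets = [int(x) for x in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def parse_conntrack_line(line: str) -> Optional[Tuple5]:
    """Original-direction tuple of one ip_conntrack line, or None.  The reply
    tuple repeats the keys, so only the FIRST src/dst/sport/dport is kept;
    lines without ports (ICMP) or junk lines give None."""
    fields = line.split()
    if len(fields) < 3 or fields[0] not in PROTO_NUM:
        return None
    kv = {}
    for tok in fields[2:]:          # state words and [ASSURED] simply fail KV_RE
        m = KV_RE.match(tok)
        if m and m.group(1) not in kv:
            kv[m.group(1)] = m.group(2)
    try:
        return Tuple5(ip2int(kv["src"]), ip2int(kv["dst"]),
                      int(kv["sport"]), int(kv["dport"]), int(fields[1]))
    except (KeyError, ValueError):
        return None

def additive_hash(t: Tuple5, size: int) -> int:
    """Unkeyed, sum-based bucket choice (stand-in).  The bucket depends only on
    the SUM of the fields, so a peer who keeps sport+dport constant lands every
    new flow in the same bucket, whatever the table size."""
    return (t.src + t.dst + t.sport + t.dport + t.proto) % size

def keyed_hash(key: bytes):
    """Keyed alternative: without the key a peer cannot predict shared buckets."""
    def h(t: Tuple5, size: int) -> int:
        data = (t.src.to_bytes(4, "big") + t.dst.to_bytes(4, "big")
                + t.sport.to_bytes(2, "big") + t.dport.to_bytes(2, "big")
                + bytes([t.proto]))
        digest = hashlib.blake2b(data, key=key, digest_size=8).digest()
        return int.from_bytes(digest, "big") % size
    return h

def bucket_report(tuples: Iterable[Tuple5], hashfn, size: int = HTABLE_SIZE) -> Report:
    counts = Counter(hashfn(t, size) for t in tuples)
    n = sum(counts.values())
    lam = n / size
    # an entry in a chain of length c sits at position (c+1)/2 on average;
    # for Poisson(lam) chains E[c(c+1)/2] / lam = 1 + lam/2
    cost = sum(c * (c + 1) / 2 for c in counts.values()) / n if n else 0.0
    return Report(n, max(counts.values(), default=0), size - len(counts),
                  size * math.exp(-lam), cost, 1 + lam / 2)

def colliding_tuples(n: int, src: str, dst: str) -> List[Tuple5]:
    """Constructed attacker flows: sport + dport is the same for all of them."""
    s, d = ip2int(src), ip2int(dst)
    return [Tuple5(s, d, 1024 + i, 60000 - i, 6) for i in range(n)]

def random_tuples(n: int, seed: int = 20020628) -> List[Tuple5]:
    """Constructed stand-in for benign traffic (deterministic PRNG)."""
    rng = random.Random(seed)
    return [Tuple5(rng.getrandbits(32), rng.getrandbits(32),
                   rng.randrange(1024, 65536), rng.choice((53, 80, 443)), 6)
            for _ in range(n)]

# constructed lines in the layout of the thread's /proc/net/ip_conntrack sample
SAMPLE_LINES = [
    "tcp 6 114 TIME_WAIT src=10.1.211.64 dst=192.0.2.66 sport=34685 dport=80 "
    "src=192.0.2.66 dst=10.1.211.64 sport=80 dport=34685 [ASSURED] use=1",
    "udp 17 29 src=10.1.7.3 dst=192.0.2.53 sport=1029 dport=53 "
    "src=192.0.2.53 dst=10.1.7.3 sport=53 dport=1029 use=1",
    "icmp 1 29 src=10.1.7.3 dst=192.0.2.1 type=8 code=0 id=512 "
    "src=192.0.2.1 dst=10.1.7.3 type=0 code=0 id=512 use=1",
]

if __name__ == "__main__":
    parsed = [t for t in map(parse_conntrack_line, SAMPLE_LINES) if t is not None]
    print(f"parsed {len(parsed)} of {len(SAMPLE_LINES)} sample lines (ICMP has no ports)")
    key = b"per-boot random secret"   # assumption: drawn from a CSPRNG at boot
    for label, data in (("benign", random_tuples(20000)),
                        ("attacker", colliding_tuples(20000, "198.51.100.7", "10.1.0.1"))):
        for name, fn in (("additive", additive_hash), ("keyed", keyed_hash(key))):
            print(label, name, bucket_report(data, fn))
```

To run it on a real dump (or on the mangled one above), feed the file's lines through parse_conntrack_line and hand the list to bucket_report. The point the two runs make is the one behind the thread's subject: on benign traffic the additive stand-in looks as flat as the keyed hash, so a good histogram from a captured dump says nothing about what a peer who chooses its own ports can do; only the keyed hash stays flat on the attacker set. One caveat on the mangling itself: with this stand-in hash and a power-of-two table of at most 2^16 buckets, rewriting the top 16 bits of an address changes the sum by a multiple of 2^16 and so leaves the bucket unchanged, which is why the mangled dump is still usable for that hash. Whether the same holds for the kernel's real hash depends on that hash, which this example does not reproduce.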


Thread overview: 55+ messages
2002-06-27 20:46 conntrack performance/DoS formula Don Cohen
2002-06-28  6:23 ` Patrick Schaaf
2002-06-28 17:53   ` Don Cohen
2002-06-28 18:36     ` Patrick Schaaf
2002-06-28 19:03       ` Don Cohen
2002-06-28 19:35         ` Patrick Schaaf [this message]
2002-06-28 19:39           ` Patrick Schaaf
2002-06-28 21:10           ` Don Cohen
2002-06-28 21:28             ` Patrick Schaaf
2002-06-28 21:49               ` Don Cohen
2002-06-28 22:30               ` Don Cohen
2002-06-29  9:03                 ` Patrick Schaaf
2002-06-29 16:48                   ` Don Cohen
2002-06-29 17:22                     ` Patrick Schaaf
2002-07-05 13:47                       ` Harald Welte
2002-06-29 17:33                     ` Patrick Schaaf
2002-06-29  9:29                 ` Patrick Schaaf
2002-06-29 12:07                 ` Patrick Schaaf
2002-06-29 12:34                   ` Patrick Schaaf
2002-06-30  8:31                     ` Patrick Schaaf
2002-06-30 19:40                       ` Don Cohen
2002-07-01  8:07                         ` Henrik Nordstrom
2002-07-01 17:49                           ` Don Cohen
2002-07-02  7:58                             ` Henrik Nordstrom
     [not found]                           ` <15652.38084.704660.234319@isis.cs3-inc.com>
2002-07-04 21:53                             ` Henrik Nordstrom
2002-07-05  7:08                               ` Don Cohen
2002-07-05 11:41                                 ` Henrik Nordstrom
2002-07-06  2:49                                   ` Don Cohen
2002-07-02 14:55                         ` Harald Welte
2002-07-02 14:40         ` Harald Welte
2002-07-02 16:32           ` Patrick Schaaf
2002-07-02 16:35             ` Patrick Schaaf
2002-07-02 16:53               ` Henrik Nordstrom
2002-07-02 17:48               ` Don Cohen
2002-07-02 18:31                 ` Patrick Schaaf
2002-07-02 21:52                   ` cttest-0.1 Patrick Schaaf
2002-07-03  4:15                     ` cttest-0.1 Joakim Axelsson
2002-07-05 15:37                       ` cttest-0.1 Martin Josefsson
2002-07-05 16:10                       ` cttest-0.1 Joakim Axelsson
2002-07-05 16:54                         ` cttest-0.1 Patrick Schaaf
2002-07-05 16:53                           ` cttest-0.1 Joakim Axelsson
2002-07-06  6:10                             ` cttest-0.1 Andrew Smith
2002-07-06  7:12                               ` cttest-0.1 Patrick Schaaf
2002-07-06 15:23                                 ` cttest-0.1 Patrick Schaaf
2002-07-06 21:14                                   ` cttest-0.1 Joakim Axelsson
2002-07-06 22:41                                     ` cttest-0.1 Joakim Axelsson
2002-07-06 23:16                                       ` cttest-0.1 Joakim Axelsson
2002-07-07  2:30                                         ` cttest-0.1 Svenning Sorensen
2002-07-07  4:23                                           ` cttest-0.1 Joakim Axelsson
2002-07-07  5:46                                             ` cttest-0.1 Joakim Axelsson
2002-07-07 11:00                                               ` cttest-0.1 Henrik Nordstrom
2002-07-06 22:54                                     ` cttest-0.1 Joakim Axelsson
2002-07-02 14:38 ` conntrack performance/DoS formula Harald Welte
     [not found] <20020701121404.B78724512@lists.samba.org>
2002-07-01 21:30 ` Don Cohen
2002-07-02  6:05   ` Patrick Schaaf
