* [LARTC] pps limit ?
From: Dmytro O. Redchuk @ 2006-08-30 14:07 UTC
To: lartc
Hello, list members,
Can I limit the pps rate with Linux? How?
-m limit does not fit, as I understood: it can help with low rates only
(is that true? any suggestions?)
Thank you,
--
_,-=._ /|_/|
`-.} `=._,.-=-._., @ @._,
`._ _,-. ) _,.-'
` G.m-"^m`m' Dmytro O. Redchuk
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] pps limit ?
From: Kajetan Staszkiewicz @ 2006-08-30 15:22 UTC
To: lartc
On Wednesday, 30 August 2006 16:07, Dmytro O. Redchuk wrote:
> Hello, list members,
>
> can i limit pps rate with linux? How?
>
> -m limit does not fit, as i understood: it can help with low rates only
> (is that true? any suggestions?)
Maybe hashlimit? What exactly do you need to do?
Here's what I use to rate-limit pps for every host in the network. In fact
this is on a 2.4 kernel with dstlimit (with some changes in the source), but
hashlimit works in the same way.
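# Create the limiting chain and send traffic arriving on eth1 through it.
$IPT -t mangle -N LIMITPAK
$IPT -t mangle -I FORWARD -i eth1 -j LIMITPAK
# Packets within each source IP's budget (75, burst 200) return to FORWARD.
$IPT -t mangle -A LIMITPAK -i eth1 -s 192.168.0.0/24 -m dstlimit --dstlimit 75 --dstlimit-burst 200 --dstlimit-mode srcip --dstlimit-name eth1_0.0 -j RETURN
# Anything from the subnet that exceeds its budget is dropped.
$IPT -t mangle -A LIMITPAK -i eth1 -s 192.168.0.0/24 -j DROP
$IPT -t mangle -A LIMITPAK -j RETURN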
--
| pozdrawiam / greetings | powered by Trustix, Gentoo and FreeBSD |
| Kajetan Staszkiewicz | jabber,email,www: vegeta()tuxpowered net |
| Vegeta | IMQ devnames: http://www.tuxpowered.net |
`------------------------^------------------------------------------'
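Added example, not part of the original message: the same per-source-IP limit written for the mainline hashlimit match, which the message says works the same way as dstlimit. The function names (is_uint, pps_limit_rules) and the hash table name are assumptions made for illustration; the script only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Emit (do not apply) a per-source-IP pps limit using the hashlimit match,
# mirroring the dstlimit rules in the message above.
# Pipe the output to "sh" as root to apply it.

is_uint() {  # true if $1 is a positive decimal integer without leading zero
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
        *) return 0 ;;
    esac
}

pps_limit_rules() {
    # usage: pps_limit_rules IFACE SUBNET PPS BURST [CHAIN]
    pl_if=$1 pl_net=$2 pl_pps=$3 pl_burst=$4 pl_chain=${5:-LIMITPAK}
    if ! is_uint "$pl_pps" || ! is_uint "$pl_burst"; then
        echo "pps and burst must be positive integers" >&2
        return 2
    fi
    # Hypothetical table name; hashlimit keeps one bucket per source IP in it.
    pl_name="${pl_if}_pps"
    cat <<EOF
iptables -t mangle -N $pl_chain
iptables -t mangle -I FORWARD -i $pl_if -j $pl_chain
iptables -t mangle -A $pl_chain -i $pl_if -s $pl_net -m hashlimit --hashlimit-upto $pl_pps/second --hashlimit-burst $pl_burst --hashlimit-mode srcip --hashlimit-name $pl_name -j RETURN
iptables -t mangle -A $pl_chain -i $pl_if -s $pl_net -j DROP
iptables -t mangle -A $pl_chain -j RETURN
EOF
}

# Values from the message above: 75 packets/second, burst 200, per source IP.
pps_limit_rules eth1 192.168.0.0/24 75 200
```

Review the printed rules before piping them to a root shell; a non-integer rate such as 8.5k is rejected with exit status 2.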
* Re: [LARTC] pps limit ?
From: Dmytro O. Redchuk @ 2006-08-31 6:06 UTC
To: lartc
On Wed, Aug 30, 2006 at 05:22:27PM +0200, Kajetan Staszkiewicz wrote:
> On Wednesday, 30 August 2006 16:07, Dmytro O. Redchuk wrote:
> > Hello, list members,
> >
> > can i limit pps rate with linux? How?
> >
> > -m limit does not fit, as i understood: it can help with low rates only
> > (is that true? any suggestions?)
>
> Maybe hashlimit?
Maybe. I should try. Thanks.
> What do you exactly need to do?
Limit a host's traffic to, let's say, 8.5kpps, drop any "exceeded" packet.
I guess dstlimit will not help me either :-(
Limiting such rates on firewalls seems to be too expensive and I don't
mention a firewall (iptables) as a tool for doing that.
No, surely, I am asking for help :-) Are there any tools which can handle
and limit such pps rates?
-m limit, if I can remember, accepts limits up to 10k, but it seems to be
*terribly* wrong on limiting that... I wish I were incorrect...
> $IPT -t mangle -I FORWARD -i eth1 -j LIMITPAK
[...]
Thanks, anyway.
--
_,-=._ /|_/|
`-.} `=._,.-=-._., @ @._,
`._ _,-. ) _,.-'
` G.m-"^m`m' Dmytro O. Redchuk
* Re: [LARTC] pps limit ?
From: Roy-Magne Mo @ 2006-08-31 10:35 UTC
To: lartc
Dmytro O. Redchuk wrote:
> Hello, list members,
>
> can i limit pps rate with linux? How?
>
> -m limit does not fit, as i understood: it can help with low rates only
> (is that true? any suggestions?)
This is probably better achieved at the switch level. If this is for
stopping viruses and DoS-attacks, then it's better to stop the traffic
as close to the source as possible.
--
Roy-Magne Mo
* Re: [LARTC] pps limit ?
From: Dmytro O. Redchuk @ 2006-08-31 11:03 UTC
To: lartc
On Thu, Aug 31, 2006 at 12:35:32PM +0200, Roy-Magne Mo wrote:
> Dmytro O. Redchuk wrote:
> >Hello, list members,
> >
> > can i limit pps rate with linux? How?
> >
> > -m limit does not fit, as i understood: it can help with low rates only
> > (is that true? any suggestions?)
>
> This is probably better achieved at the switch level. If this is for
> stopping viruses and DoS-attacks, then it's better to stop the traffic
> as close to the source as possible.
Mmm, probably I mentioned a Linux box acting as a bridge [too]. And,
probably, not to stop, but to "prevent", by setting up some policy for pps
rates.
Probably, it's possible to set up some policing on a Cisco Catalyst switch,
but if Linux had some tools to do "the same", it would be better,
as for me.
And I don't like "police [rate-bps] ..." here, I like htb in the same
situation :-)
I need a kind of "police [rate-*pps*] ...", and, preferably, for Linux.
:-(
It seems it's not possible, so I should probably review my
considerations.
Thank you.
>
> --
> Roy-Magne Mo
--
_,-=._ /|_/|
`-.} `=._,.-=-._., @ @._,
`._ _,-. ) _,.-'
` G.m-"^m`m' Dmytro O. Redchuk