Moving on to another example.
If I want each authentication (username and password) in the captive portal to set up rules limiting the speed of the user's IP, how do I do it? Can I create two rules, in/out, for each user, associated with a pipe? When simulating this with a script that adds hundreds of rules, the latency also increases. How do I resolve this?

Adrian Chadd wrote:
You'd almost certainly be better off hacking up an extension to ipfw
which lets you count a /24 in one rule.

As in, the count rule would match on the subnet/netmask, have 256 32
(or 64 bit) integers allocated to record traffic in, and then do an
O(1) operation using the last octet of the v4 address to map it into
this 256 slot array to update counters for.

It'd require a little tool hackery to extend ipfw in userland/kernel
space to do it but it would work and be (very almost) just as fast as
a single rule.

2c,

Adrian

2009/4/23 Daniel Dias Gonçalves <d...@yan.com.br>:
Hi,

My system is FreeBSD 7.1R.
When I add IPFW COUNT rules for 254 IPs from my network, one of my interfaces
increases the latency, causing large delays in the network. When I delete the
COUNT rules, everything returns to normal. What can it be?

My script:

ipcount.php
-- CUT --
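<?php
// Adds two ipfw count rules (to and from) for every host in 192.168.0.0/24.
$c = 0;        // number of hosts processed
$a = 50100;    // first ipfw rule number
for ($x = 0; $x <= 0; $x++) {
      for ($y = 1; $y <= 254; $y++) {
              $ip = "192.168.$x.$y";
              // Both directions share rule number $a.
              system("/sbin/ipfw -q add $a count { tcp or udp } from any to $ip/32");
              system("/sbin/ipfw -q add $a count { tcp or udp } from $ip/32 to any");
              #system("/sbin/ipfw delete $a");
              $c++;
              $a++;
      }
}
echo "\n\nTotal: $c\n";
?>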
-- CUT --

net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.static_count: 262
net.inet.ip.fw.dyn_max: 10000
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_buckets: 10000
net.inet.ip.fw.default_rule: 65535
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.debug: 0
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.enable: 1
net.link.ether.ipfw: 1
net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0

Thanks,

Daniel
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
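
A userland C model of the per-/24 counter array Adrian describes above, added here as an illustration; it is not ipfw code and not code from anyone in the thread. The names (`subnet_rule`, `subnet_rule_count`, `ip4`) are hypothetical, addresses are IPv4 in host byte order, and unlike the script's rules it does not filter on TCP/UDP.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one "count a /24" rule; names are not ipfw's. */
struct host_ctr { uint64_t pkts_in, bytes_in, pkts_out, bytes_out; };
struct subnet_rule {
    uint32_t net;               /* network address, host byte order */
    uint32_t mask;              /* 0xffffff00 for a /24 */
    struct host_ctr host[256];  /* one slot per last octet */
};

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

static void subnet_rule_init(struct subnet_rule *r, uint32_t net)
{
    memset(r, 0, sizeof(*r));
    r->mask = 0xffffff00u;
    r->net = net & r->mask;
}

/* Account one packet: two mask compares and at most two array updates,
 * whatever the number of hosts. Returns how many counters were touched. */
static int subnet_rule_count(struct subnet_rule *r, uint32_t src,
                             uint32_t dst, uint32_t len)
{
    int hits = 0;
    if ((src & r->mask) == r->net) {        /* traffic leaving a host */
        struct host_ctr *h = &r->host[src & 0xff];
        h->pkts_out++; h->bytes_out += len; hits++;
    }
    if ((dst & r->mask) == r->net) {        /* traffic arriving at a host */
        struct host_ctr *h = &r->host[dst & 0xff];
        h->pkts_in++; h->bytes_in += len; hits++;
    }
    return hits;
}

int main(void)
{
    static struct subnet_rule r;            /* constructed sample traffic */
    subnet_rule_init(&r, ip4(192, 168, 0, 0));
    subnet_rule_count(&r, ip4(192, 168, 0, 7), ip4(10, 0, 0, 1), 1500);
    subnet_rule_count(&r, ip4(10, 0, 0, 1), ip4(192, 168, 0, 7), 400);
    printf("192.168.0.7: out %llu B, in %llu B\n",
        (unsigned long long)r.host[7].bytes_out, (unsigned long long)r.host[7].bytes_in);
    return 0;
}
```
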
