ble and matches the command in ping) to
call this setsockopt() and implement a "do not fragment" option.
--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
On Sun, May 04, 2008 at 05:51:22PM -0400, [EMAIL PROTECTED] wrote:
> A new version of the em drivers went into the tree Friday.
Yes but it also broke kernel builds if you don't add device igb. :)
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/
uting-instance IIRC.
Instance is a good name for it. You could go with "rib" or "rt" but then
you have to explain what that means to people who don't know. :)
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbi
er
kernel implementation.
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/list
On Fri, Sep 21, 2007 at 09:46:02PM +1000, Norberto Meijome wrote:
> Richard A Steenbergen <[EMAIL PROTECTED]> wrote:
>
> > Honestly, FreeBSD routing code is pretty poor as far as a modern router
> > goes. If you throw enough CPU at it you can brute force your way throu
commercial routers it
doesn't even play in the same league (even for a software-only router).
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
_
gy and on top of that
> do not even know how the implementation even works. ECMP does not solve the
> issue at hand, so stop trying to solve the issue with something that will not
> do the job at all.
Most of your post is a mix of things that are completely incorrect, or
snippets of things
On Tue, Mar 28, 2006 at 09:03:43PM -0500, Brad wrote:
> On Tue, Mar 28, 2006 at 07:20:15PM -0500, Richard A Steenbergen wrote:
> > On Tue, Mar 28, 2006 at 04:59:11PM -0500, Brad wrote:
> > > On Tue, Mar 28, 2006 at 08:56:24PM +, Baldur Gislason wrote:
> > > > Fol
bably the
person to pester about that, I know he's been doing a lot of work recently
trying to bring fbsd's routing code into the 21st century. If you're bored
and looking for something to work on outside of the routing code, I think
both fbsd and obsd's L2 ch
> couple of years.
> OR Is there any slightest possibility
If you're sure you're not going to deal with fragments, and you're ok with
violating rfc's and hacking the headers to suit your needs, why not steal
the id and/or frag offset fields?
--
Richard A Steenber
i jumbo too. There are still plenty of NICs and switches out there
with no or very half-ass jumbo support though.
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
___
LR in 10GE. I know nothing about fbsd's level of support for SFP based
cards, but I would imagine it isn't going to be good based on the above.
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC
g processed
before global. As someone who has clearly spent a lot of time trying to
un-hose fbsd's legacy network code, I'm surprised to see you on the wrong
side of that argument. :)
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12C
> > Athlon WinXP box (both at 100% CPU from distribfolding client:
>
> which is completely irrelevant because your winxp machine doesn't have
> the aforementioned icmp response limiter.
Can a brothah get a ping "as fast as we can get responses back" (like
Junipe
On Sun, Dec 14, 2003 at 11:29:07AM +0700, Eugene Grosbein wrote:
>
> 100*1024*1024/8/1500=8738.1(3)
SI in bits across a network is base 10, not 2 (1000 vs 1024).
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED
roperate. This is mainly used to provision metro ethernet
services where you provide a vlan per customer and they want to be able
to use their own vlans without consulting you for numbering.
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net
On Fri, Nov 14, 2003 at 03:28:47PM -0500, Richard A Steenbergen wrote:
>
> You're a little off on the implementation of the layer 3 switches. They do
> not use "flows" per se, but rather their hardware destination lookups are
> not pre-programmed. This means that whe
RIB becomes one of the worst implementations you can use (for
only insertions, deletions, and exact matches). If you're making a router,
this is certainly the way to go, but for a host I suspect you're probably
going to end up stuck with a toggle switch and a patricia rib for a while
de of the
world... Or maybe it's unfair that you pay so little for that longhaul
traffic, and they're just giving you a lower price because they assume
you'll do some local traffic and it will all average out.
--
Richard A Steenbergen <[EMAI
desire
full end to end reachability "most of the time", and just want to prevent
some DoS, a rate limit is probably more useful.
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC
ess you have a
REALLY low end router :P).
But if the point of this discussion is to protect the hosts from falling
over, then the network must be able to deliver a sufficiently large
attack.
And nothing sucks quite like watching a GSR fall over under a 20Mbit SYN
flood. :)
--
Richard A Steenbergen
es to strike. Protecting your network
infrastructure is certainly the next place to go after you protect your
high-target hosts.
For some examples, see http://www.e-gerbil.net/ras/projects/dos/dos.txt
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
GPG Key
your needs, or
better yet (since you obviously don't mind a fbsd specific hack) just use
bpf yourself (and you get bpf write functionality too :P).
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C
make it pcap-user tunable, the comment even says so, but until
they do... Well it should be really really simple to add a hook for
changing it, if you wanted to try submitting it to the pcap folks. :)
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
PGP Key ID: 0x
unately, the performance
impact of doing radix tree lookups for a full routing table to filter this
way would probably be worse than not filtering at all. While any device
which calls itself a modern router SHOULD have this functionality, I think
there are more important things to fix fi
re.
>
> Is there a way?
sysctl net.inet.icmp.bmcastecho=0 has been the default since... well since
smurf came out. :)
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
To Unsubscribe:
e 10.0.0.0/9 and 10.128.0.0/9.
That is not a longest prefix match, this is an exact match.
> Where? Do you mean rt_metrics?
Yes.
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6
eous amounts of memory consumed by the caching
mechanism.
Oh, and it should be able to support multiple nexthops per prefix, and
load balance across them. I think even Linux has this support now, and an
actual FIB.
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil
se 15
> years ago to have pointers from the INPCBs directly to the route node
> and the if-structures doing the same and vice versa, but today it's
> simply messy.
Indeed.
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177
t gut the current radix tree and fast-switch like route-cache
system, and replace it with something optimized for fast insertions and
deletions (and FIB building) but not longest prefix matching for the RIB,
and a 4 level 8-bit mtrie (seems to work best for PC hardware) for the
FIB.
--
Richard A S
As someone who has actually written a BGP implementation from scratch, let
me be the first to tell you that you are full of shit. BGP is a very
complex beast, and Juniper has spent a good amount of time making what is
without a doubt the most powerful BGP implementation currently available.
--
R
is totally frozen.
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
cpdump. Adding these
> flags would require extending the bpf API. They couldn't be added for
> the default case, because that would break compatibility with other
> applications. They'd have to be enabled specifically, by means of a
> new ioctl.
You could always just add
ually implements this though.
>
> Don't forget to add EIGRP and CDP to the list. -sc
Whoops, I meant the "cisco only"isms related to link aggregation. One could
list Cisco proprietary protocols that don't work with other vendors for
days and still not get them all. :)
--
Richar
because
the dumb switch didn't know how to do linkagg, but in that case it
wouldn't really matter.
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
er 3/4 headers around. Or perhaps it should be entirely
kernel based for simple NAT, but with a hook for a userland program that
could snarf the headers and make decisions if needed/wanted.
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (
device you're connected to
because often times its inability to transmit the packet. Were both cards
connected to the same device outputting to the same destination under the
same lan conditions?
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
PGP Key ID: 0x138
nt of data in
the snd sockbuf and thus the size of the tcp window which can be fast
recovered in the event of packet loss, but if done correctly and with a
semi accurate guess at the rate of drain it could be useful. kevent
filter?
If sendfile() was in effect aio_sendfile(), it would be even
16 connections closed (including 36674703 drops)
6369861 connections updated cached RTT on close
6369861 connections updated cached RTT variance on close
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177 (67 29 D
Memory statistics by type Type Kern
Type InUse MemUse HighUse Limit Requests Limit Limit Size(s)
routetbl728180102400K 102401K102400K 73822480 0 16,32,64,128,256
100MB in use by the routing table? There are only 6 routes... :P
--
Richard A
On Wed, 13 Dec 2000, Mike Silbersack wrote:
> On Wed, 13 Dec 2000, Richard A. Steenbergen wrote:
>
> > > Hm, true. I was thinking of limiting the outgoing side, which would mean
> > > ipfw comes later in the string, but I suppose that if you limit on the
>
On Wed, 13 Dec 2000, Mike Silbersack wrote:
> On Wed, 13 Dec 2000, Richard A. Steenbergen wrote:
>
> > Is there some specific reason you need timestamp separate? If you're
> > really up for that, why not just limit each ICMP type separately?
>
> There's no r
ld
be separate limits at some fundamental level, such as tcp-closed tcp-open
udp(closed) icmp-response and icmp-error. How much further you want to
push it is debatable mainly just because of the hassle of too many
unnecessary tunables, not for any real performance or memory reasons.
--
Richard A
a listener" (or open
port, whatever floats the boat) and be done with it. The major goal of
this code would seem to be to provide simple but fairly useful protection
against common attacks out of the box, not to provide analysis of the
attacks (since no useful analysis can be performed witho
reason to put ICMP Timestamp
in a separate queue, but what I would recommend is separate queues for
ICMP messages which would be defined as "query/response" and those which
would be called "error" messages. If someone needs more specific
protection they can use dummynet.
Just a