IPFWTHROTTLE(8)           BSD System Manager's Manual          IPFWTHROTTLE(8)
NAME
ipfwthrottle - throttle IP packet flows
SYNOPSIS
ipfwthrottle [-ASDnv] [-b buckets] [-m mask] [-s serial] [-t when] [-T tag]
[-x max] [packets/seconds]
DESCRIPTION
The ipfwthrottle utility is used to limit the number of packets per second
for a given class of IP packets. For instance, it may be used to limit
the number of SMTP sessions between a pair of hosts to 25 per minute, or
the number of DNS requests from a given host to 50 per second. This is
different from ipfwrate(8), which limits the bit rate at which packets
may depart the system.
For each instance of a throttle filter, a cache of sessions is maintained.
A hash function is applied to the session key to choose a bucket, and the
linked list chained from that bucket is then walked to find the correct
entry. A session is defined by one or more of the following: source IP
address, destination IP address, source port, and destination port. By
default only the source and destination IP addresses are used.
A throttle filter is always installed on the call filter point (see
ipfw(8)).
With no arguments (options only), statistics about the sessions being
throttled are displayed.
If the single packets/seconds argument is provided, it specifies how many
packets may be sent in the given span of time. Note that 5/1 and 50/10
are different. 5/1 says up to 5 packets may be sent in a space of 1
second. 50/10 says up to 50 packets may be sent in the space of 10
seconds, and all 50 packets might arrive within a fraction of the first
second, followed by nearly 10 seconds in which no packets are allowed.
The following options are available:
-A Ignore the addresses when determining the session.
-b buckets
Set the number of hash buckets to be used to buckets. The default
setting of 997 is probably good for most situations. If you are
expecting a large number of simultaneous sessions you may want to
increase this value. The value should be prime, or close to it. To
support about 50,000 sessions a value of 9977 would probably work
fine.
-D Only use the destination IP address for determining the session.
-m mask
Use the bits specified by mask in the first 4 bytes of IP data, read
as a 32-bit value in network byte order, to further qualify this
session (beyond the source and destination addresses). This is
mainly used for TCP and UDP, where those 4 bytes are the source port
followed by the destination port. Use 0x0000ffff for the destination
port only, 0xffff0000 for the source port only and 0xffffffff for
both destination and source ports. The default is 0, i.e., the IP
data is ignored. For other protocols, and for non-initial IP
fragments, the first 4 bytes of data are not port numbers, so a
non-zero mask keys sessions on whatever happens to be there.
-n Do not sort output when displaying.
-S Only use the source IP address for determining the session.
-s serial
Display only the information for the specified serial number.
-t when
Expire all sessions that are older than when seconds. Times may
be modified with s, m, h, d, w, and y to specify seconds, minutes,
hours, days, weeks and years. For example: 1m30s is 1 minute and
30 seconds. A year is always considered to have 365 days.
-T tag Specify the tag to be used. If this is not specified then a tag
will be generated by the system. It is almost always wrong not to
specify a tag, since the tag is how other filters refer to the
throttle filter (see the call() usage under HOW TO USE).
-v Provide additional information while running.
-x max Set the maximum number of entries to max. If more than max
entries are needed, the oldest entries are removed to make room
for the new entries.
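The following added example models how the session-selection options (-S, -D, -A and -m) and the table-management options (-b, -x and -t) combine, using constructed sample packets; it is not ipfwthrottle's own code. The names, the use of zlib.crc32 as a stand-in for the unspecified hash function, and the reading of "oldest" as "least recently seen" (the page does not say which timestamp is meant) are assumptions made for the example.

```python
import struct
import zlib

# Port masks for -m: the first 4 bytes of TCP/UDP data are the source port
# followed by the destination port, read as a big-endian 32-bit value.
MASK_DSTPORT = 0x0000FFFF
MASK_SRCPORT = 0xFFFF0000
MASK_BOTH = 0xFFFFFFFF

# Time units accepted by -t; a year is always 365 days.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400, "y": 365 * 86400}


def parse_when(text):
    """Parse a -t value such as '1m30s' into seconds; a bare number means seconds."""
    total, digits = 0, ""
    for ch in text:
        if ch.isdigit():
            digits += ch
        elif ch in UNITS and digits:
            total += int(digits) * UNITS[ch]
            digits = ""
        else:
            raise ValueError("bad time specification: %r" % text)
    return total + (int(digits) if digits else 0)


def build_ipv4(src, dst, proto, sport, dport):
    """Constructed sample packet: minimal IPv4 header (no options) + 4 bytes of L4 ports."""
    data = struct.pack("!HH", sport, dport)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + data


def session_key(packet, use_src=True, use_dst=True, mask=0):
    """Derive the session key: -S is use_dst=False, -D is use_src=False, -A is both False."""
    ihl = (packet[0] & 0x0F) * 4                    # IP header length in bytes
    src, dst = packet[12:16], packet[16:20]
    word = struct.unpack("!I", packet[ihl:ihl + 4].ljust(4, b"\0"))[0] & mask
    return (src if use_src else None, dst if use_dst else None, word)


class SessionTable:
    """Hash buckets with chained entries, bounded by -x and aged out by -t.

    Assumption: "oldest" means least recently seen. zlib.crc32 stands in for
    the hash function, which the manual page does not specify.
    """

    def __init__(self, buckets=997, max_entries=None):
        self.buckets = [[] for _ in range(buckets)]
        self.max_entries = max_entries
        self.count = 0

    def bucket_of(self, key):
        return zlib.crc32(repr(key).encode()) % len(self.buckets)

    def lookup(self, key, now):
        """Return the entry for key, creating it (and evicting first if at -x max) when absent."""
        chain = self.buckets[self.bucket_of(key)]
        for entry in chain:
            if entry["key"] == key:
                entry["last"] = now
                return entry
        if self.max_entries is not None and self.count >= self.max_entries:
            self.evict_oldest()
        entry = {"key": key, "first": now, "last": now, "count": 0}
        chain.append(entry)
        self.count += 1
        return entry

    def evict_oldest(self):
        oldest = min((e for chain in self.buckets for e in chain), key=lambda e: e["last"])
        self.buckets[self.bucket_of(oldest["key"])].remove(oldest)
        self.count -= 1

    def expire(self, now, age):
        """Drop every session not seen for `age` seconds (the -t behaviour); return how many."""
        removed = 0
        for chain in self.buckets:
            keep = [e for e in chain if now - e["last"] < age]
            removed += len(chain) - len(keep)
            chain[:] = keep
        self.count -= removed
        return removed


# Constructed packets: two SMTP connections from the same client (different
# source ports) and one DNS query from another host.
SMTP_A = build_ipv4("192.0.2.1", "198.51.100.1", 6, 40000, 25)
SMTP_B = build_ipv4("192.0.2.1", "198.51.100.1", 6, 40001, 25)
DNS_Q = build_ipv4("203.0.113.5", "198.51.100.1", 17, 5353, 53)

if __name__ == "__main__":
    print("default key, same session:", session_key(SMTP_A) == session_key(SMTP_B))
    print("-m 0xffffffff, same session:",
          session_key(SMTP_A, mask=MASK_BOTH) == session_key(SMTP_B, mask=MASK_BOTH))
```

The two SMTP packets share a session under the default (addresses only) and under -m 0x0000ffff, but are distinct sessions under -m 0xffffffff because their source ports differ; that distinction matters when choosing a mask for a per-host-pair limit.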
HOW TO USE
Multiple throttle filters may be used and they may be called from different
filtering points. The most common filter points are input and forward
(see ipfw(8)). A single throttle filter may filter multiple types of
connections; however, only a single rate can be applied and the protocol
is not considered. In general you should have a new throttle filter for
each IP protocol being examined. This example assumes the site is
throttling SMTP and DNS requests into the local machine. It wants to
limit the SMTP requests to 25 per minute and the DNS requests to 50 per
second. The following two commands would be issued:
ipfwthrottle -m 0x0000ffff -T SMTP-throttle 25/60
ipfwthrottle -m 0xffffffff -T DNS-throttle 50/1
The SMTP throttle keys on the destination port only: each new TCP
connection uses a fresh source port, so a mask that includes the source
port (0xffffffff) would make every connection its own session and the
25/60 limit would only ever count the retransmitted SYNs of one
connection, never the number of connections between the pair of hosts.
The DNS throttle includes the source port, which counts queries per
querying socket; if the querying host does not reuse a single source
port, use 0x0000ffff there as well. An input filter is then constructed
which contains the code fragment:
tcp && dstport(smtp/tcp) && !established && !call("SMTP-throttle") {
reject;
}
udp && dstport(domain/udp) && !call("DNS-throttle") {
reject;
}
In each case, the standard IPFW language is used to determine whether
the packet should be subject to throttling; the !established test in the
SMTP rule means only connection attempts reach the throttle, not every
packet of an established session. Once it is determined that this packet
type is subject to throttling, the throttle filter is called. If the
filter does not return success the packet is rejected (the throttle
filter returns a true value if the packet should be allowed and a false
value if it should not be allowed).
SEE ALSO
ipfw(8), ipfwcmp(8)
Dec 1, 1999