
It's been a very long time since I've done rate limiting etc. with BSD; I've done it more recently with Linux, though. Generally you will want to keep state information just to reduce the CPU load of having to match traffic and create sessions. UDP session state is just a timeout on when traffic last matched, unlike TCP, which has session information inbuilt of course.

 

Just be careful rate limiting UDP traffic though: make sure the application on both ends can handle packet loss and communication integrity, else you're going to have a bad day. Rate limiting is just packet dropping after all, until the clients adjust sending rates (if at all).

https://linustechtips.com/topic/727704-freebsd-rate-limiting/#findComment-9254305

7 hours ago, Mornincupofhate said:

How would I go about rate limiting with UDP? I've been searching this for a while now.

Would I just need to keep the states for all UDP packets, and then do


$cmd 00001 allow udp from any to me 80 limit src-addr 2

Also I think that command isn't quite what you're after; that would limit the number of allowed sessions that match that rule to 2. I think.

https://www.openbsd.org/faq/pf/filter.html

 

Edit:

Quote

limit {src-addr | src-port | dst-addr | dst-port} N
    The firewall will only allow N connections with the same set of
    parameters as specified in the rule. One or more of source and
    destination addresses and ports can be specified. Currently,
    only IPv4 flows are supported

https://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8&manpath=freebsd-release-ports

 

You also need to send the matched traffic to pipe/queue to do the traffic shaping.

 

Quote

pipe pipe_nr
    Pass packet to a dummynet ``pipe'' (for bandwidth limitation,
    delay, etc.). See the TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
    Section for further information. The search terminates; however,
    on exit from the pipe and if the sysctl(8) variable
    net.inet.ip.fw.one_pass is not set, the packet is passed again to
    the firewall code starting from the next rule.

queue queue_nr
    Pass packet to a dummynet ``queue'' (for bandwidth limitation
    using WF2Q+)

https://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8&manpath=freebsd-release-ports


16 hours ago, leadeater said:

It's been a very long time since I've done rate limiting etc. with BSD; I've done it more recently with Linux, though. Generally you will want to keep state information just to reduce the CPU load of having to match traffic and create sessions. UDP session state is just a timeout on when traffic last matched, unlike TCP, which has session information inbuilt of course.

 

Just be careful rate limiting UDP traffic though: make sure the application on both ends can handle packet loss and communication integrity, else you're going to have a bad day. Rate limiting is just packet dropping after all, until the clients adjust sending rates (if at all).

My problem with Linux is that, according to Cloudflare, the kernel will only be able to do 1-2m pps max on very good hardware (correct me if I'm wrong). There are benchmarks out there with FreeBSD (firewall with rules set) doing 5-8m pps on a slow 8 core.


27 minutes ago, Mornincupofhate said:

My problem with Linux is that, according to Cloudflare, the kernel will only be able to do 1-2m pps max on very good hardware (correct me if I'm wrong). There are benchmarks out there with FreeBSD (firewall with rules set) doing 5-8m pps on a slow 8 core.

Yea, BSD should be better for that, but do you need that amount of packet performance? It also depends on whether you're doing any hardware offloading, but if you do that you lose the ability to do the types of things you want to do, not without doing it upstream/downstream on a switch using DSCP.

 

You can do what you want with BSD, I know you can because I have done it. Back at uni we used BSD to simulate slow internet connections and packet loss etc.


On 1/24/2017 at 2:16 AM, leadeater said:

Also I think that command isn't quite what you're after; that would limit the number of allowed sessions that match that rule to 2. I think.

https://www.openbsd.org/faq/pf/filter.html

 

Edit:

https://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8&manpath=freebsd-release-ports

 

You also need to send the matched traffic to pipe/queue to do the traffic shaping.

 

https://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8&manpath=freebsd-release-ports

I've been looking through it, and I found out how to shape bandwidth and everything, but is it possible to limit the packets per second of a pipe? I tried doing a Google search on it, but most posts are from 2008 and it "hasn't been implemented yet".


10 minutes ago, Mornincupofhate said:

I've been looking through it, and I found out how to shape bandwidth and everything, but is it possible to limit the packets per second of a pipe? I tried doing a Google search on it, but most posts are from 2008 and it "hasn't been implemented yet".

Not sure, bandwidth and packets per second do have a relationship. But packet storms are usually small sized and may not trigger a bandwidth shaper.

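To pull the pieces of the thread together (the dummynet pipe, the one_pass sysctl so the packet continues to the limit rule, and limit src-addr with UDP state), here is an ipfw ruleset for inbound UDP to port 80 written as an added example; it is not code from the thread or from the FreeBSD project, and the pipe parameters (2 Mbit/s, 50 queue slots, 20 ms delay, 1% loss) and rule numbers are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw + dummynet ruleset for inbound
# UDP to port 80. Call udp_rules with no argument on a FreeBSD box to apply
# it, or udp_rules echo to print the commands instead (dry run).

udp_rules() {
    run="${1:-}"   # "" = execute, "echo" = print only

    # Let packets re-enter the ruleset after the pipe so the limit rule
    # below still applies (default one_pass=1 accepts them straight away).
    $run sysctl net.inet.ip.fw.one_pass=0

    # dummynet pipe. bw is a byte-rate shaper, so a storm of tiny packets
    # may sit well under it; queue N is the slot count and packets arriving
    # at a full queue are dropped. delay/plr are the "slow lossy link" knobs
    # (assumed values).
    $run ipfw -q pipe 1 config bw 2Mbit/s queue 50 delay 20 plr 0.01

    # Start from an empty ruleset, then send matching UDP into the pipe.
    $run ipfw -q flush
    $run ipfw -q add 00100 pipe 1 udp from any to me 80 in

    # limit implies keep-state: at most 2 dynamic UDP states per source
    # address; each state expires net.inet.ip.fw.dyn_udp_lifetime seconds
    # after its last matching packet. Excess sources fall through to deny.
    $run ipfw -q add 00110 allow udp from any to me 80 in limit src-addr 2
    $run ipfw -q add 00120 deny udp from any to me 80 in
}

# Number of "add" rules the function emits (handy for a dry-run sanity check).
rule_count() {
    udp_rules echo | grep -c 'ipfw -q add'
}

# Print the ruleset when run directly: sh thisfile.sh
[ "${1:-}" = "" ] && udp_rules echo
```

Apply it with one_pass left at 1 and rule 00110 never runs, which is the trap the quoted man page text warns about.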

On 1/27/2017 at 3:33 PM, leadeater said:

Not sure, bandwidth and packets per second do have a relationship. But packet storms are usually small sized and may not trigger a bandwidth shaper.

Do you know what packet queue does? Does it just put excess bandwidth/packets into a queue instead of dropping them?

