On Fri, Aug 03, 2001 at 01:42:06PM +0200, clemens wrote:
> this patch introduces global icmp rate limiting
> (/proc/sys/net/ipv4/icmp_ratelimit) with the ability to arbitrarily
> rate limit or unlimit certain icmp types (/proc/sys/net/ipv4/icmp_ratemask,
> but you better have a look at icmp.c before changing this).
If somebody is going to change the icmp rate limiting code, please take
into consideration fixing the kernel/userspace interface as well.
There was a thread about this on linux-kernel some months ago.
The basic problem is that the values in /proc/sys/net/icmp_xxx_rate are
dependent on HZ. This is bad, because there is no way to read out HZ from
userspace (yes, there is code which tries to guess it, but that's a bad hack).
So either we have
a) HZ is not exposed to userspace _AND_ all interfaces are HZ-independent
b) HZ is exposed to userspace
But the current situation, where every sysctl.conf including icmp rate limits
just has to guess what HZ is, is from my point of view a broken interface.
And then of course I have to add (as a comment) that the functionality of
generic icmp rate limiting is replicated in iptables currently (icmp match +
limit match)... but yes, I understand that there are reasons why you don't
want to load iptables.
> clemens
--
Live long and prosper
- Harald Welte / laforge@xxxxxxxxxxxx http://www.gnumonks.org