Darren Reed writes:
> On networking-discuss, Kacheong raised the problem of the kernel
> only throttling ICMP packets on a packets-per-second basis. So the
> obvious question to me becomes, why can't crossbow be used to
> throttle all ICMP errors?
>
> The unfortunate part of this is that classifying ICMP errors is not
> achievable with a simple bit-mask.
The current default send limit is an average of one message every 100ms
or a burst of 10 ICMP error messages arbitrarily fast. If we bump up
to the RFC suggested 576 bytes per message, we're talking about
roughly 45Kbps.
That's it. It's a trivial amount of traffic when you don't futz with
the existing timers.
I maintain that (a) Crossbow, with its limited flow granularity, would
not help in this instance and that (b) changing from 64 to 576 and
removing the tunable won't actually cause any undue hardship.
If you really have a link somewhere that'll be the target of 45Kbps
worth of ICMP errors, and that'll melt at that rate, then I suggest
just filtering out all ICMP. That link is just too fragile.
--
James Carlson, Solaris Networking <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
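The limiter described in the message (one ICMP error per 100ms on average, bursts of up to 10, sent "arbitrarily fast") is a token bucket. The following is an added example, not Solaris kernel code and not code from anyone in this thread: it models that bucket with a deterministic millisecond clock, simulates a host that triggers an error on every incoming packet, and works out the resulting wire rate for the 64-byte and 576-byte message sizes under discussion. The struct and function names, and the 1000-packets-per-second attacker in the simulation, are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Token bucket for ICMP error generation (illustrative, not the Solaris
 * implementation). One token is refilled every interval_ms; the bucket
 * holds at most `burst` tokens, so up to `burst` errors can go out
 * back-to-back once the bucket is full. */
struct icmp_err_limit {
    uint32_t interval_ms; /* average spacing between errors */
    uint32_t burst;       /* bucket capacity */
    uint32_t tokens;      /* tokens currently available */
    uint64_t last_ms;     /* clock value of the last refill boundary */
};

void icmp_err_limit_init(struct icmp_err_limit *l, uint32_t interval_ms,
                         uint32_t burst, uint64_t now_ms)
{
    l->interval_ms = interval_ms;
    l->burst = burst;
    l->tokens = burst; /* start full: a fresh system may burst immediately */
    l->last_ms = now_ms;
}

/* Decide whether an ICMP error may be sent at time now_ms. Refills
 * lazily from the elapsed time rather than from a periodic timer. */
bool icmp_err_allowed(struct icmp_err_limit *l, uint64_t now_ms)
{
    if (now_ms > l->last_ms) {
        uint64_t refill = (now_ms - l->last_ms) / l->interval_ms;
        if (refill > 0) {
            uint64_t t = (uint64_t)l->tokens + refill;
            l->tokens = t > l->burst ? l->burst : (uint32_t)t;
            /* advance by whole intervals only, keeping the remainder */
            l->last_ms += refill * l->interval_ms;
        }
    }
    if (l->tokens == 0)
        return false;
    l->tokens--;
    return true;
}

/* Sustained (post-burst) bit rate the limiter permits for a given
 * message size: one message per interval_ms. 576 bytes at 100 ms is
 * the ~45 Kbps figure from the message. */
uint64_t icmp_err_sustained_bps(uint32_t interval_ms, uint32_t msg_bytes)
{
    return (uint64_t)msg_bytes * 8ULL * 1000ULL / interval_ms;
}

/* Simulate a peer that provokes an ICMP error every `period_ms` for
 * `duration_ms` (constructed attacker, 1 packet/ms in the usage below)
 * and return how many errors the limiter actually lets out. */
uint32_t icmp_err_simulate(uint32_t interval_ms, uint32_t burst,
                           uint32_t period_ms, uint64_t duration_ms)
{
    struct icmp_err_limit l;
    uint32_t sent = 0;
    icmp_err_limit_init(&l, interval_ms, burst, 0);
    for (uint64_t now = 0; now < duration_ms; now += period_ms)
        if (icmp_err_allowed(&l, now))
            sent++;
    return sent;
}

int main(void)
{
    /* Default limiter from the message: 100 ms interval, burst of 10. */
    uint32_t sent = icmp_err_simulate(100, 10, 1, 10000);
    printf("10 s of 1000 pps provocation: %u ICMP errors sent\n", sent);
    printf("sustained at 64 bytes:  %llu bps\n",
           (unsigned long long)icmp_err_sustained_bps(100, 64));
    printf("sustained at 576 bytes: %llu bps\n",
           (unsigned long long)icmp_err_sustained_bps(100, 576));
    return 0;
}
```

Two things fall out of running it. First, an attacker offering 1000 error-provoking packets per second for ten seconds gets 109 errors back: the initial burst of 10 plus one per 100ms interval thereafter, so the offered load is irrelevant beyond the first few milliseconds. Second, changing the message size from 64 to 576 bytes moves the sustained rate from about 5 Kbps to about 46 Kbps, which is the comparison the message makes; only shortening the interval (the "timers") changes the picture materially.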