search for: ratelimit

Displaying 20 results from an estimated 138 matches for "ratelimit".

2013 Nov 06
1
Frequent RRL false negatives when using multiple server processes on Linux
...se how to use Response Rate Limiting on a server which has multiple NSD server processes (nsd.conf server section has server-count > 1). We have a problem with NSD v3.2.16 repeatedly unblocking and blocking again a single source which is flooding positive queries at a ~steady 700 qps rate. rrl-ratelimit setting is the default 200 qps. The unblock-block happens multiple times a minute. This is causing false negatives: NSD bursts out 200 responses on every unblock: Nov 6 10:11:18 dnstest1 nsd[6881]: ratelimit block demo.funet.fi. type positive target 193.166.5.0/24 query 193.166.5.1 NS Nov 6 10...
2009 Dec 05
2
git - compile error ratelimit - missing include <linux/ratelimit.h>
Building today in git - kernel 2.6.32 (git) + nouveau (git). Failed as nouveau_irq.c doesn't include <linux/ratelimit.h> Added the include to nouveau_irq.c and was able to compile... not sure that's where it ought to go.
2004 Feb 10
22
Re: [Shorewall-newbies] specific log-prefix ... patch
Let's move this to the Shorewall Development list.... On Tuesday 10 February 2004 03:14 pm, xavier wrote: > here is a patch to allow this : > |ACCEPT<10/sec:20>:debug fw lan:$ntp_servers udp 123 - - - - ntp > > a problem with the patch is that now the logprefix is mandatory. > i'm trying to debug it, but i can't find the flaw. Also, with
2005 Feb 03
0
best patch for iptables ratelimiting
According to the F.A.Q. there's a patch to do ratelimiting: http://etudiant.univ-mlv.fr/~jpetazzo/bytelimit.tgz Going with the thought that this is current..I tried it. I wasn't able to get it to compile, as support for invert was causing a failure(i think). But i was able to get it to compile when I changed line 73 and my box loaded the modu...
2011 Aug 08
0
[PATCH] Btrfs: ratelimit the generation printk for the free space cache
A user reported getting spammed when moving to 3.0 by this message. Since we switched to the normal checksumming infrastructure all old free space caches will be wrong and need to be regenerated so people are likely to see this message a lot, so ratelimit it so it doesn't fill up their logs and freak them out. Thanks, Reported-by: Andrew Lutomirski <luto@mit.edu> Signed-off-by: Josef Bacik <josef@redhat.com> --- fs/btrfs/free-space-cache.c | 12 +++++++----- 1 files changed, 7 insertions(+), 5 deletions(-) diff --git a/fs/...
2017 Sep 12
2
[PATCH] drm: qxl: ratelimit pr_info message, reduce log spamming
...xample code illustrates this: int main(void) { int fd = open("/dev/dri/card0", O_RDONLY); if (fd == -1) err(1, "open failed"); for (;;) { void *m = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0); if (m != MAP_FAILED) munmap(m, 4096); } } Reduce the spamming by ratelimiting the pr_info messages. Signed-off-by: Colin Ian King <colin.king at canonical.com> --- drivers/gpu/drm/qxl/qxl_ttm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/qxl/qxl_ttm.c b/drivers/gpu/drm/qxl/qxl_ttm.c index 7ecf8a4b9fe6..6502e699f462 100644 --...
2013 Feb 04
1
NSD 3.2.15 released (+RRL)
...also because of specifics of the NSD architecture, it is an independent implementation. The implementation shares the main ideas that prevent false positives: the fallback to TCP and a fine grained (albeit different) query classification mechanism. See https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/ for some of the details. RRL is not enabled by default. Although we are confident about code stability, did extensive testing, and performed a usual beta-release cycle which gave the code exposure, the methodology is rather new and there is relatively little operational experience. You can enab...
2017 Sep 12
0
[PATCH] drm: qxl: ratelimit pr_info message, reduce log spamming
...open failed"); > > for (;;) { > void *m = mmap(NULL, 4096, PROT_READ, > MAP_SHARED, fd, 0); > if (m != MAP_FAILED) > munmap(m, 4096); > } > } > > Reduce the spamming by ratelimiting the pr_info messages. > > Signed-off-by: Colin Ian King <colin.king at canonical.com> > --- > drivers/gpu/drm/qxl/qxl_ttm.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/qxl/qxl_ttm.c b/drivers/gpu/drm/qxl/qxl_ttm.c > inde...
2017 Sep 12
1
[PATCH] drm: qxl: ratelimit pr_info message, reduce log spamming
On Tue, Sep 12, 2017 at 03:02:04PM +0100, Emil Velikov wrote: > That said, I'm not sure how useful the information is - perhaps it's > better to drop it all together? Or a WARN_ONCE(). regards, dan carpenter
2020 Feb 05
1
[PATCH] drm/virtio: ratelimit error logging
...p->type >= cpu_to_le32(VIRTIO_GPU_RESP_ERR_UNSPEC)) { struct virtio_gpu_ctrl_hdr *cmd; cmd = (struct virtio_gpu_ctrl_hdr *)entry->buf; - DRM_ERROR("response 0x%x (command 0x%x)\n", - le32_to_cpu(resp->type), - le32_to_cpu(cmd->type)); + DRM_ERROR_RATELIMITED("response 0x%x (command 0x%x)\n", + le32_to_cpu(resp->type), + le32_to_cpu(cmd->type)); } else DRM_DEBUG("response 0x%x\n", le32_to_cpu(resp->type)); } -- 2.18.1
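Review bot: With DRM_ERROR_RATELIMITED in the error branch, responses dropped during a burst are lost entirely, including ones whose resp->type / cmd->type pair differs from anything already logged. If the distinct error codes matter for diagnosis, say in the commit message that losing them is acceptable, or keep a count of suppressed responses so the log still shows how many errors occurred.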
2006 Aug 19
9
SSH scans vs connection ratelimiting
Gang, For months now, we're all seeing repeated bruteforce attempts on SSH. I've configured my pf install to ratelimit TCP connections to port 22 and to automatically add IP-addresses that connect too fast to a table that's filtered: table <lamers> { } block quick from <lamers> to any pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 modulate state (source-track rule max-s...
2004 Feb 13
6
Error: Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG
...usage, but only the general use of Accept_good_source... same goes for userset... as each rule will give one iptables command, I believe there is no limitation ... Is that right ? I tried : @@ -3086,8 +3090,8 @@ fi ;; *) - [ -n "$ratelimit" ] && fatal_error \ - "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG" + # [ -n "$ratelimit" ] && fatal_error \ + # "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and...
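Review bot: Commenting out the [ -n "$ratelimit" ] && fatal_error check in the *) branch disables the validation for every target that falls through to the default case, so a rate limit attached to an action that cannot honour it is accepted silently instead of being rejected. Keep the check in *) and handle the new action in its own case branch ahead of it; if the check really is to go, delete the lines rather than leaving them commented out.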
2015 Sep 01
3
poor performance with dom0 on centos7
...e already done what is described on http://wiki.xenproject.org/wiki/Tuning_Xen_for_Performance It is better now but still significantly worse than with centos6 dom0 my settings: xen parameter: dom0_mem=1024M cpufreq=xen dom0_max_vcpus=2 dom0_vcpus_pin xl sched-credit Cpupool Pool-0: tslice=30ms ratelimit=1000us Name ID Weight Cap Domain-0 0 1024 0 samael 1 256 0 satan 2 512 0 amon 3 256 0 leviathan...
2019 Dec 28
2
tinydns to nsd
..."" zonelistfile: "/var/lib/nsd/zone.list" xfrdir: "/var/lib/nsd/tmp/" xfrd-reload-timeout: 1 log-time-ascii: yes round-robin: yes verbosity: 0 ip-address: "127.0.0.53" rrl-size: 1000000 rrl-ratelimit: 200 rrl-slip: 2 rrl-ipv4-prefix-length: 24 rrl-ipv6-prefix-length: 64 rrl-whitelist-ratelimit: 2000 zonefiles-check: yes zonefiles-write: 3600 remote-control: control-enable: yes control-port: 8952 server-key-file: "/etc...
2018 Feb 09
3
[PATCH] mm/page_poison: move PAGE_POISON to page_poison.c
...********** mm/page_alloc.c ************/ #define TAIL_MAPPING ((void *) 0x400 + POISON_POINTER_DELTA) diff --git a/mm/page_poison.c b/mm/page_poison.c index e83fd44..8aaf076 100644 --- a/mm/page_poison.c +++ b/mm/page_poison.c @@ -7,6 +7,12 @@ #include <linux/poison.h> #include <linux/ratelimit.h> +#ifdef CONFIG_PAGE_POISONING_ZERO +#define PAGE_POISON 0x00 +#else +#define PAGE_POISON 0xaa +#endif + static bool want_page_poisoning __read_mostly; static int early_page_poison_param(char *buf) -- 2.7.4
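Review bot: The PAGE_POISON definition added after the includes in mm/page_poison.c is now private to that file, so any other user that picked it up through <linux/poison.h> will stop building. The change should state that no users remain outside page_poison.c. A one-line comment above the #ifdef saying why CONFIG_PAGE_POISONING_ZERO selects 0x00 instead of 0xaa would also help, since the header context that explained the poison values no longer sits next to the define.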
2020 Feb 11
1
[PATCH 39/62] x86/sev-es: Harden runtime #VC handler for exceptions from user-space
On Tue, Feb 11, 2020 at 5:53 AM Joerg Roedel <joro at 8bytes.org> wrote: > > From: Joerg Roedel <jroedel at suse.de> > > Send SIGBUS to the user-space process that caused the #VC exception > instead of killing the machine. Also ratelimit the error messages so > that user-space can't flood the kernel log. What would cause this? CPUID? Something else? --Andy
2012 Jun 10
1
Rate-limiting in nsd?
People are proposing rate-limiting built into BIND, to defend against some DoS attacks (a proposal <http://fanf.livejournal.com/122111.html> and its implementation <https://github.com/fanf2/bind-9/blob/master/doc/misc/ratelimiting>). What is the current thinking for NSD? (It is a truly open question, do not take it as "this guy requires rate-limiting in NSD".)