On Monday 2010-03-22 18:16, Patrick McHardy wrote:

>>
>> I used brctl to build the bridge. The DoS machine has a custom-built
>> tool that allows me to send small packets at very fast rates. I've
>> discovered that bridging still works reliably at around 300 kpackets/s
>> (notice the 'k' in there). However, as said before, I was trying to
>> limit the amount of packets/s, so I used netfilter's hashlimit module.
>> This is when packet drops started to appear.
>>
>> At around 300 kpps, the amount of packet drops is 40 kpps. For me, this
>> amount is too significant to ignore. I see the load average go from a
>> comfortable 0.00 to 1.78, mainly caused by ksoftirqd processes. At 200
>> kpps, the average amount of packet drops is 23 kpps. At 100 kpps, it's
>> still 2 kpps.
>
> A couple of suggestions:
>
> - try the limit module in case you don't actually need per-source/dest etc.
>   limiting but just a global limit

The token-per-jiffy math logic used in xt_limit and some other modules is
known to be inaccurate at high speeds. My suggestion is therefore to try
xt_rateest instead, which has a somewhat different logic.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
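The xt_rateest alternative suggested above, written out as an added iptables example that is not from this thread. It assumes a bridge named br0 with br_netfilter handing bridged frames to iptables (which the reporter's hashlimit rule already required), and uses the 300 kpps figure from the report as the threshold; the bridge name, threshold and estimator name are placeholders.

```shell
#!/bin/sh
# Added example: a global packets-per-second gate on a bridge using
# xt_rateest (RATEEST target + rateest match) instead of xt_limit/hashlimit.
# Assumptions: bridge br0, br_netfilter passes bridged frames to iptables,
# threshold 300000 pps. Rules are printed unless DRY_RUN=0 (then applied,
# which needs root and the xt_RATEEST/xt_rateest modules).
BRIDGE="${BRIDGE:-br0}"
LIMIT_PPS="${LIMIT_PPS:-300000}"
ESTIMATOR="${ESTIMATOR:-${BRIDGE}-in}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: attach an EWMA rate estimator to all frames entering via the bridge.
# --rateest-interval is how often the estimate is updated, --rateest-ewmalog
# the averaging window; shorter values react faster but are noisier.
# Step 2: in FORWARD, drop while the estimated pps is above the threshold.
# Unlike a token bucket this is a threshold on a moving average: once the
# estimate exceeds LIMIT_PPS, everything is dropped until it falls back
# below, so it gates a flood rather than shaping it to exactly LIMIT_PPS.
rateest_rules() {
    run iptables -t mangle -A PREROUTING -i "$BRIDGE" -j RATEEST \
        --rateest-name "$ESTIMATOR" --rateest-interval 250ms --rateest-ewmalog 0.5s
    run iptables -A FORWARD -i "$BRIDGE" -m rateest --rateest "$ESTIMATOR" \
        --rateest-gt --rateest-pps "$LIMIT_PPS" -j DROP
}

# Remove the two rules again (same dry-run behaviour).
rateest_rules_remove() {
    run iptables -D FORWARD -i "$BRIDGE" -m rateest --rateest "$ESTIMATOR" \
        --rateest-gt --rateest-pps "$LIMIT_PPS" -j DROP
    run iptables -t mangle -D PREROUTING -i "$BRIDGE" -j RATEEST \
        --rateest-name "$ESTIMATOR" --rateest-interval 250ms --rateest-ewmalog 0.5s
}

# Usage: sh rateest.sh           (prints the rules)
#        DRY_RUN=0 sh rateest.sh (applies them)
rateest_rules
```

Run with DRY_RUN=1 first to review the generated rules; the estimator must be installed in mangle/PREROUTING before the rateest match in FORWARD can reference it.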