Page MenuHomeVyOS Platform
Create Task
Maniphest T4557

fastnetmon: allow configure limits per protocol (tcp, udp, icmp)
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Fastnetmon allows configurin limits per protocol like this:

threshold_tcp_mbps = 100000
threshold_udp_mbps = 100000
threshold_icmp_mbps = 100000

threshold_tcp_pps = 100000
threshold_udp_pps = 100000
threshold_icmp_pps = 100000

ban_for_tcp_bandwidth = off
ban_for_udp_bandwidth = off
ban_for_icmp_bandwidth = off

ban_for_tcp_pps = off
ban_for_udp_pps = off
ban_for_icmp_pps = off

Can this be off interest to do the work and add it to vyos?

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Improvement (missing useful functionality)

Event Timeline

aalmenar created this task.Jul 21 2022, 7:07 PM
aalmenar created this object in space S1 VyOS Public.
aalmenar updated the task description. (Show Details)
Viacheslav added a project: VyOS 1.4 Sagitta.Jul 22 2022, 12:51 AM
Viacheslav changed the subtype of this task from "Task" to "Feature Request".
pasik added a subscriber: pasik.Jul 22 2022, 5:32 PM
Viacheslav added a subscriber: Viacheslav.Sep 6 2022, 9:13 AM

As we have threshold it seems require migration threshold => threshold general

vyos@r14# set service ids ddos-protection threshold 
Possible completions:
   fps                  Flows per second
   mbps                 Megabits per second
   pps                  Packets per second

New proposed syntax:

vyos@r14# set service ids ddos-protection threshold general
Possible completions:
   fps                  Flows per second
   mbps                 Megabits per second
   pps                  Packets per second

vyos@r14# set service ids ddos-protection threshold tcp|udp|icmp
Possible completions:
   fps                  Flows per second
   mbps                 Megabits per second
   pps                  Packets per second
Viacheslav changed the task status from Open to In progress.Sep 6 2022, 9:14 AM
Viacheslav claimed this task.
Viacheslav added a comment.EditedSep 16 2022, 4:31 PM

PR https://github.com/vyos/vyos-1x/pull/1545
PR https://github.com/vyos/vyatta-cfg-system/pull/185

set service ids ddos-protection direction 'in'
set service ids ddos-protection listen-interface 'eth1'
set service ids ddos-protection mode mirror
set service ids ddos-protection threshold general fps '1000'
set service ids ddos-protection threshold general mbps '200'
set service ids ddos-protection threshold general pps '150000'
set service ids ddos-protection threshold tcp fps '25'
set service ids ddos-protection threshold tcp mbps '55'
set service ids ddos-protection threshold tcp pps '155'
set service ids ddos-protection threshold udp fps '100'
set service ids ddos-protection threshold udp mbps '100'
set service ids ddos-protection threshold udp pps '100'
set service ids ddos-protection threshold icmp fps '200'
set service ids ddos-protection threshold icmp mbps '210'
set service ids ddos-protection threshold icmp pps '2040'

Expected fastnermon config entries:

# General threshold
ban_for_flows = on
threshold_flows = 1000
ban_for_bandwidth = on
threshold_mbps = 200
ban_for_pps = on
threshold_pps = 150000

# TCP threshold
ban_for_tcp_flows = on
threshold_tcp_flows = 25
ban_for_tcp_bandwidth = on
threshold_tcp_mbps = 55
ban_for_tcp_pps = on
threshold_tcp_pps = 155

# UDP threshold
ban_for_udp_flows = on
threshold_udp_flows = 100
ban_for_udp_bandwidth = on
threshold_udp_mbps = 100
ban_for_udp_pps = on
threshold_udp_pps = 100

# ICMP threshold
ban_for_icmp_flows = on
threshold_icmp_flows = 200
ban_for_icmp_bandwidth = on
threshold_icmp_mbps = 210
ban_for_icmp_pps = on
threshold_icmp_pps = 2040
Viacheslav changed the task status from In progress to Needs testing.Sep 27 2022, 7:31 AM
Viacheslav closed this task as Resolved.Sep 27 2022, 12:52 PM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.
Viacheslav added a comment.Sep 28 2022, 3:09 PM

PR https://github.com/vyos/vyos-1x/pull/1565