perfsonar / bwctl

A scheduling and policy framework for measurement tools
Apache License 2.0

extended limit definitions #8

Closed arlake228 closed 3 years ago

arlake228 commented 9 years ago

From @arlake228 on March 14, 2015 12:22

Original issue 930 created by arlake228 on 2014-06-11T14:04:28.000Z:

Right now the limits file for bwctl allows for restricting users to a particular amount of throughput or disk. A useful addition to this would be adding the ability to restrict the number of tests a particular user or source is able to run in a given timeframe. Some examples in plain English would be:

192.168.13.0/24 can only run 1 bwctl per hour

140.182.44.26/32 can run no more than 10 tests in a 24 hour period.

The desired goal of this would be to prevent nodes that are set up for ad hoc testing from being continuously tested against by a small amount of users thus delaying or making other users’ tests not runnable.

This might not be used too frequently but would be a means to help administrators keep their hosts from being slammed by a particular user either maliciously or inadvertently.

Copied from original issue: perfsonar/project#928

arlake228 commented 9 years ago

Comment #1 originally posted by arlake228 on 2015-01-27T14:51:00.000Z:

<empty>

arlake228 commented 9 years ago

Comment #2 originally posted by arlake228 on 2015-01-30T19:51:34.000Z:

Issue 943 has been merged into this issue.

arlake228 commented 9 years ago

Another request is to limit which tools can run on which interfaces. The following was requested from Murilo Vetter:

I am wondering if there is a way to configure BWCTL limits to limit bwctl to answer to one specific interface to ping and to another specific interface to traceroute, for example. I was thinking that there would be a way to do it by bwctl limits. Do you know if that is possible?

HakanCalimFau commented 9 years ago

Here is a suggestion in bwctl 2.0 limits for test per hour and allow interfaces:

<class "root_users">

# No parent class

# Applies to all tests
<default_limits>
    duration     60
    bandwidth    100M
    allow_tests_per_hour    3 # 3600 sec / 3 > allow a test every 20 min
</default_limits>

# Applies to all throughput tests (i.e. iperf, iperf3, nuttcp), overriding
# the defaults. Note: unlike in the previous syntax, you can go above the
# defaults.
<limits "throughput">
    duration      30
    bandwidth     10G
    allow_udp_throughput     on
    allow_local_interfaces  [127.0.0.1,a.b.x.y] # Allow tests from these interfaces
</limits>

# Applies to all latency tests (i.e. ping and owamp).
<limits "latency">
    # Only permit latency tests of 100 pps or less
    packets_per_second      100
    allow_local_interfaces  [c.d.e.f] # Allow tests from this interface
</limits>

arlake228 commented 9 years ago

The overall idea is correct but one syntax change: Apache config format has you define lists by specifying the property multiple times. That means the proper way to allow multiple interfaces would be something like:

<limits "throughput">
    duration      30
    bandwidth     10G
    allow_udp_throughput     on
    allow_local_interface  127.0.0.1
    allow_local_interface  a.b.x.y
</limits>

HakanCalimFau commented 9 years ago

OK. I can add this to limits by the end of next week.

arlake228 commented 9 years ago

Hakan, before you do anything, why don't you and I schedule a meeting to talk. I'd like to discuss the overall limits code before we go much further. We can figure out details over email.

igarny commented 9 years ago

Guys some comments from my side:

I support the request from Murilo, but in another aspect (at least not with traceroute involved). Since the idea is to transition to bwping for latency tests and if I am not completely misunderstanding it here, port 4823 would be shared for both performance tests: OWD and throughput.

1) I would like to be able to designate interfaces to specific measurements and to block incoming requests that are not designated on this interface.

<limits "throughput">
    ...............
    .................
    allow_local_interface 127.0.0.1
    allow_local_interface a.b.x.y

<limits "owd">
    ...............
    .................
    allow_local_interface 127.0.0.1
    allow_local_interface a.b.x.y

Probably Murilo would define it:

<limits "traceroute">
    ...............
    .................
    allow_local_interface 127.0.0.1
    allow_local_interface a.b.x.y

2) I see Andy is already considering the case where multiple interfaces are assigned to specific services. https://github.com/perfsonar/bwctl/issues/12 Probably the ticket should be redirected to here.

<limits "throughput">
    duration 30
    bandwidth 10G
    allow_udp_throughput on
    allow_local_interface 127.0.0.1
    allow_local_interface a.b.x.y

3) Please also for the implementation consider distinguishing cases where a physical interface is shared between multiple virtual interfaces, as in the case with eth0 and eth1. I am open for other solutions as well.

<limits "throughput">
    ...............
    .................
    allow_local_interface 127.0.0.1
    allow_local_interface eth0:a.b.x.y
    allow_local_interface eth0:a.x.y.b
    allow_local_interface eth0:a.b.y.x
    allow_local_interface eth1:z.z.z.y

4) As a comment only: In the example from Andy I do not see a rate limiter in number of tests being initiated. I am not that much worried about it, since there are already solutions (fail2ban for instance), that can deal with this problem.

Best regards, Ivan

arlake228 commented 9 years ago

1) I think that's maybe what is already proposed? or is your suggestion that you'd like to be able to split to "throughput", "latency" and "traceroute" types so you can limit specifically on the tool used (e.g. owamp, ping, iperf, iperf3, traceroute, tracepath, etc)?

2) Issue #12 is separate. That is about binding the interfaces the control port (port 4823) listens on. This is about authorizing which interfaces different types of tests are allowed to test to. The control channel and data channels are separate in BWCTL.

3) What is already proposed should handle this. Every interface (virtual or physical) should have an IP address. I don't believe adding the interface provides any additional information since you can't have two interfaces with the same address and expect basic IP routing to still work.

4) I agree we should explore rate limiting more. I don't think Hakan needs to do that as part of his work limiting by interface since it's orthogonal, but definitely something we need to look at going forward.
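
Added example (not code from bwctl or from anyone in this thread): a Python sketch of the per-test-type interface authorization discussed above, reading `<limits "type">` blocks in which `allow_local_interface` is repeated once per address, as in the Apache-style syntax. The sample addresses are constructed, and denying a test type that lists no interface is an assumption of this sketch.

```python
import ipaddress
import re

# Constructed sample in the syntax proposed in this thread; the addresses
# are documentation-range placeholders, not values from the issue.
SAMPLE = '''
<limits "throughput">
    duration      30
    bandwidth     10G
    allow_udp_throughput     on
    allow_local_interface  127.0.0.1
    allow_local_interface  192.0.2.10
</limits>
<limits "latency">
    packets_per_second      100
    allow_local_interface  198.51.100.7   # trailing comment
</limits>
'''

OPEN = re.compile(r'<limits\s+"([^"]+)">')

def parse_limits(text):
    """Return {test_type: {key: [values]}}; a repeated key appends a value."""
    blocks, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        opened = OPEN.fullmatch(line)
        if opened:
            current = blocks.setdefault(opened.group(1), {})
        elif line == "</limits>":
            current = None
        elif current is None:
            raise ValueError(f"line {lineno}: directive outside <limits>")
        else:
            key, *rest = line.split(None, 1)
            current.setdefault(key, []).append(rest[0] if rest else "")
    return blocks

def interface_allowed(blocks, test_type, local_addr):
    """True only if local_addr is listed for test_type (assumed fail-closed).
    A listed value that is not an IP address raises ValueError."""
    listed = blocks.get(test_type, {}).get("allow_local_interface", [])
    allowed = {ipaddress.ip_address(value) for value in listed}
    return ipaddress.ip_address(local_addr) in allowed
```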

igarny commented 9 years ago

Hakan, please ignore point 3 of my request. I am going to open it as another issue. Also as Andy defined it point 4 is also to be ignored.

HakanCalimFau commented 9 years ago

Added limits allow_local_interface and test_frequency. Test frequency allows only integers at the moment. The idea of Aaron was to use something like this:

    test_frequency 4/24h

means 4 tests a day. Do we need more letters to describe test frequency?

Need some more tests for checking limits with server.

mfeit-internet2 commented 9 years ago

ISO 8601 defines a standard format for durations. I would advise using that instead of rolling your own, as there will be libraries available to parse/unparse it. Most databases with an INTERVAL type understand it, too, which will be useful if we ever go that way.
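
Added example (not bwctl code): a Python sketch of `test_frequency` written as a count over an ISO 8601 duration and enforced as a sliding window per source prefix, using the two plain-English rules from the original issue. The `N/duration` spelling, sharing one budget across a whole prefix, and leaving unmatched sources unlimited are assumptions of this sketch.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Subset of ISO 8601 durations: fixed-length units only (no years or months).
ISO_DURATION = re.compile(
    r"P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")
UNIT_SECONDS = (604800, 86400, 3600, 60, 1)

def parse_test_frequency(value):
    """'4/PT24H' -> (4, 86400). Hypothetical syntax, not bwctl's own."""
    count, sep, duration = value.partition("/")
    m = ISO_DURATION.fullmatch(duration)
    if not (sep and count.isdigit() and m and any(m.groups())):
        raise ValueError(f"bad test_frequency: {value!r}")
    window = sum(int(g) * s for g, s in zip(m.groups(), UNIT_SECONDS) if g)
    if window == 0:
        raise ValueError("zero-length window")
    return int(count), window

class SourceRateLimiter:
    def __init__(self, rules):
        # rules: [(cidr, "N/duration")]; the most specific prefix is tried first
        self.rules = sorted(
            ((ipaddress.ip_network(c), *parse_test_frequency(f)) for c, f in rules),
            key=lambda rule: rule[0].prefixlen, reverse=True)
        self.history = defaultdict(deque)

    def allow(self, source, now):
        """now: seconds from a monotonic clock supplied by the caller."""
        addr = ipaddress.ip_address(source)
        for net, limit, window in self.rules:
            if addr.version == net.version and addr in net:
                seen = self.history[net]      # budget shared by the prefix
                while seen and seen[0] <= now - window:
                    seen.popleft()            # forget tests outside the window
                if len(seen) >= limit:
                    return False              # denied tests are not recorded
                seen.append(now)
                return True
        return True   # assumption: a source with no rule is unlimited
```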

mfeit-internet2 commented 9 years ago

(Sorry, whacked the wrong button.)