
Re: Ques on Diffserv on egress side only [Jamal pls read]

> > to prevent several case of DoS attacks but new (2.4)
> > kernel has support for it in its netfilter.
> You mean apart from ingress qdisc?

yes. new firewall code can select packets not only
by their content but also can measure their rate.
For example:
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
see also --limit-burst

> > is your router which has this setup:
> >                                    ---->--link1
> > [Box1]-->--link-->--[Queues][Box2]-+--->--link2
> >                                    ---->--link3
> >
> So does it make a difference if you do:
>                                     ---->--link1
> [Box1]-->--link-->--[Box2][Queues] -+--->--link2
>                                     ---->--link3
> ?
> I am almost (99%) sure it doesn't. I'll give you the 1%.

thanks for 1% chance ;-). Yes it WOULD be the same. but
your proposal can't be done in linux. Instead linux will
do it in this way:

There is no possibility to have a common queue for multiple
output ifaces.
So I solved it by the theorem you already said: it is the
same to have a common queue for multiple ifaces or to have
an ingress queue.
Implementing a common queue for two ifaces is a very complex task
(almost unrealisable) but implementing an ingress queue is simple.

> -> DMA -> backlog_queue -> Devik's_ingress_queue_here -> egress_queue).
> As you can see above, delaying them at the Devik's_ingress_queue_here or
> egress_queue would not make a difference. This is a shared bus media and

Yes but I'm not doing it for timing reasons or because I just
like to have a queue at ingress. I only want to implement the pictures
above - to have one queue for some aggregate flow. It is a hack
but it is probably the only way to do it.
Is it more clear now? Do you have another idea how to implement them?

regards, devik
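
An added example, not part of the original message: a small Python model of how the `limit` match in the rule above decides per packet, written as a token bucket with integer millisecond credit. The class and function names and the arrival times are constructed for illustration; the default burst of 5 is the documented iptables default for `--limit-burst`.

```python
"""Token-bucket model of `-m limit --limit N/s --limit-burst B` (illustrative)."""


class LimitMatch:
    def __init__(self, per_second, burst=5):
        self.cost = 1000 // per_second   # credit (in ms) one match consumes
        self.cap = self.cost * burst     # bucket size set by --limit-burst
        self.credit = self.cap           # bucket starts full
        self.last_ms = None

    def matches(self, now_ms):
        # Credit refills with elapsed time, never above the burst cap.
        if self.last_ms is not None:
            elapsed = now_ms - self.last_ms
            self.credit = min(self.cap, self.credit + elapsed)
        self.last_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def classify(arrivals_ms, per_second=1, burst=5):
    """Verdict per packet for a rule ending in `-m limit ... -j ACCEPT`.

    A packet over the limit does not match the rule, so it is not dropped
    here: it falls through to the next rule or the chain policy. The rule
    only throttles if something later in the chain drops the remainder.
    """
    m = LimitMatch(per_second, burst)
    return ["ACCEPT" if m.matches(t) else "FALLTHROUGH" for t in arrivals_ms]


# Constructed input: ten echo-requests 100 ms apart, then one at t = 3 s.
FLOOD = [i * 100 for i in range(10)] + [3000]

if __name__ == "__main__":
    for t, verdict in zip(FLOOD, classify(FLOOD)):
        print(f"{t:5d} ms  {verdict}")
```

With `--limit 1/s` and the default burst, the first five packets of the flood are accepted before the rate takes effect, which is why `--limit-burst` matters when the goal is a strict rate.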