[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Ques on Diffserv on egress side only [Jamal pls read]

> > > > to prevent several case of DoS attacks but new (2.4)
> > > > kernel has support for it in it's netfilter.
> According to
> http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO-7.html
> they are slightly different. In any case, you can use ingress qdisc with
> any of the classifiers whereas that code is limited to iptables.
> It is probably time to start unifying some of these things to avoid
> some of the redundancy (although there is no redundancy here that i see)

Yes, as you can see above my reaction was to DoS attack filters.
And such thing is more clear to be in iptables - moreover QoS
ingres code works only for IP packets, doesn't it ?
(because it is called from firewall stuff)

> Maybe i misunderstood the requirement. You want to have some rate limiting
> on ingress, from BOX2, common to all customers(link1-3 on egress), if all
> are using their allocated bandwidth. If they dont, you want whoever is
> available to use their bandwidth. Is that correct?
> So this is solved by a combination of ingress marking/policing + spme
> egress action e.g slow down excess traffic etc.
> Yes, ingress queueing will also achieve this, the question is: Is it
> necessary?

yes the requirement fits. I will show you how I do it now. It works
and try to tell me how would you implement it using ingres marking,
ok ?

[ISP's cisco]->-wireless->-[INGQ][Linux]+-->--modemlink2

We will consider only packets flowing from ISP to modemlinks
(see arrows). The agreement with ISP says that we can use
rate 256kbit. When we exceed it they start limiting it by
dumb (not flow aware) dropping. So wireless link has capacity
2Mbit but we can use only 256kbit.
Modemlink[1-3] can use: link1: 128kbit, link2,3: 64kbit
When some link doesn't use it's full bw, it is assigned
to other two (proporionaly).
The solution MUST ensure that each TCP flow takes roughly
equal BW.
I do it by ingres queue [INGQ]. It is 
classfull TBF handle 1: rate 256kbit. It has WRR as child.
WRR has 3 classes with weights 1500:750:750. Each class
has SFQ as it's qdisc. The SFQ is hacked so it can have
backlog at most 3 packets for each flow.
>From my masurements it works to exactly fit requirements.
I just CAN'T find way how to do it by ingres marking only.
Have you know some ?