SYN policing using ingress qdisc
I am using the SYN-DoS.rate.limit script listed in the examples directory of the
iproute2 package to set up SYN policing. But it doesn't seem to work as expected.
The commands executed are as follows:
    iptables -A PREROUTING -i eth1 -t mangle -p tcp --syn -j MARK --set-mark 1
    tc qdisc add dev eth1 handle ffff: ingress
    tc filter add dev eth1 parent ffff: protocol ip prio 50 handle 1 fw police \
        rate 1kbit burst 40 mtu 9k drop flowid :1
With the above configuration, incoming SYNs should be restricted to 3/sec as
per the comments in the script. But it is not happening, even though the rate of
SYNs far exceeds 3 packets per second.
When I reduce the mtu to 7k, every SYN is getting dropped and the overlimit
counter is getting increased, as seen with the tc -d -s option.
I am using a 2.4 kernel and the latest iproute2 (001007) on a Pentium 260 MHz
machine. PSCHED_CLOCK_SOURCE is defined as PSCHED_CPU.
I have a few questions about the options passed to tc filter.
1. How does mtu change the behaviour of policing?
2. Is it possible to have a burst value of 0?
Also I noticed the following piece of code in tc, in the file m_police.c:

    if (p.rate.rate && !buffer) {
        fprintf(stderr, "\"burst\" requires \"rate\".\n");
        return -1;
    }
I guess the above if statement should be

    if (buffer && !p.rate.rate)
Thanks
Sridhar
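Added illustration (not from the original message and not iproute2 or kernel code): a small Python model of how the rate, burst and mtu parameters of a tc police filter interact, fed with the script's values. It follows the documented policer semantics (the bucket holds at most burst bytes, refills at rate, and a packet longer than mtu is always treated as over limit) to show the nominal ~3 SYN/s the script's comment describes; the 60-byte SYN length and the 100 SYN/s flood are constructed inputs, and the model does not attempt to explain why the poster's setup behaves differently.

```python
from fractions import Fraction


class TokenBucketPolicer:
    """Simplified model (assumed, for illustration) of
    'tc filter ... police rate R burst B mtu M drop'.

    rate_bps - refill rate in bits per second ('rate 1kbit' = 1000)
    burst    - bucket depth in bytes ('burst 40' = 40 bytes)
    mtu      - packets longer than this are always over limit
    """

    def __init__(self, rate_bps, burst, mtu):
        self.rate = Fraction(rate_bps, 8 * 1_000_000)  # bytes per microsecond
        self.burst = burst
        self.mtu = mtu
        self.tokens = Fraction(burst)  # bucket starts full
        self.t_c = 0                   # time of last conforming packet (us)
        self.overlimits = 0            # the counter 'tc -s' shows as overlimits

    def police(self, now_us, length):
        """Return 'pass' or 'drop' for a packet of `length` bytes at `now_us`."""
        if length <= self.mtu:
            # Refill since the last conforming packet, capped at burst bytes.
            refilled = self.tokens + (now_us - self.t_c) * self.rate
            tokens = min(Fraction(self.burst), refilled) - length
            if tokens >= 0:
                self.tokens = tokens
                self.t_c = now_us
                return "pass"
        # Longer than mtu, or not enough tokens: over limit, so 'drop' applies.
        self.overlimits += 1
        return "drop"


def simulate(policer, pkt_len, interval_us, duration_us):
    """Feed equally spaced packets of pkt_len bytes; return (passed, dropped)."""
    passed = dropped = 0
    for t in range(0, duration_us, interval_us):
        if policer.police(t, pkt_len) == "pass":
            passed += 1
        else:
            dropped += 1
    return passed, dropped


if __name__ == "__main__":
    # Constructed flood: one SYN every 10 ms (100/s) for 10 seconds.
    for label, burst, mtu, syn_len in [("40-byte SYN, burst 40", 40, 9216, 40),
                                       ("60-byte SYN, burst 40", 40, 9216, 60),
                                       ("60-byte SYN, mtu 50", 60, 50, 60)]:
        pol = TokenBucketPolicer(1000, burst, mtu)
        print(label, simulate(pol, syn_len, 10_000, 10_000_000), "overlimits", pol.overlimits)
```

With 40-byte SYNs the policer lets about 3 per second through; a SYN larger than the burst can never fit in the bucket, and one larger than mtu is over limit outright, so in both of those cases every SYN is dropped and only the overlimits counter moves.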