
SYN policing using ingress qdisc

I am using the SYN-DoS.rate.limit script listed in the examples directory
of the iproute2 package to set up SYN policing. But it doesn't seem to work
as expected.

The commands executed are as follows:

iptables -A PREROUTING -i eth1 -t mangle -p tcp --syn -j MARK --set-mark 1
tc qdisc add dev eth1 handle ffff: ingress
tc filter add dev eth1 parent ffff: protocol ip prio 50 handle 1 fw \
    police rate 1kbit burst 40 mtu 9k drop flowid :1

With the above configuration, incoming SYNs should be restricted to 3/sec
according to the comments in the script. But this is not happening, even
though the rate of SYNs far exceeds 3 per second.

When I reduce the mtu to 7k, every SYN gets dropped and the overlimit
counter increases, as seen with the tc -d -s option.

I am using a 2.4 kernel and the latest iproute2 (001007) on a 260 MHz Pentium.

I have a few questions about the options passed to tc filter.
1. How does mtu change the behaviour of policing?
2. Is it possible to have a burst value of 0?

Also I noticed the following piece of code in the tc code in the file

if (p.rate.rate && !buffer) {
     fprintf(stderr, "\"burst\" requires \"rate\".\n");
     return -1;
}

I guess the above if statement should be
     if (buffer && !p.rate.rate)
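As an added illustration (written for this page, not taken from the post above or from iproute2), here is an idealised token-bucket model in Python of what "police rate 1kbit burst 40 mtu 9k drop" is documented to mean: rate refills the bucket, burst is the bucket depth in bytes, and a packet larger than mtu is treated as overlimit no matter how many tokens are available. It assumes "1kbit" means 1000 bit/s (older tc versions read it as 1024; both give roughly 3 SYNs per second) and a 40-byte SYN (20-byte IPv4 header plus 20-byte TCP header, no options). The flood it feeds in is constructed. It deliberately does not reproduce the kernel's implementation, which maps packet size to token cost through a 256-entry rate table whose cell size tc derives from the mtu argument, so it cannot explain the 7k observation; it only shows where the 3/sec figure in the script's comments comes from, why a burst smaller than one packet admits nothing, and what the mtu bound does.

```python
# Added example (not from the post or from iproute2): an idealised
# token-bucket model of "police rate 1kbit burst 40 mtu 9k drop".
# Assumptions: "1kbit" = 1000 bit/s (older tc read it as 1024; both give
# roughly 3 SYNs/sec) and a 40-byte SYN (20-byte IPv4 + 20-byte TCP
# header, no options). Real tc/kernel code maps packet size to token cost
# through a 256-entry rate table whose cell size is derived from mtu;
# that quantisation is NOT modelled here.

SCALE = 1_000_000  # tokens are kept as integers: bits * microseconds


def tc_size(s: str) -> int:
    """Parse a tc-style size argument ('40', '9k', '1m') into bytes.
    tc uses binary units here: 9k == 9216 bytes."""
    units = {"k": 1024, "m": 1024 ** 2}
    s = s.strip().lower()
    if s[-1] in units:
        return int(s[:-1]) * units[s[-1]]
    return int(s)


class Policer:
    """Token bucket with the documented semantics of tc's police action:
    rate  - refill rate in bit/s
    burst - bucket depth in bytes (also the bucket's initial fill)
    mtu   - largest packet the policer accepts; bigger ones are overlimit
    """

    def __init__(self, rate_bps: int, burst_bytes: int, mtu_bytes: int):
        self.rate_bps = rate_bps
        self.burst = burst_bytes * 8 * SCALE   # depth in scaled bits
        self.mtu = mtu_bytes
        self.tokens = self.burst               # bucket starts full
        self.last_us = 0
        self.passed = 0
        self.overlimit = 0

    def packet(self, t_us: int, size: int) -> bool:
        """Account one packet of `size` bytes arriving at time t_us
        (microseconds). True = conforms (passes), False = overlimit (dropped)."""
        # Refill: rate_bps bits per second == rate_bps scaled bits per microsecond.
        self.tokens = min(self.burst, self.tokens + (t_us - self.last_us) * self.rate_bps)
        self.last_us = t_us
        cost = size * 8 * SCALE
        if size > self.mtu or cost > self.tokens:
            self.overlimit += 1
            return False
        self.tokens -= cost
        self.passed += 1
        return True


def simulate(rate_bps, burst_bytes, mtu_bytes, pps, seconds, pkt_size=40):
    """Offer `pps` packets/sec of `pkt_size` bytes for `seconds` seconds
    (a constructed SYN flood) and return (passed, overlimit)."""
    pol = Policer(rate_bps, burst_bytes, mtu_bytes)
    for i in range(pps * seconds):
        pol.packet(i * SCALE // pps, pkt_size)
    return pol.passed, pol.overlimit


def syns_per_second(rate_bps, pkt_size=40):
    """Steady-state admission rate: 1000 bit/s = 125 B/s -> 3.125 SYNs/s."""
    return rate_bps / 8 / pkt_size


if __name__ == "__main__":
    rate, burst, mtu = 1000, tc_size("40"), tc_size("9k")
    print("steady state:", syns_per_second(rate), "SYN/s")
    # As configured: the initial burst plus ~3/s -> 32 of 1000 pass in 10 s.
    print("burst 40, mtu 9k :", simulate(rate, burst, mtu, pps=100, seconds=10))
    # burst 0: the bucket can never hold one 40-byte SYN, so nothing passes.
    print("burst 0          :", simulate(rate, 0, mtu, pps=100, seconds=10))
    # mtu below the SYN size: every packet is overlimit regardless of tokens.
    print("mtu 30           :", simulate(rate, burst, 30, pps=100, seconds=10))
```

In this model the burst value has to be at least one packet's size for anything to pass at all, which is why a burst of 0 is useless for a policer; the script's choice of burst 40 is exactly one minimal SYN. Whether the real table-driven kernel code behaves the same at these tiny sizes is what the question above is about, and the model makes no claim either way.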