From: Thomas Graf <tgraf@suug.ch>
To: Jamal Hadi Salim <hadi@znyx.com>
Cc: netdev@oss.sgi.com, Nguyen Dinh Nam <nguyendinhnam@gmail.com>,
Remus <rmocius@auste.elnet.lt>, Andre Tomt <andre@tomt.net>,
syrius.ml@no-log.org, Andy Furniss <andy.furniss@dsl.pipex.com>,
Damion de Soto <damion@snapgear.com>
Subject: Re: dummy as IMQ replacement
Date: Mon, 31 Jan 2005 14:58:10 +0100 [thread overview]
Message-ID: <20050131135810.GC31837@postel.suug.ch> (raw)
In-Reply-To: <1107123123.8021.80.camel@jzny.localdomain>
> 2) Allows for queueing incoming traffic for shaping instead of
> dropping. I am not aware of any study that shows policing is
> worse than shaping in achieving the end goal of rate control.
> I would be interested if anyone is experimenting. Nevertheless,
> this is still an alternative as opposed to making a system wide
> ingress change.
Agreed, the problem should be solved on egress by delaying ACKs
so the other side's congestion control slows down. I still don't
have a solution which works for all ip stacks and ended up tuning
parameters based on TTL numbers guessing the operating system.
For me, the purpose of ingress policing is to apply some policy for
control datagrams and other unwanted traffic. One example would be
dropping echo requests comming from nmap which reduces egress
bandwidth consumption by 13% my border routers.
tc filter add dev $DEV parent ffff: protocol ip prio 10 \
u32 match u32 0x10000 0xff0000 at 8 \
match u32 0x1c 0xffff at 0 \
match u32 0x8000000 0xf000000 at 20 \
police mtu 1 drop flowid :1
I should convert this to actions at some point ;->
> --> Instead the plan is to have a contrack related action. This action
> will selectively either query/create contrack state on incoming packets.
> Packets could then be redirected to dummy based on what happens -> eg
> on incoming packets; if we find they are of known state we could send to
> a different queue than one which didnt have existing state. This
> all however is dependent on whatever rules the admin enters.
We could also do it in the meta ematch but this relies on the packet
already having passed the conntrack code. How do you plan to do this
in ingress?
> tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
> match ip src 192.168.200.200/32 flowid 1:2 \
> action police rate 10kbit burst 90k drop \
> action mirred egress mirror dev dummy0
This is extremely useful. I'm not sure but I think you also had plans
to allow mirroring to userspace?
> My goal here is to start a discussion to see if people agree this is
> a good replacement for IMQ or whether to go another path.
Sounds good to me. No complains from my side. I'll have a closer look
at the patch later on.
next prev parent reply other threads:[~2005-01-31 13:58 UTC|newest]
Thread overview: 126+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-30 22:12 dummy as IMQ replacement Jamal Hadi Salim
2005-01-31 8:20 ` Hasso Tepper
2005-01-31 12:25 ` jamal
2005-01-31 12:38 ` Hasso Tepper
2005-01-31 12:47 ` jamal
2005-01-31 13:02 ` Hasso Tepper
2005-01-31 13:28 ` Thomas Graf
2005-01-31 13:45 ` jamal
2005-01-31 14:06 ` Thomas Graf
2005-01-31 14:29 ` jamal
2005-01-31 13:39 ` jamal
2005-01-31 14:14 ` Hasso Tepper
2005-01-31 14:25 ` jamal
2005-01-31 14:46 ` Hasso Tepper
2005-01-31 15:34 ` jamal
2005-01-31 18:00 ` Lennert Buytenhek
2005-01-31 20:08 ` jamal
2005-01-31 13:58 ` Thomas Graf [this message]
2005-01-31 14:19 ` jamal
2005-01-31 15:15 ` Thomas Graf
2005-01-31 15:40 ` jamal
2005-01-31 15:59 ` Thomas Graf
2005-01-31 16:40 ` jamal
2005-01-31 18:15 ` Thomas Graf
2005-01-31 20:18 ` jamal
2005-01-31 22:53 ` Thomas Graf
2005-02-01 12:02 ` jamal
2005-02-01 12:51 ` Thomas Graf
2005-02-01 13:13 ` jamal
2005-02-01 22:44 ` Thomas Graf
2005-02-02 14:24 ` jamal
2005-02-02 15:40 ` Thomas Graf
2005-02-02 15:55 ` Thomas Graf
2005-01-31 20:28 ` David S. Miller
2005-02-01 1:02 ` Andy Furniss
2005-02-01 13:31 ` Thomas Graf
2005-02-01 15:03 ` Andy Furniss
2005-02-02 13:28 ` Thomas Graf
2005-01-31 16:27 ` Andre Correa
2005-01-31 16:51 ` Jamal Hadi Salim
2005-01-31 22:39 ` Andy Furniss
2005-02-01 11:49 ` jamal
2005-02-01 14:53 ` Andy Furniss
2005-02-02 14:05 ` jamal
2005-02-04 0:33 ` Andy Furniss
2005-02-01 11:32 ` Andy Furniss
[not found] ` <0fcf01c5077f$579e4b80$6e69690a@RIMAS>
[not found] ` <1107174142.8021.121.camel@jzny.localdomain>
2005-03-09 14:30 ` Remus
2005-03-09 14:38 ` jamal
2005-03-10 1:06 ` Jamal Hadi Salim
2005-03-10 9:18 ` Remus
2005-03-10 11:22 ` jamal
2005-03-19 1:09 ` Andy Furniss
2005-03-19 1:45 ` jamal
2005-03-19 10:23 ` Andy Furniss
2005-03-20 13:20 ` jamal
2005-03-20 13:55 ` jamal
2005-03-20 18:31 ` jamal
2005-03-21 22:08 ` Andy Furniss
2005-03-21 13:14 ` iptables breakage WAS(Re: " jamal
2005-03-21 21:50 ` Andy Furniss
2005-03-21 22:41 ` jamal
2005-03-22 1:15 ` Andy Furniss
2005-03-22 3:31 ` jamal
2005-03-22 21:09 ` Andy Furniss
2005-03-23 3:57 ` jamal
2005-03-23 19:33 ` Andy Furniss
2005-03-23 19:45 ` jamal
2005-03-23 20:53 ` Andy Furniss
2005-03-23 21:07 ` jamal
2005-03-23 22:46 ` Andy Furniss
2005-03-23 23:12 ` Andy Furniss
2005-03-24 0:34 ` jamal
2005-03-24 1:00 ` Andy Furniss
2005-03-24 0:53 ` jamal
2005-03-24 1:08 ` Andy Furniss
2005-03-24 11:32 ` jamal
2005-03-24 11:57 ` jamal
2005-03-24 15:41 ` Andy Furniss
2005-03-25 11:13 ` jamal
2005-03-25 12:39 ` jamal
2005-03-25 17:27 ` Patrick McHardy
2005-03-25 18:34 ` jamal
2005-03-25 19:01 ` Patrick McHardy
2005-03-25 20:07 ` Patrick McHardy
2005-03-25 20:31 ` jamal
2005-03-25 20:37 ` Patrick McHardy
2005-03-25 20:54 ` jamal
2005-03-25 21:23 ` Patrick McHardy
2005-03-25 19:08 ` jamal
2005-03-25 19:22 ` jamal
2005-03-25 19:59 ` Andy Furniss
2005-03-25 20:09 ` Patrick McHardy
2005-03-25 20:42 ` Andy Furniss
2005-03-25 20:10 ` jamal
2005-03-25 20:18 ` Patrick McHardy
2005-03-25 20:45 ` jamal
2005-03-25 21:10 ` Patrick McHardy
2005-03-25 21:57 ` jamal
2005-03-25 20:20 ` Thomas Graf
2005-03-25 20:48 ` jamal
2005-03-25 21:01 ` Thomas Graf
2005-03-25 21:48 ` jamal
2005-03-25 22:03 ` Thomas Graf
2005-03-25 22:20 ` jamal
2005-03-25 20:39 ` Patrick McHardy
2005-03-25 20:55 ` jamal
2005-03-25 21:00 ` Patrick McHardy
2005-03-25 21:44 ` jamal
2005-03-25 21:18 ` Andy Furniss
2005-03-25 22:12 ` IMQ again WAS(Re: " jamal
2005-03-25 23:26 ` Andy Furniss
2005-03-27 19:35 ` Andy Furniss
2005-03-28 13:39 ` Andy Furniss
2005-03-28 13:45 ` jamal
2005-03-28 13:55 ` Andy Furniss
2005-03-28 14:08 ` jamal
2005-03-28 13:57 ` jamal
2005-03-28 14:12 ` Andy Furniss
2005-03-28 14:20 ` jamal
2005-03-28 14:28 ` Andy Furniss
2005-03-28 14:36 ` Andy Furniss
2005-03-28 15:24 ` Andy Furniss
2005-03-28 19:27 ` jamal
2005-03-28 20:13 ` Andy Furniss
2005-03-23 1:31 ` Patrick McHardy
2005-03-23 4:01 ` jamal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050131135810.GC31837@postel.suug.ch \
--to=tgraf@suug.ch \
--cc=andre@tomt.net \
--cc=andy.furniss@dsl.pipex.com \
--cc=damion@snapgear.com \
--cc=hadi@znyx.com \
--cc=netdev@oss.sgi.com \
--cc=nguyendinhnam@gmail.com \
--cc=rmocius@auste.elnet.lt \
--cc=syrius.ml@no-log.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).