> I have an SFQ with max queue size 128 and very low rate, say about > 1 packet/sec that I use to limit the rate of SYN's. > Now as part of a test I send a syn flood, say 200 packets in one > second. In that first second SFQ drops 200-128 but the time limit > won't drop any more on enqueue. Now we're sending one packet/sec > and I try to open a tcp connection. > Suppose the age limit is 5 sec. and we drop on enqueue only. > If I try to open the tcp connection 3 sec after the flood, none of the > 124 or so packets in the queue has expired and it's going to take 2 > min. for my syn to get through. Whereas, if dequeue drops expired > packets then I can get through in 2 sec. Nice example :) And it also shown that you want to drop at both enqueue & dequeue. At enqueue because there is much higher rate of flood enqueues which will keep your sfq full until next dequeue (which drains all oldies). OTOH only after some time the packet will be old. So that checking too often will not allow to drop anything ... Probably testing is only way to go .. devik
