> > It is nearly FAQ. You can use the ingress qdisc to do it and attach
> > policers there.
>
> Ah ok, I found the SYN flood example in the HOWTO. :)
> But that seems to work by dropping packets rather than queueing them,
> which is not so good if your bandwidth is very limited (modem dialup).

You are right. I have tried to convince other QoS people about it (jamal,
Werner ..) but they don't like the idea of incoming queuing. I agree with
you but let me explain one thing. When you queue (and delay) packets
believing that the TCP protocol will slow down, then you are mistaken. TCP
will adapt to the new RTT by enlarging MSS, which will send you even more
traffic. Then the queue will overflow, packets will be dropped and TCP will
back off.

So it makes sense to do incoming queuing, but for a different reason.
Almost all queuing disciplines NEED to know whether some flow is active,
and this is tested by the presence of a non-empty queue. This is why you
need some queue. Typically you will want a shallow queue (5 packets f.e.)
and you definitely WANT to drop packets (because this is the way TCP
learns about congestion). Another trick is to delay packets and MANGLE the
MSS value in the packets. But it is far from a clean approach.

> > It would be nice to be able to attach every qdisc to an incoming interface
> > but it is not possible. There is always a problem - when the packet has
> > already hit your box, why do you want to drop/delay it ?
>
> Because some of the traffic is for this box (doesn't go out) and I
> don't want it to "steal" all the bandwidth from traffic that is
> forwarded through the box. Also, the traffic is mostly asymmetric,
> lots of data coming in and only ACKs going out.

You said "all the bandwidth". What limits the bw ? Probably the link
between your box and the ISP (e.g. modem), right ? Then the right way is to
attach queues to the ISP's outgoing interface. But you probably can't,
because you don't own the ISP machines. So you have to use a "hack" and
queue at the incoming interface, where the paragraph I've written above
holds.

> > On your virtual-host note. I already did a patch (called IMQ) which
> > implements a virtual interface allowing to attach a single qdisc to
> > multiple outgoing devices.
>
> Could you post the URL for that?

Look at luxik.cdi.cz/~devik/qos/ . You could hack the netif_rx routine to
queue at an imq-like device too and then attach a qdisc to it. Or use the
existing ingress qdisc and change it a bit to allow queuing.

> > - only there is no time to do it.
>
> Hmm, lack of time is a universal problem me thinks... ;)

yes it is ;) Send me $300 and I'll do it ;-)))

devik
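The ingress-qdisc-plus-policer "hack" the thread refers to (the HOWTO-style setup that drops, rather than queues, incoming traffic above a rate), as an added example that is not part of the original mail. The interface name ppp0 and the 56kbit/10k rate and burst are assumptions; the functions only print the tc commands, and applying them needs root on a real box.

```shell
#!/bin/sh
# Added example: police incoming IP traffic on a dial-up interface with the
# ingress qdisc. Interface and rate values below are assumptions.

# Print the tc commands that police incoming IPv4 traffic on $1 to rate $2
# with burst $3. The ingress qdisc has no queue, so excess is dropped; that
# drop is the congestion signal TCP reacts to (as the mail explains).
ingress_police_cmds() {
    dev=$1; rate=$2; burst=$3
    # ffff: is the fixed handle the kernel uses for the ingress qdisc
    echo "tc qdisc add dev $dev handle ffff: ingress"
    # u32 matches every IPv4 packet; 'police ... drop' discards the excess
    echo "tc filter add dev $dev parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate $rate burst $burst drop flowid :1"
}

# Print the command that removes the ingress qdisc and its filters again.
ingress_police_undo_cmds() {
    echo "tc qdisc del dev $1 handle ffff: ingress"
}

# Feed the generated commands to a shell; requires root and a real device.
apply_ingress_police() {
    ingress_police_cmds "$@" | sh -e
}

# Usage: show the commands for a 56 kbit/s modem link (no root needed).
ingress_police_cmds ppp0 56kbit 10k
```

Replace the final line with `apply_ingress_police ppp0 56kbit 10k` (as root) to install the policer, and run `ingress_police_undo_cmds ppp0 | sh` to remove it.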