Hello! > > Our patch can be used along with SYN policing to prioritize incoming > > connection requests on a socket. SYN policing can be used to limit > > the rate of a particular class, but it cannot be used to prioritize a > > No. Because you cant prove the packets are not spoofed. An attacker > becomes able to block classes Their idea is feedback from prioritized accept queue to syn-table. SYN floods just have no effect on this algoruthm. They do really clever thing. Look at the case with single queue: when apache is overloaded, accept queue grows. After some point it becomes meaningless to queue new SYNs, they will only clog syn-table, but we will not able to accept them in time. >From the other hand, we cannot just drop SYNs after accept queue overflows, because we will not have any connection ready, when apache overcomes its troubles. I have thought on this, but without big success. Typical accept latency is local and low, and typical syn-table latency is rtt. The processes of establishing and accepting work at different time scales and it is not quite trivial to get some useful smooth feedback from high frequency accept queue to low frequency syn-table. It is exactly the place where RED-like schemes should work well, by the way, but I did not try this unfortunately. Trying instead to get feedback from rate of SYNs, which was deemed to fail. Actually, 2.4 does some trick of this kind in the most primitive form. If their approach is really working, it can be extremally useful. Alexey - : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org
