> assumed he meant ingress policing. Is there a significant reason to use
> shaping rather than policing? Yes, policing drops valid packets, but TCP will
> cause that anyway before backing off sending.
Sorry for the confusion. Yes, I meant shaping. Maybe policing is better than
nothing, definitely try it out and tell us :-)
But there is a reason to buffer packets instead of dropping them:
Dropping packets kills TCP throughput. Buffering packets gives TCP connections
a way to figure out the appropriate rate. Don't ask me to explain because I
don't understand much about it myself. Ask Google about TCP flow rate and
congestion control to get an idea.
If you use a hash bucket queue or similar for buffering, each connection
basically gets its own buffer, so that trickling traffic like SSH does not
get delayed in long buffers. And real-time traffic like phone calls prefer
10% dropped packets over 100% delayed packets so they need their own
mini-queues.
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
No comments:
Post a Comment