Re: ICMP handling in Linux
Hello, Henrique de Moraes Holschuh a écrit : Easy depriorizing is possible by outright dropping incoming ICMP packets in the iptables layer, before it is processed by the IP stack. iptables is not before the IP stack, it is a part of it. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4f894fdd.6010...@plouf.fr.eu.org
Re: ICMP handling in Linux
On Sat, 14 Apr 2012, Pascal Hambourg wrote: Henrique de Moraes Holschuh a écrit : Easy depriorizing is possible by outright dropping incoming ICMP packets in the iptables layer, before it is processed by the IP stack. iptables is not before the IP stack, it is a part of it. I suppose you're correct, since it is the IPv4-specific part of netfilter, and it does hook into several places of the IP stack, and it knows IPv4. I should probably have written it as drop it in the RAW table, which happens very early in the packet's processing by the IP stack. -- One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot Henrique Holschuh -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120414104211.ga22...@khazad-dum.debian.net
ICMP handling in Linux
It's a well known fact that even most(with exceptions like ASR1K) of the high-end Cisco or Juniper routers handle ICMP traffic in routing engines not in ASIC's which means that they share the CPU time with other processes. How prioritized is ICMP handling in modern Linux 2.6 and newer kernels? Is it possible to prioritize ICMP handling in kernel? regards, martin -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/cajx5yvg0rsuyi-walzvc2zpezk7+5xzb7qnradesyxbt6ze...@mail.gmail.com
Re: ICMP handling in Linux
On Tue, 10 Apr 2012, Martin T wrote: It's a well known fact that even most(with exceptions like ASR1K) of the high-end Cisco or Juniper routers handle ICMP traffic in routing engines not in ASIC's which means that they share the CPU time with other processes. How prioritized is ICMP handling in modern Linux 2.6 and newer kernels? Is it possible to prioritize ICMP handling in kernel? AFAIK, it has the same priority of every other packet that makes it to the IP stack. Easy depriorizing is possible by outright dropping incoming ICMP packets in the iptables layer, before it is processed by the IP stack. I suppose advanced NICs might be able to use receiver-side flow-steering to priorize or depriorize ICMP packets before delivering them to the driver, or you could steer them all to a particular core. I fear you will probably need to ask this question in the netdev ML if you want a better answer. -- One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot Henrique Holschuh -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120411001020.gb7...@khazad-dum.debian.net
Re: ICMP handling in Linux
On Tue, 2012-04-10 at 21:10 -0300, Henrique de Moraes Holschuh wrote: On Tue, 10 Apr 2012, Martin T wrote: It's a well known fact that even most(with exceptions like ASR1K) of the high-end Cisco or Juniper routers handle ICMP traffic in routing engines not in ASIC's which means that they share the CPU time with other processes. How prioritized is ICMP handling in modern Linux 2.6 and newer kernels? Is it possible to prioritize ICMP handling in kernel? AFAIK, it has the same priority of every other packet that makes it to the IP stack. Easy depriorizing is possible by outright dropping incoming ICMP packets in the iptables layer, before it is processed by the IP stack. I suppose advanced NICs might be able to use receiver-side flow-steering to priorize or depriorize ICMP packets before delivering them to the driver, or you could steer them all to a particular core. I fear you will probably need to ask this question in the netdev ML if you want a better answer. Setting up a qdisc via the tc utility would be a more controlled way than simply drop or not drop. Alas, it is not one of the simpler things to do in Linux - John -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/1334103390.2012.32.ca...@denise.theartistscloset.com
Re: ICMP handling in Linux
On 11/04/12 02:07, Martin T wrote: It's a well known fact that even most(with exceptions like ASR1K) of the high-end Cisco or Juniper routers handle ICMP traffic in routing engines not in ASIC's Debian is software - so I can be relied on to never use ASICs ;-p snipped How prioritized is ICMP handling in modern Linux 2.6 and newer kernels? ICMP has the same priority as other protocols (by default). Is it possible to prioritize ICMP handling in kernel? Sure - assign a lower priority policy to other protocols. regards, martin If you want more detailed answer to specific situations debian-firewall might be a better list to ask. Note that Debian also provides a kfreeBSD kernel and HURD servers. Kind regards -- Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding answers to questions about Debian:- https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/ -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4f84ce87.3040...@gmail.com
Re: ICMP handling in Linux
On Tue, 10 Apr 2012, John A. Sullivan III wrote: On Tue, 2012-04-10 at 21:10 -0300, Henrique de Moraes Holschuh wrote: On Tue, 10 Apr 2012, Martin T wrote: It's a well known fact that even most(with exceptions like ASR1K) of the high-end Cisco or Juniper routers handle ICMP traffic in routing engines not in ASIC's which means that they share the CPU time with other processes. How prioritized is ICMP handling in modern Linux 2.6 and newer kernels? Is it possible to prioritize ICMP handling in kernel? AFAIK, it has the same priority of every other packet that makes it to the IP stack. Easy depriorizing is possible by outright dropping incoming ICMP packets in the iptables layer, before it is processed by the IP stack. I suppose advanced NICs might be able to use receiver-side flow-steering to priorize or depriorize ICMP packets before delivering them to the driver, or you could steer them all to a particular core. I fear you will probably need to ask this question in the netdev ML if you want a better answer. Setting up a qdisc via the tc utility would be a more controlled way than simply drop or not drop. Alas, it is not one of the simpler things to do in Linux - John I suppose so, but that would require the use of ifb devices. That is likely more expensive than handling the ICMP in the first place (with kernel ICMP reply rate-limiters configured, obviously), so it might not work as well as one would like it to. -- One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot Henrique Holschuh -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120411004249.gd7...@khazad-dum.debian.net
Re: ICMP handling in Linux
On Tue, 2012-04-10 at 21:42 -0300, Henrique de Moraes Holschuh wrote: On Tue, 10 Apr 2012, John A. Sullivan III wrote: On Tue, 2012-04-10 at 21:10 -0300, Henrique de Moraes Holschuh wrote: On Tue, 10 Apr 2012, Martin T wrote: It's a well known fact that even most(with exceptions like ASR1K) of the high-end Cisco or Juniper routers handle ICMP traffic in routing engines not in ASIC's which means that they share the CPU time with other processes. How prioritized is ICMP handling in modern Linux 2.6 and newer kernels? Is it possible to prioritize ICMP handling in kernel? AFAIK, it has the same priority of every other packet that makes it to the IP stack. Easy depriorizing is possible by outright dropping incoming ICMP packets in the iptables layer, before it is processed by the IP stack. I suppose advanced NICs might be able to use receiver-side flow-steering to priorize or depriorize ICMP packets before delivering them to the driver, or you could steer them all to a particular core. I fear you will probably need to ask this question in the netdev ML if you want a better answer. Setting up a qdisc via the tc utility would be a more controlled way than simply drop or not drop. Alas, it is not one of the simpler things to do in Linux - John I suppose so, but that would require the use of ifb devices. That is likely more expensive than handling the ICMP in the first place (with kernel ICMP reply rate-limiters configured, obviously), so it might not work as well as one would like it to. snip I did not read the original post but I'm not sure why it would require IFB interfaces. I have found I only use them if I need to shape rather than police ingress traffic or if I need to do identical traffic shaping on multiple interfaces. Then again, I have not experience configuring kernel ICMP reply rate limiters - John -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/1334108474.2012.34.ca...@denise.theartistscloset.com
