On Thu, Jan 31, 2008 at 11:38:26AM +0000, Simon Hobson wrote:
> Inbound is a lot harder to do, and in this setup I'm not entirely
> certain what's required. You can only shape traffic that is leaving
> an interface - you CANNOT shape traffic that is coming in.
>
> ...
>
> So what I suspect you need to do is create an Intermediate Queueing
> Device (http://lartc.org/howto/lartc.imq.html). You can then apply
> the traffic shaping to traffic 'exiting' via this interface, and
> after that it can be routed out of the real interfaces.

While this is technically possible, it doesn't address the real issue
with shaping inbound traffic: you can't actually do it.

Outbound traffic shaping works by holding the packets in a queue, and
sending them over the shaped link at the desired rate - this does
exactly what you expect, controlling the rate of traffic over the
link.

Inbound traffic shaping occurs *after* the traffic has already moved
over the link you're trying to shape. It is already too late to
control the rate at which these packets have moved. The mechanism used
to create the appearance of inbound traffic shaping is to selectively
degrade the reliability of the link: the inbound shaper drops packets
on the floor, and hopes that the remote system interprets this as the
link being overloaded, and slows down the rate at which it is sending
packets in the future. In the case where the remote system is a
well-behaved TCP application (such as a typical web server), this will
work. In the case where it's some game or VoIP system using its own
UDP-based traffic management, it probably won't. Against a hostile
system that is attacking you, it is completely worthless.

And never forget that inbound traffic shaping is always deliberately
making your link unreliable: packets will be lost. This can cause more
problems than it solves; it wrecks most VoIP systems, rather than
improving them. It does have applications, but it's far from
universally appropriate. When in doubt, don't do it, just do the
outbound part.

("Real" QoS means outbound shaping only, on both ends of the link -
that's your end, and your ISP, who will be charging extra for this
service.)
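
A toy simulation of the point made in the message above, added as an illustration and not part of the original email: an inbound policer only sees packets after they have crossed the link, so the link load falls only if the sender reacts to the drops. The function names, the rates (link 100, policer 50 packets per tick) and the simplified halve-on-loss sender are all assumptions of this example.

```python
# Added illustration: toy model of an inbound policer sitting *behind* the link.
# All names and numbers are constructed for this example.

def police(arrivals, tokens, rate, burst):
    """Token-bucket policer. Returns (accepted, dropped, tokens_left)."""
    tokens = min(burst, tokens + rate)      # refill once per tick
    accepted = min(arrivals, tokens)
    return accepted, arrivals - accepted, tokens - accepted

def aimd(rate, lost):
    """Well-behaved TCP-like sender: halve on loss, else probe upward."""
    return max(1, rate // 2) if lost else rate + 1

def fixed(rate, lost):
    """Sender that ignores loss (unresponsive UDP stream or flood)."""
    return rate

def simulate(react, start_rate=100, ticks=200, link_capacity=100,
             police_rate=50, burst=50):
    """Run one sender against the policer; report link load and loss ratio."""
    tokens, rate = burst, start_rate
    crossed = dropped = 0
    for _ in range(ticks):
        # These packets have already consumed the link before the policer
        # gets to see them; dropping them does not give the capacity back.
        on_link = min(rate, link_capacity)
        _, lost, tokens = police(on_link, tokens, police_rate, burst)
        crossed += on_link
        dropped += lost
        rate = react(rate, lost)
    return {"link_load": crossed / ticks, "loss": dropped / crossed}

if __name__ == "__main__":
    for name, react in (("aimd", aimd), ("fixed", fixed)):
        print(name, simulate(react))
```

The loss-reactive sender settles below the policed rate with under 2% loss, while the sender that ignores loss keeps the link fully loaded and simply loses half of its packets at the policer.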