lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Wed, 14 Dec 2011 20:36:34 +0100
From:	Paweł Staszewski <pstaszewski@...are.pl>
To:	"John A. Sullivan III" <jsullivan@...nsourcedevel.com>
CC:	Eric Dumazet <eric.dumazet@...il.com>, netdev@...r.kernel.org
Subject: Re: IFB and bridges

W dniu 2011-12-12 01:42, John A. Sullivan III pisze:
>
> ----- Original Message -----
>> From: "Eric Dumazet"<eric.dumazet@...il.com>
>> To: "John A. Sullivan III"<jsullivan@...nsourcedevel.com>
>> Cc: netdev@...r.kernel.org
>> Sent: Sunday, December 11, 2011 5:00:59 PM
>> Subject: Re: IFB and bridges
>>
>> Le dimanche 11 décembre 2011 à 17:38 -0500, John A. Sullivan III a>
>>> I know IFB is often used for ingress but I wasn't really thinking
>>> of
>>> ingress filtering.  Let's say I have a 12 port Linux switch.  If
>>> any
>>> of the ports become backlogged, I want them to prioritize time
>>> sensitive traffic so I implement traffic shaping but I don't want
>>> to
>>> have to define my qdiscs, classes, and filters 12 times over if
>>> they
>>> are all the same.  So I would direct each port to an IFB (not sure
>>> if
>>> that's intolerable overhead), have a single set of qdiscs, classes,
>>> and filters, and, once those are applied, the packet arrives back
>>> on
>>> the same interface and proceeds assuming if has not been dropped or
>>> delayed. - John
>> Really ? How are you going to shape a single IFB device, if you
>> really
>> have independant 12 ports. (Its a switch, not a hub after all)
>>
>> A script can define your qdiscs/classes/filters hundred times, or one
>> thousand times, and writing such a script is far more easier than
>> setup
>> IFB.
>>
>>
>>
>>
> <grin>  That's why I thought I'd ask the experts :) - John
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>
Also directing all traffic from all 12 ports is not good idea :)
It is performance killer

IFB can't handle too much pps

Also - You can't have too many tc filters/classes on one single IFB 
device because this is also performance killer.



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ