After some research into the current solutions on Solaris, it doesn't appear that there's a current solution, perhaps everyone here would know better. Let me lay out the problem so that it's a little more clear.
As far as I can tell, most currently available, easy to use solutions use queuing for traffic shaping (netfilter in linux and what squeues in S10 appear to be as well as the solution that squid appears to perform). Unfortunately, it's pretty tough to actually do inbound traffic shaping with this kind of a tactic because the bits already arrived. You can drop packets or queue up the incoming stuff but that either causes massive retransmission for a negative effect on connection quality or gives you very spiky bandwidth because the connection is going all over the place. Where queues do seem to work is on outbound traffic. In that case, you have full control of what goes out and can queue it up, making sure it works. Now, ideally, I'd like to limit incoming connections bandwidth on a per-connection and per-port basis (Crossbow, which is an awsome project, only appears to do something with squeues on a local IP and port basis). A use case would be if someone using a service, say HTTP does something "bad" such as start a DOS, you can limit that bandwidth down to almost nothing so that they don't retry the connection, think that the DOS is working correctly and potentially if you've got a false positive, the client can still use the service if at a severely reduced level. Pure packet dropping or queuing wouldn't work in this instance, I believe, because the bandwidth would get reclaimed to some level but you'd loose a lot still and in the case of a false positive, the service would be completely unusable based on how many dropped packets would be occurring. Therefore, after looking through my networking books again here, I believe the solution to this problem is fixed by reaching down into the guts of TCP itself. Because TCP has to handle limited connections all the time, the protocol has some allowances for finding the optimal bandwidth of a connection a reshaping the incoming packets so that it's filled correctly. It does this through the TCP window, the MSS header option and TCP congestion avoidance. From everything I've been able to find about the network stack in S10, there aren't any hooks for me to be able to edit these settings on the fly at a per-connection level. So, the first obvious question, is this possible at all? And/or has someone already done something like this? Assuming that it's not been done before, where can I find information on how to get it done? Such as, would this need to be a network driver wrapper or just a simple kernel module that can be loaded when it's needed? I'm sure that there's information out there on where to begin but I've sure had a hard time finding it .... any pointers would be greatly appreciated. _______________________________________________ networking-discuss mailing list [email protected]
