
Re: random SYN-drop function

To: Julian Anastasov <uli@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: random SYN-drop function
Cc: Ratz <ratz@xxxxxx>, lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: Wensong Zhang <wensong@xxxxxxxxxxxx>
Date: Sat, 18 Mar 2000 22:33:29 +0800 (CST)


On Fri, 17 Mar 2000, Julian Anastasov wrote:

> 
>       I have thought about something like this:
> 
>       if (rate) {
>               if (!--counter) {
>                       counter = rate;
>                       drop packet
>               }
>       }
>       accept this packet
> 
>       sltimer_handler() {
>               counter = rate = the_big_formula
>       }
> 
>       Currently, the formula is not complex and can be put
> in the packet handler. But as in the above example, we can evaluate the
> rate in the time handler too, as in the LVS 0.9.[89]. We can use
> rate=0 in normal situations and put the free memory as the value
> for the rate after some checks, of course.
> 
>       So, if we decide to drop packets before forwarding them,
> we can use such a simple drop mechanism. Rate means: "drop 1/rate
> packets". If the rate is evaluated in the time handler, it is valid
> for one second. rate=1 is a total block. counter and rate are global
> for all kinds of entries: TCP/UDP
> 

Yeah, it could work; we would need to design a good the_big_formula.

Before I implemented randomly scanning the table to drop syn entries, I
thought that it is very much more likely to pick a stale one
(syn-flooding) than a live one. Normal connections might have more chances
to connect to the services. Actually, we need to do a deep investigation on
this issue.

Maybe we can combine these two methods in the system too. ;-)

Thanks,

Wensong
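
The counter-based drop sketched in the quoted message, as an added C example that is not code from this thread or from LVS. The thread leaves the_big_formula undefined, so `example_formula`, its page thresholds and the `simulate` helper are assumptions made for illustration only.

```c
#include <stdio.h>

/* Global for all entry types (TCP/UDP), as in the quoted sketch. */
static unsigned int rate;    /* 0 = never drop, 1 = total block, N = drop 1 in N */
static unsigned int counter;

/* Hypothetical stand-in for "the_big_formula" (not defined in the thread).
 * Assumption: with free memory at or above low_pages nothing is dropped;
 * below it, less free memory gives a smaller rate, i.e. more drops. */
unsigned int example_formula(unsigned long free_pages, unsigned long low_pages)
{
    if (free_pages >= low_pages)
        return 0;                              /* normal situation */
    return (unsigned int)(free_pages / 64 + 1); /* never 0 under pressure */
}

/* Timer handler: the rate it sets is valid until the next tick (one second). */
void sltimer_handler(unsigned long free_pages, unsigned long low_pages)
{
    counter = rate = example_formula(free_pages, low_pages);
}

/* Packet handler decision: returns 1 to drop the packet, 0 to accept it. */
int should_drop(void)
{
    if (rate) {
        if (!--counter) {
            counter = rate;   /* re-arm for the next 1-in-rate drop */
            return 1;
        }
    }
    return 0;
}

/* Constructed test driver: n packets arriving within one timer period. */
unsigned int simulate(unsigned long free_pages, unsigned long low_pages,
                      unsigned int n)
{
    unsigned int dropped = 0;
    sltimer_handler(free_pages, low_pages);
    for (unsigned int i = 0; i < n; i++)
        dropped += (unsigned int)should_drop();
    return dropped;
}

int main(void)
{
    /* Constructed inputs: free pages, low-memory threshold, packet count. */
    printf("plenty of memory: %u dropped\n", simulate(4096, 1024, 1000));
    printf("rate 4:           %u dropped\n", simulate(192, 1024, 1000));
    printf("rate 1:           %u dropped\n", simulate(0, 1024, 1000));
    return 0;
}
```

Because the counter is deterministic, every rate-th packet is dropped regardless of whether it belongs to a flood or to a live client, which is the trade-off against the random table scan discussed in the reply.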





