forming queues in netfilter

Jeff Miller
Tue, 30 Nov 1999 14:53:53 +1100

I'm attempting to write a leaky bucket module for rate (bps) control of
packets. It works fine until I try ftp, which tries to use MTU-sized
packets (1500 bytes in this case); then the total throughput drops
dramatically. From reading things on the web I'm led to believe this is
due to TCP congestion control. Correct??

To get around this I was thinking of using queues within a netfilter module.
I know there are other methods available in the kernel already, but I need
to do this for many subnets, and as I'm already using netfilter for the
firewalling it would make maintenance much easier.
Anyway, in pseudo code:

ipt_bytes_match() {
	/* refill the bucket, but never above its capacity */
	tokens += amount
	if (tokens > capacity) tokens = capacity
	/* enough tokens for this packet: spend them and let it through,
	   otherwise hold the packet until the periodic refill */
	if (len <= tokens) {
		tokens -= len
	} else {
		queue_packet
	}
}

periodic() {
	tokens += amount
	if (tokens > capacity) tokens = capacity
	/* release a queued packet once the bucket can pay for it */
	if (packet_in_queue and (len <= tokens)) {
		tokens -= len
		inject_packet
	}
}

1) Is there any way to tell netfilter: match succeeded and packet was
   eaten? Eaten as a target?
2) How to inject the packet?

Alternates and other ideas welcome. I'll also post my code if anyone is
interested in seeing such basic code.
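As an added example (not part of the original post, and not kernel or netfilter code), here is a user-space simulation of the token bucket sketched above. It keeps the queued packets in FIFO order, releases them from the periodic refill, and exposes the failure mode the poster is hitting with ftp: a packet longer than the bucket's capacity can never earn enough tokens, so MTU-sized segments stall while small ones flow. All names (tb_*) and the packet lengths used in main() are constructed for the illustration.

```c
/* Added example: user-space token bucket simulation. Not netfilter code;
 * the tb_* names and the sample packet lengths below are constructed. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define QUEUE_MAX 64

struct tb {
    uint32_t tokens;            /* bytes the bucket can currently pay for */
    uint32_t capacity;          /* ceiling on tokens, in bytes */
    uint32_t refill;            /* bytes added on every match and every tick */
    uint32_t queue[QUEUE_MAX];  /* lengths of held packets, FIFO ring */
    int head;                   /* index of the oldest queued packet */
    int count;                  /* number of queued packets */
};

/* Start with a full bucket and an empty queue. */
void tb_init(struct tb *b, uint32_t capacity, uint32_t refill)
{
    memset(b, 0, sizeof(*b));
    b->capacity = capacity;
    b->refill = refill;
    b->tokens = capacity;
}

/* Refill, clamped to capacity (the poster's first two pseudocode lines). */
static void tb_add_tokens(struct tb *b)
{
    b->tokens += b->refill;
    if (b->tokens > b->capacity)
        b->tokens = b->capacity;
}

/* Per-packet decision. Returns 1 if the packet passes now, 0 if it was
 * queued, -1 if the queue is full and the packet had to be dropped.
 * A packet is only admitted directly when nothing older is waiting,
 * so held packets are not overtaken. */
int tb_match(struct tb *b, uint32_t len)
{
    tb_add_tokens(b);
    if (b->count == 0 && len <= b->tokens) {
        b->tokens -= len;
        return 1;
    }
    if (b->count == QUEUE_MAX)
        return -1;
    b->queue[(b->head + b->count) % QUEUE_MAX] = len;
    b->count++;
    return 0;
}

/* Periodic tick: refill, then release queued packets in order for as long
 * as the bucket can pay for the one at the head. Returns how many left. */
int tb_periodic(struct tb *b)
{
    int released = 0;
    tb_add_tokens(b);
    while (b->count > 0 && b->queue[b->head] <= b->tokens) {
        b->tokens -= b->queue[b->head];
        b->head = (b->head + 1) % QUEUE_MAX;
        b->count--;
        released++;
    }
    return released;
}

/* The stall condition: tokens never exceed capacity, so a packet longer
 * than capacity can sit at the head of the queue forever and block it. */
int tb_can_ever_pass(const struct tb *b, uint32_t len)
{
    return len <= b->capacity;
}

int main(void)
{
    struct tb ok, stuck;
    int i;

    /* capacity above the MTU: 1500-byte segments queue, then drain */
    tb_init(&ok, 4000, 500);
    for (i = 0; i < 4; i++)
        printf("1500-byte packet -> %d\n", tb_match(&ok, 1500));
    printf("tick released %d packet(s)\n", tb_periodic(&ok));

    /* capacity below the MTU: the 1500-byte segment never drains */
    tb_init(&stuck, 1000, 200);
    printf("1500-byte packet -> %d\n", tb_match(&stuck, 1500));
    for (i = 0; i < 5; i++)
        printf("tick released %d packet(s)\n", tb_periodic(&stuck));
    printf("can a 1500-byte packet ever pass? %d\n",
           tb_can_ever_pass(&stuck, 1500));
    return 0;
}
```

The practical check this gives you: size the bucket so capacity is at least the largest packet you expect on the link (the MTU), otherwise the queue head blocks and everything behind it starves, which looks a lot like the throughput collapse described above. Releasing packets strictly in order is a deliberate choice here; the original pseudocode lets a fresh small packet pass while an older large one waits, which keeps the link busy but reorders a TCP stream.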