forming queues in netfilter

Jeff Miller jeffm@dynamite.com.au
Tue, 30 Nov 1999 14:53:53 +1100


I'm attempting to write a leaky bucket module for rate (bps) control of
packets. It works fine until I try FTP, which tries to use MTU-sized
packets (1500 bytes in this case); then the total throughput drops
dramatically. From reading things on the web I'm led to believe this is
due to TCP congestion control. Correct?

To get around this I was thinking of using queues within a netfilter module.
I know there are other methods available in the kernel already, but I need
to do this for many subnets, and as I'm already using netfilter for the
firewalling it would make maintenance much easier.
Anyway, in pseudocode:

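ipt_bytes_match() {
	/* refill, capped at the bucket capacity */
	tokens += amount
	if (tokens > capacity) tokens = capacity
	/* send only when enough tokens are available for this packet */
	if (len <= tokens) {
		tokens -= len
		transmit_packet
	}
	else queue_packet
}

periodic() {
	/* refill, capped at the bucket capacity */
	tokens += amount
	if (tokens > capacity) tokens = capacity
	/* release the queued packet once the bucket can pay for it */
	if (packet_in_queue and (len <= tokens)) {
		dequeue_packet
		tokens -= len
		inject_packet
	}
}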

1) Is there any way to tell netfilter: match succeeded and packet was
   eaten? Eaten as a target?
2) How to inject the packet?


Alternates and other ideas welcome. I'll also post my code if anyone is
interested in seeing such basic code.

Jeff.
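
An added example, not part of the original post: a userspace C model of the queue-and-release scheme sketched in the pseudocode above, with refill done only on the timer tick. It makes no netfilter calls; all names (shaper_enqueue, shaper_tick, QLEN) are hypothetical, and tokens are counted in bytes. It also covers a case the pseudocode leaves open: a packet longer than the bucket capacity can never be released, so the capacity must be at least the MTU.

```c
#include <stddef.h>

/* Constructed userspace model; names are hypothetical, not netfilter API. */
#define QLEN 64

struct shaper {
    long tokens, capacity, amount;  /* bytes; amount = refill per tick */
    int q[QLEN];                    /* queued packet lengths, FIFO ring */
    size_t head, count;
    long sent_bytes, dropped;
};

enum verdict { SENT, QUEUED, DROPPED };

static void shaper_init(struct shaper *s, long capacity, long amount)
{
    *s = (struct shaper){ .tokens = capacity, .capacity = capacity,
                          .amount = amount };
}

/* Packet arrival: send at once only if tokens cover it and nothing waits ahead. */
static enum verdict shaper_enqueue(struct shaper *s, int len)
{
    if (len > s->capacity || s->count == QLEN) { /* never conforms, or queue full */
        s->dropped++;
        return DROPPED;
    }
    if (s->count == 0 && len <= s->tokens) {
        s->tokens -= len;
        s->sent_bytes += len;
        return SENT;
    }
    s->q[(s->head + s->count++) % QLEN] = len;   /* keep arrival order */
    return QUEUED;
}

/* Timer tick: refill (capped), then release queued packets while tokens last. */
static int shaper_tick(struct shaper *s)
{
    int released = 0;
    s->tokens += s->amount;
    if (s->tokens > s->capacity)
        s->tokens = s->capacity;
    while (s->count && s->q[s->head] <= s->tokens) {
        s->tokens -= s->q[s->head];
        s->sent_bytes += s->q[s->head];
        s->head = (s->head + 1) % QLEN;
        s->count--;
        released++;
    }
    return released;
}
```

A small packet arriving behind a queued MTU-sized one is queued as well, so packets within the flow are not reordered.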