Re: [Linux Diffserv] Re: [PATCH] Inbound Connection Control mechanism: Prioritized Accept Queue

From: Sridhar Samudrala
Date: Mon Jul 30 2001 - 17:08:34 EST

Our patch can be used along with SYN policing to prioritize incoming
connection requests on a socket. SYN policing can be used to limit
the rate of a particular class, but it cannot be used to prioritize a
set of classes. Prioritized Accept Queues (PAQ) provides a way to classify
incoming connections on a socket into a set of up to 8 classes and uses
the priority of a connection to insert them into the accept queue. By
default a connection is added at the end of the accept queue. With PAQ,
the connection is inserted at the end of the corresponding class within
the accept queue. This will improve the latency and throughput for higher
priority connections.

We found that there are 2 ways to do SYN policing in linux. The first
method is using the ingress policer which may be more effective as it
uses dual token bucket. The second way is to use iptables. It is simpler
to configure via iptables as the rate limit can be specified in
connections/sec as opposed to bytes/sec with ingress. This may not be
much of an issue if all the SYN packets are of fixed size (can change with

Our patch does not in any way replace the functionality provided with
SYN policing. It tries to extend the inbound qos functionality by adding
prioritization of incoming connections that are going to be accepted. is running linux 2.2.19. I guess linux should by
default ignore ECN bits if it is not enabled. Do you think this ECN problem
has something to do with the server or some router on the way to the server?

On Mon, 30 Jul 2001, jamal wrote:
> For starters, can you fix
> so it respects ECN?
> In regards to policing SYNs i am not sure what additional
> value you provide to the mechanisms currently available under
> 2.4 ingress traffic policing; the simplest example we provided
> was on SYN policing albeit for DoS prevention.
> Since i refuse to turn off ECN, i can't access your web page
> You can use the skbmark to prioritize based on policies
> installed on the ingress and drop early ...
> In case you are using this scheme already you should stick to the
> ingress policer which uses a dual Token Bucket not what netfilter uses..
> cheers,
> jamal
> On Mon, 30 Jul 2001, Douglas M Freimuth wrote:
> >
> >
> > On Fri, 27 Jul 2001, Sridhar wrote:
> >
> > >The documentation on HOWTO use this patch and the test results which show an
> > >improvement in connection rate for higher priority classes can be found at our
> > >project website.
> > >
> >
> > For additional detail regarding the Prioritized Accept Queue (PAQ)
> > patch please read "Kernel Mechanisms for Service Differentiation in
> > Overloaded Web Servers", originally published in the 2001 Proceedings
> > of the USENIX Annual Technical Conference (USENIX Association, 2001),
> > pp. 189-202, at the following USENIX site:
> >
> > For USENIX nonmembers, later this week we will "reprint" this USENIX paper
> > on our project website.
> >
> >
> > --Doug
> > =================================================================
> > Doug Freimuth
> > IBM TJ Watson Research Center
> > Office 914-784-6221
> >
> >
> >
> >


This archive was generated by hypermail 2b29 : Tue Jul 31 2001 - 21:00:47 EST