The Linux Networking Architecture [Electronic resources] - Text version


Klaus Wehrle


18.5 Ingress Policing


The file net/sched/sch_ingress.c implements a queuing discipline designed for ingress policing. Its structure is similar to that of other queuing disciplines, and the exported functions are similar to the functions described in the previous section.

However, rather than buffering packets, this queuing discipline classifies them to decide whether each packet will be accepted or discarded. In effect, the queuing discipline takes on firewall or Netfilter functionality. This is also reflected in the return values of the enqueue() function, which are converted to Netfilter return values, as shown in the following excerpt from the function ingress_enqueue() (net/sched/sch_ingress.c):


    case TC_POLICE_SHOT:
        result = NF_DROP;
        break;
    case TC_POLICE_RECLASSIFY: /* DSCP remarking here ? */
    case TC_POLICE_OK:
    case TC_POLICE_UNSPEC:
    default:
        result = NF_ACCEPT;
        break;

First, the function register_qdisc() registers the functions of the queuing discipline with the network device. Subsequently, the function nf_register_hook() attaches them to the Netfilter hook NF_IP_PRE_ROUTING.

Next, additional filters can be appended to this queuing discipline. These filters can use functions from net/sched/police.c to check whether a data stream conforms to a token bucket.
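The two pieces described in this section, a token-bucket conformance check and the conversion of its result into a Netfilter verdict, shown as an added user-space example (not code from the book or from net/sched). The names struct bucket, police(), ingress_verdict() and count_drops() are hypothetical, the constants are redefined locally, and the packet trace is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for the kernel constants so this builds in user space. */
enum { TC_POLICE_UNSPEC = -1, TC_POLICE_OK, TC_POLICE_RECLASSIFY, TC_POLICE_SHOT };
enum { NF_DROP = 0, NF_ACCEPT = 1 };

/* Hypothetical token bucket; credit is kept in microseconds of line time. */
struct bucket {
    uint64_t rate;               /* bytes per second, must be > 0 */
    uint64_t burst_us, toks_us;  /* bucket depth and current credit */
    uint64_t last_us;            /* arrival time of the previous packet */
};

/* Refill for the elapsed time, then charge the packet if it conforms. */
static int police(struct bucket *b, uint64_t now_us, uint32_t len)
{
    uint64_t cost = (uint64_t)len * 1000000u / b->rate;
    /* A clock that steps backwards earns no credit. */
    uint64_t gain = now_us > b->last_us ? now_us - b->last_us : 0;
    uint64_t toks = b->toks_us + gain;
    if (toks > b->burst_us)
        toks = b->burst_us;      /* never bank more than one burst */
    b->last_us = now_us;
    b->toks_us = toks;
    if (cost > toks)
        return TC_POLICE_SHOT;   /* out of profile, no credit charged */
    b->toks_us = toks - cost;
    return TC_POLICE_OK;
}

/* Same mapping as the ingress_enqueue() excerpt: only SHOT drops. */
static int ingress_verdict(int result)
{
    return result == TC_POLICE_SHOT ? NF_DROP : NF_ACCEPT;
}

/* Constructed trace: {arrival time in us, packet length in bytes}. */
static const struct { uint64_t t; uint32_t len; } trace[] = {
    {0, 1500}, {0, 1500}, {1000, 1500}, {12000, 1500}, {13000, 100}, {13000, 1500},
};
int count_drops(void)
{
    struct bucket b = { 125000, 24000, 24000, 0 }; /* 1 Mbit/s, 3000-byte burst */
    int drops = 0;
    for (unsigned i = 0; i < sizeof trace / sizeof trace[0]; i++)
        drops += ingress_verdict(police(&b, trace[i].t, trace[i].len)) == NF_DROP;
    return drops;
}
int main(void) { printf("dropped %d of 6\n", count_drops()); return 0; }
```

With this trace the third and sixth packets arrive with too little credit and are dropped. Every result other than TC_POLICE_SHOT is accepted, so an unrecognized classifier result lets the packet through.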

