#05 Update Note

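2017. 12. 2 Update Log

This time I tried to use TC (Traffic Control) to control the traffic of incoming packets, but failed. According to this post (https://serverfault.com/questions/557573/incoming-ingress-traffic-shaping-on-linux-bw-is-lower-than-expected), controlling incoming packets is like holding a board with a hole in it up to a fire truck's hose, and as that passage says, I felt once again that it is close to impossible…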

Trying to limit incoming bandwidth is basically trying to limit the flow of a firehose by holding up a board with a hole drilled in it: You will reduce the amount of water that hits you, but you’re still being hit by the firehose.

Carrying the firehose analogy further, if you need 100 gallons of water but limit the rate at which it’s getting to you (by holding up the board with the hole in it) you’re still bearing the brunt of the force of the firehose (traffic coming down your pipe), but not getting most of that water (because only what happens to go through the hole reaches you — The rest is dropped on the floor by your firewall board).

The effect of blocking all that water is that it takes longer to fill your 100 gallon bucket.
The effect of blocking TCP packets with a firewall is a little worse, because you trigger the remote host’s congestion control algorithm which in an ideal world makes it turn down the pressure on the firehose, sometimes substantially lower than you would like it to.

Incidentally this is also why a local firewall can’t save you from DoS attacks – you still have to deal with all the traffic, even if it’s just to make the decision to ignore it. A DoS attack is unlikely to honor congestion control procedures for obvious reasons.

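However, control was possible for outgoing traffic, so I did that (though in the end I did not achieve the goal of 20Mbps incoming/outgoing traffic control).

Edited 2017/12/15: It seems tc has something called ingress policing. I think something could be solved with it, but it will be hard for now (it is too complex; I should learn TC properly first and try it later).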
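
An added example, not the author's configuration: the 20 Mbit/s goal expressed as tc commands, with outgoing traffic shaped by a token bucket filter and incoming traffic policed at the same rate. The interface name `eth0` and the burst and latency values are assumptions; the script only prints the commands and applies nothing.

```shell
#!/bin/sh
# Added example: print the tc commands for a symmetric rate limit.
# Egress can be shaped (queued and delayed) because this host owns the queue.
# Ingress can only be policed: packets over the rate are dropped after they
# have already crossed the link, so the link still carries the full load and
# the limit relies on the sender's TCP congestion control backing off.

# plan_rate_limit DEV RATE  -> one tc command per line on stdout
plan_rate_limit() {
    dev=$1    # interface name (eth0 is an assumption)
    rate=$2   # tc rate string such as 20mbit

    # The output is meant to be run as root, so accept only a plain
    # interface name and a plain tc rate.
    case $dev in
        ''|*[!A-Za-z0-9._-]*) echo "bad device: $dev" >&2; return 1 ;;
    esac
    case $rate in
        *[!0-9a-z]*) echo "bad rate: $rate" >&2; return 1 ;;
        [0-9]*[kmg]bit) ;;
        *) echo "bad rate: $rate" >&2; return 1 ;;
    esac

    # 1) egress shaping with a token bucket filter (burst/latency assumed)
    # 2) attach the ingress qdisc, which has the fixed handle ffff:
    # 3) police every IPv4 packet on ingress and drop what exceeds the rate
    cat <<EOF
tc qdisc add dev $dev root tbf rate $rate burst 32kb latency 400ms
tc qdisc add dev $dev handle ffff: ingress
tc filter add dev $dev parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate $rate burst 100k drop flowid :1
EOF
}

# plan_teardown DEV  -> commands that remove both qdiscs again
plan_teardown() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) echo "bad device: $1" >&2; return 1 ;;
    esac
    printf 'tc qdisc del dev %s root\ntc qdisc del dev %s ingress\n' "$1" "$1"
}

# Stand-alone run: show the plan for the given (or default) interface and rate.
plan_rate_limit "${1:-eth0}" "${2:-20mbit}"
```

To apply the plan, review the printed commands and pipe them to `sh` as root; `tc -s qdisc show dev eth0` and `tc -s filter show dev eth0 parent ffff:` then report how many packets were delayed or dropped.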
