Subject: Re: IFQ_MAXLEN: How large can it be?
To: Christoph Kaegi <>
From: Steven M. Bellovin <>
List: tech-net
Date: 11/15/2006 10:48:48

On Wed, 15 Nov 2006 08:57:01 +0100, Christoph Kaegi <> wrote:

> Hello list
> Thanks to the help of Manuel, I found the above mentioned
> setting which defines the size of the (per-adapter?) IP input
> queue.
> So I bumped this number on our quite busy firewall up from 256 
> to 1024 and later to 4096, but I still get 1'026'678 dropped 
> packets during 8 days uptime.

It's far from clear to me that this is a big help.  There's a fair amount
of literature that says that too-large router queues are bad, since they
end up having many retransmissions of the same data.  I suggest that you
look at other resources -- CPU and output line rate come to mind -- and
start playing with some of the fancier queueing options on your output
link.  (I wonder -- it would be nice to be able to do RED on things like
the IP input queue.  Is that possible?)

		--Steven M. Bellovin,