> On 6 Mar 2019, at 15:21, Toke Høiland-Jørgensen <t...@redhat.com> wrote: > > Kevin Darbyshire-Bryant <ke...@darbyshire-bryant.me.uk> writes: > >> Before I go too far down this road (and to avoid the horror of >> actually trying to code it) here’s what I’m trying to achieve. >> >> >> act_connmark + dscp is designed to copy a DSCP code to/from conntrack mark. >> It uses 8 bits of the mark field, currently the most significant byte. >> >> Bits 31-26: DSCP >> Bit 25: Spare/Future >> Bit 24: Valid DSCP set >> >> The valid bit is set when the ‘getdscp’ function has written a DSCP >> value into the conntrack (& hence skb) mark. This allows us & other >> skb->mark/ct->mark applications (eg iptables, cake qdisc) to know that >> a DSCP value has been placed in the field. We cannot simply use a >> non-zero DSCP because zero is a valid DSCP. > > If someone installs the action, the field is supposedly always copied; > so why do we need another flag?
I’m trying to limit the number of times expensive iptables mangle rules have to
run.
Egress path:
Packet comes in (internal to device or forward)
iptables mangle - check fwmark ’set’ bit
if not set
jump to a possibly extensive set of rules that mangle the DSCP
else
do nothing
Packet arrives at act_connmark dscpset
looks at fwmark ’set’ bit
if not set
copy DSCP to fwmark & set the ’set’ bit.
else
do nothing
cake gets hold of it - selects a tin based on fwmark contained DSCP
Do the routine again for the next packet in the same connection and you’ll skip
the iptables mangle rules but still have cake classify based on the fwmark
stored DSCP. Without that flag you’ll have to run the iptables mangle rules
for every packet and update the fwmark too.
I personally think that cake should also have the fwmark/DSCP decode routine on
ingress. e.g.
Ingress
Packet arrives
act_connmark restores the fwmark
if fwmark/dscp set then optionally restores diffserv from fwmark
Cake looks for fwmark/dscp set bit
if true
use fwmark DSCP for tin select
else
use diffserv field as before
Cake possibly washes
Without the ’set’ bit, act_connmark has to restore the diffserv field on every
(ip) packet and cake possibly has to wash it out again.
The reality is that I enjoyed doing this in the cake codebase. I cannot say
the same for act_connmark in fact I hate it so much I’m stopping. The mental
effort for a non-programmer and more importantly a non-kernel programmer is
exhausting & I’m completely disillusioned. I really need to concentrate on the
job that means I can pay the mortgage, which isn’t bashing my head against the
kernel.
Anyway 4 files - 2 are patches against current cake & tc and a ‘my_layer_cake’
qos script that’s ‘fwmark/cake’ aware. 4th file is the start of a hack on
act_connmark. Do with them as you will, I never want to see the last one again.
0001-Automagically-use-update-DSCP-contained-in-fwmark.patch
Description: 0001-Automagically-use-update-DSCP-contained-in-fwmark.patch
0001-tc-cake-add-fwmark-getdscp-setdscp-options.patch
Description: 0001-tc-cake-add-fwmark-getdscp-setdscp-options.patch
my_layer_cake.qos
Description: my_layer_cake.qos
0001-start-of-act_connmark-hack.patch
Description: 0001-start-of-act_connmark-hack.patch
_______________________________________________ Cake mailing list Cake@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cake
