Re: [Cake] conntrack lookup continuation
On 02/04/2017 02:01 AM, John Sager wrote: I've got 6 categories of traffic, which map onto 6 fwmarks which are used by the HTB filters. I could easily use iptables to map those onto dscp marks for cake to use on egress, but I still need the fwmarks (transferred to conntrack) to classify ingress traffic, as it's unlikely that I would see useful dscp marks from my ISP. Maybe you try IMQ? http://www.linuximq.net/ ___ Cake mailing list Cake@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cake
Re: [Cake] conntrack lookup continuation
No problem. The distro I use for my firewall (LEAF-bering) doesn't support cake yet, though I could build the module & cake-aware tc with its toolchain, so I'll continue with HTB+fq_codel & keep an eye on this list. John On 03/02/17 19:30, Jonathan Morton wrote: > >> On 3 Feb, 2017, at 21:01, John Sager wrote: >> >> As cake uses diffserv to classify, it would be good to carry dscp in the >> conntrack & transfer it to incoming packets with an 'action' on the ingress >> filter, but carrying dscp specifically in the conntrack record would be >> quite a significant change to other parts of linux. Hence the use of fwmark >> and the conntrack mark field, which already exist. > > Yes, this is what I thought you meant. > > As fwmark just sets “a number” on the conntrack record, there’s no reason in > principle not to have that number be a DSCP (or some reasonably transformed > representation of one). The trick is then for cake to extract that number > from the conntrack record (having looked it up), and if it looks valid, to > use it as the packet’s DSCP instead of the one on the packet itself. > > In principle, that should not be difficult. For the moment however, I’ve got > my hands full with writing a report on performance tests I’ve been running, > and then getting reacquainted with some code changes that happened while I > was looking elsewhere. > > - Jonathan Morton > ___ Cake mailing list Cake@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cake
Re: [Cake] conntrack lookup continuation
> On 3 Feb, 2017, at 21:01, John Sager wrote: > > As cake uses diffserv to classify, it would be good to carry dscp in the > conntrack & transfer it to incoming packets with an 'action' on the ingress > filter, but carrying dscp specifically in the conntrack record would be > quite a significant change to other parts of linux. Hence the use of fwmark > and the conntrack mark field, which already exist. Yes, this is what I thought you meant. As fwmark just sets “a number” on the conntrack record, there’s no reason in principle not to have that number be a DSCP (or some reasonably transformed representation of one). The trick is then for cake to extract that number from the conntrack record (having looked it up), and if it looks valid, to use it as the packet’s DSCP instead of the one on the packet itself. In principle, that should not be difficult. For the moment however, I’ve got my hands full with writing a report on performance tests I’ve been running, and then getting reacquainted with some code changes that happened while I was looking elsewhere. - Jonathan Morton ___ Cake mailing list Cake@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cake
Re: [Cake] conntrack lookup continuation
On 03/02/17 17:08, Dave Taht wrote: > On Fri, Feb 3, 2017 at 8:42 AM, John Sager wrote: >> I would support this. It would allow cake to behave pretty much as I have >> HTB+fq_codel currently set up for both egress and ingress (via ifb0) on my >> border router/firewall. I fwmark egress traffic based on various criteria >> using ip[6]tables & transfer the marks to conntrack where they are recovered >> on ingress to classify inbound responses to outbound requests. > > I'm not huge on using fwmarks. Is this because you cannot re-mark > w/dscp consistently via conntrack? > I've got 6 categories of traffic, which map onto 6 fwmarks which are used by the HTB filters. I could easily use iptables to map those onto dscp marks for cake to use on egress, but I still need the fwmarks (transferred to conntrack) to classify ingress traffic, as it's unlikely that I would see useful dscp marks from my ISP. >> >> It would also classify inbound traffic better if cake could use fwmarks in >> that way as diffserv is currently pretty much useless for that purpose with >> most ISPs. > > My understanding of this is that cake runs before iptables does on > inbound. (?) so fw marks won't help here. But it's probable I'm wrong. That's partly true. All the QoS stuff on the ingress side - both ppp0 (in my case) and ifb0 - happens before it ever hits a netfilter hook. However my ingress filter uses 'action connmark' to copy the conntrack mark to the packet fwmark before redirecting to ifb0 so that the HTB filters can operate on that. As cake uses diffserv to classify, it would be good to carry dscp in the conntrack & transfer it to incoming packets with an 'action' on the ingress filter, but carrying dscp specifically in the conntrack record would be quite a significant change to other parts of linux. Hence the use of fwmark and the conntrack mark field, which already exist. John ___ Cake mailing list Cake@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cake
Re: [Cake] conntrack lookup continuation
On Fri, Feb 3, 2017 at 8:42 AM, John Sager wrote: > I would support this. It would allow cake to behave pretty much as I have > HTB+fq_codel currently set up for both egress and ingress (via ifb0) on my > border router/firewall. I fwmark egress traffic based on various criteria > using ip[6]tables & transfer the marks to conntrack where they are recovered > on ingress to classify inbound responses to outbound requests. I'm not huge on using fwmarks. Is this because you cannot re-mark w/dscp consistently via conntrack? > > It would also classify inbound traffic better if cake could use fwmarks in > that way as diffserv is currently pretty much useless for that purpose with > most ISPs. My understanding of this is that cake runs before iptables does on inbound. (?) so fw marks won't help here. But it's probable I'm wrong. > John > > On 31/01/17 21:14, chromatix99 at gmail.com (Jonathan Morton) wrote: >>> On 31 Jan, 2017, at 16:49, Felix Resch wrote: >>> >>> Since we now already do the conntrack-lookup for the nat keyword, would it >>> be >>> expensive to implement a kind of internal conntrack-mark-and-restore by >>> cake-tin? >>> >>> E.g. when traffic leaves throu canke tin#x, the conntrack entry will get a >>> fwmark and return traffic is put in the corresponding tin/bin on the >>> ingress cake. >> >> That's an interesting idea. At this point I don't know how easy it is to >> implement, though. >> >> Certainly we need to clean up some other things first. >> >> - Jonathan Morton >> >> > ___ > Cake mailing list > Cake@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/cake -- Dave Täht Let's go make home routers and wifi faster! With better software! http://blog.cerowrt.org ___ Cake mailing list Cake@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cake
Re: [Cake] conntrack lookup continuation
I would support this. It would allow cake to behave pretty much as I have HTB+fq_codel currently set up for both egress and ingress (via ifb0) on my border router/firewall. I fwmark egress traffic based on various criteria using ip[6]tables & transfer the marks to conntrack where they are recovered on ingress to classify inbound responses to outbound requests. It would also classify inbound traffic better if cake could use fwmarks in that way as diffserv is currently pretty much useless for that purpose with most ISPs. John On 31/01/17 21:14, chromatix99 at gmail.com (Jonathan Morton) wrote: >> On 31 Jan, 2017, at 16:49, Felix Resch wrote: >> >> Since we now already do the conntrack-lookup for the nat keyword, would it >> be >> expensive to implement a kind of internal conntrack-mark-and-restore by >> cake-tin? >> >> E.g. when traffic leaves throu canke tin#x, the conntrack entry will get a >> fwmark and return traffic is put in the corresponding tin/bin on the ingress >> cake. > > That's an interesting idea. At this point I don't know how easy it is to > implement, though. > > Certainly we need to clean up some other things first. > > - Jonathan Morton > > ___ Cake mailing list Cake@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cake
