Re: [Cake] conntrack lookup continuation

2017-02-03 Thread John Sager 
No problem. The distro I use for my firewall (LEAF-bering) doesn't support
cake yet, though I could build the module & cake-aware tc with its
toolchain, so I'll continue with HTB+fq_codel & keep an eye on this list.

John

On 03/02/17 19:30, Jonathan Morton wrote:
> 
>> On 3 Feb, 2017, at 21:01, John Sager  wrote:
>>
>> As cake uses diffserv to classify, it would be good to carry dscp in the
>> conntrack & transfer it to incoming packets with an 'action' on the ingress
>> filter, but carrying dscp specifically in the conntrack record would be
>> quite a significant change to other parts of linux. Hence the use of fwmark
>> and the conntrack mark field, which already exist.
> 
> Yes, this is what I thought you meant.
> 
> As fwmark just sets “a number” on the conntrack record, there’s no reason in 
> principle not to have that number be a DSCP (or some reasonably transformed 
> representation of one).  The trick is then for cake to extract that number 
> from the conntrack record (having looked it up), and if it looks valid, to 
> use it as the packet’s DSCP instead of the one on the packet itself.
> 
> In principle, that should not be difficult.  For the moment however, I’ve got 
> my hands full with writing a report on performance tests I’ve been running, 
> and then getting reacquainted with some code changes that happened while I 
> was looking elsewhere.
> 
>  - Jonathan Morton
> 
___
Cake mailing list
Cake@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/cake

Re: [Cake] conntrack lookup continuation

2017-02-03 Thread Jonathan Morton 

> On 3 Feb, 2017, at 21:01, John Sager  wrote:
> 
> As cake uses diffserv to classify, it would be good to carry dscp in the
> conntrack & transfer it to incoming packets with an 'action' on the ingress
> filter, but carrying dscp specifically in the conntrack record would be
> quite a significant change to other parts of linux. Hence the use of fwmark
> and the conntrack mark field, which already exist.

Yes, this is what I thought you meant.

As fwmark just sets “a number” on the conntrack record, there’s no reason in 
principle not to have that number be a DSCP (or some reasonably transformed 
representation of one).  The trick is then for cake to extract that number from 
the conntrack record (having looked it up), and if it looks valid, to use it as 
the packet’s DSCP instead of the one on the packet itself.

In principle, that should not be difficult.  For the moment however, I’ve got 
my hands full with writing a report on performance tests I’ve been running, and 
then getting reacquainted with some code changes that happened while I was 
looking elsewhere.

 - Jonathan Morton

___
Cake mailing list
Cake@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/cake

Re: [Cake] conntrack lookup continuation

2017-02-03 Thread John Sager 


On 03/02/17 17:08, Dave Taht wrote:
> On Fri, Feb 3, 2017 at 8:42 AM, John Sager  wrote:
>> I would support this. It would allow cake to behave pretty much as I have
>> HTB+fq_codel currently set up for both egress and ingress (via ifb0) on my
>> border router/firewall. I fwmark egress traffic based on various criteria
>> using ip[6]tables & transfer the marks to conntrack where they are recovered
>> on ingress to classify inbound responses to outbound requests.
> 
> I'm not huge on using fwmarks. Is this because you cannot re-mark
> w/dscp consistently via conntrack?
> 

I've got 6 categories of traffic, which map onto 6 fwmarks which are used by
the HTB filters. I could easily use iptables to map those onto dscp marks
for cake to use on egress, but I still need the fwmarks (transferred to
conntrack) to classify ingress traffic, as it's unlikely that I would see
useful dscp marks from my ISP.

>>
>> It would also classify inbound traffic better if cake could use fwmarks in
>> that way as diffserv is currently pretty much useless for that purpose with
>> most ISPs.
> 
> My understanding of this is that cake runs before iptables does on
> inbound. (?) so fw marks won't help here. But it's probable I'm wrong.

That's partly true. All the QoS stuff on the ingress side - both ppp0 (in my
case) and ifb0 - happens before it ever hits a netfilter hook. However my
ingress filter uses 'action connmark' to copy the conntrack mark to the
packet fwmark before redirecting to ifb0 so that the HTB filters can operate
on that.

As cake uses diffserv to classify, it would be good to carry dscp in the
conntrack & transfer it to incoming packets with an 'action' on the ingress
filter, but carrying dscp specifically in the conntrack record would be
quite a significant change to other parts of linux. Hence the use of fwmark
and the conntrack mark field, which already exist.

John
___
Cake mailing list
Cake@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/cake

Re: [Cake] conntrack lookup continuation

2017-02-03 Thread Dave Taht 
On Fri, Feb 3, 2017 at 8:42 AM, John Sager  wrote:
> I would support this. It would allow cake to behave pretty much as I have
> HTB+fq_codel currently set up for both egress and ingress (via ifb0) on my
> border router/firewall. I fwmark egress traffic based on various criteria
> using ip[6]tables & transfer the marks to conntrack where they are recovered
> on ingress to classify inbound responses to outbound requests.

I'm not huge on using fwmarks. Is this because you cannot re-mark
w/dscp consistently via conntrack?

>
> It would also classify inbound traffic better if cake could use fwmarks in
> that way as diffserv is currently pretty much useless for that purpose with
> most ISPs.

My understanding of this is that cake runs before iptables does on
inbound. (?) so fw marks won't help here. But it's probable I'm wrong.

> John
>
> On 31/01/17 21:14, chromatix99 at gmail.com (Jonathan Morton) wrote:
>>> On 31 Jan, 2017, at 16:49, Felix Resch  wrote:
>>>
>>> Since we now already do the conntrack-lookup for the nat keyword, would it 
>>> be
>>> expensive to implement a kind of internal conntrack-mark-and-restore by 
>>> cake-tin?
>>>
>>> E.g. when traffic leaves throu canke tin#x, the conntrack entry will get a 
>>> fwmark and return traffic is put in the corresponding tin/bin on the 
>>> ingress cake.
>>
>> That's an interesting idea.  At this point I don't know how easy it is to 
>> implement, though.
>>
>> Certainly we need to clean up some other things first.
>>
>>  - Jonathan Morton
>>
>>
> ___
> Cake mailing list
> Cake@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cake



-- 
Dave Täht
Let's go make home routers and wifi faster! With better software!
http://blog.cerowrt.org
___
Cake mailing list
Cake@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/cake

Re: [Cake] conntrack lookup continuation

2017-01-31 Thread Jonathan Morton 

> On 31 Jan, 2017, at 16:49, Felix Resch  wrote:
> 
> Since we now already do the conntrack-lookup for the nat keyword, would it be 
> expensive to implement a kind of internal conntrack-mark-and-restore by 
> cake-tin?
> 
> E.g. when traffic leaves throu canke tin#x, the conntrack entry will get a 
> fwmark and return traffic is put in the corresponding tin/bin on the ingress 
> cake.

That’s an interesting idea.  At this point I don’t know how easy it is to 
implement, though.

Certainly we need to clean up some other things first.

 - Jonathan Morton

___
Cake mailing list
Cake@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/cake