On Sun, Apr 01, 2018 at 11:29:55AM +0100, Stuart Henderson wrote:
> On 2018/03/31 16:10, Job Snijders wrote:
> > TL;DR: I propose to update the defaults to use DSCP "AF21" (Low
> > Latency Data) for interactive session traffic, and CS1 ("Lower
> > Effort") for non-interactive traffic. This applies to both IPv4 and
> > IPv6.
>
> I think this is the right thing to do, but needs handling in
> conjunction with changes to PF, which has dual queue-setting
> (IPTOS_LOWDELAY packets go in one queue along with empty TCP ACKs,
> other packets can go in another lower priority queue).
>
> Since firewalls are often updated less often than hosts I think it
> would be better if the PF side was done first with some time to give
> people chance to update, though it doesn't need to be too long (they
> can set qos in sshd_config if they want to retain the old setting).
>
> A few other pieces use IPTOS_LOWDELAY (pfsync, carp, vxlan, etherip)
> which I think would want switching too.
What we're looking at is some kind of "migrate TOS to DSCP" project.
There is a few tens of files where TOS values need to be examined and an
appropiate DSCP value choosen. I'm not sure I'd go as far as blindly
replacing IPTOS_LOWDELAY with IPTOS_DSCP_AF21, but perhaps as a
transition that is what is needed in some places.
We can start by treating IPTOS_LOWDELAY and IPTOS_DSCP_AF21 similarly in
pf (see untested patch below), and then accept patches that migrate from
TOS to DSCP?
As far as I understand, out-of-the-box pf doesn't do anything with TOS
values, so users wlil have to have explicitly configured something on
the firewall or clients anyhow?
Kind regards,
Job
share/man/man5/pf.conf.5 | 12 +++++++++---
sys/net/pf.c | 8 +++++---
2 files changed, 14 insertions(+), 6 deletions(-)
diff --git share/man/man5/pf.conf.5 share/man/man5/pf.conf.5
index 13e23423daa..f5a65e1b0d4 100644
--- share/man/man5/pf.conf.5
+++ share/man/man5/pf.conf.5
@@ -679,7 +679,9 @@ interface, the queueing priority will also be written as
the priority
code point in the 802.1Q VLAN header.
If two priorities are given, TCP ACKs with no data payload and packets
which have a TOS of
-.Cm lowdelay
+.Cm lowdelay ,
+or DSCP value
+.Cm af21 ,
will be assigned to the second one.
Packets with a higher priority number are processed first,
and packets with the same priority are processed
@@ -702,7 +704,9 @@ section.
Packets matching this rule will be assigned to the specified
.Ar queue .
If two queues are given, packets which have a TOS of
-.Cm lowdelay
+.Cm lowdelay ,
+or DSCP value
+.Cm af21 ,
and TCP ACKs with no data payload will be assigned to the second one.
See
.Sx QUEUEING
@@ -1608,7 +1612,9 @@ Normally only one
.Ar queue
is specified; when a second one is specified it will instead be used for
packets which have a TOS of
-.Cm lowdelay
+.Cm lowdelay ,
+or DSCP value
+.Cm af21 ,
and for TCP ACKs with no data payload.
.Pp
To continue the previous example, the examples below would specify the
diff --git sys/net/pf.c sys/net/pf.c
index d841f834af1..aac20603a01 100644
--- sys/net/pf.c
+++ sys/net/pf.c
@@ -2804,7 +2804,7 @@ pf_build_tcp(const struct pf_rule *r, sa_family_t af,
h->ip_len = htons(tlen);
h->ip_v = 4;
h->ip_hl = sizeof(*h) >> 2;
- h->ip_tos = IPTOS_LOWDELAY;
+ h->ip_tos = IPTOS_DSCP_AF21;
h->ip_len = htons(len);
h->ip_off = htons(ip_mtudisc ? IP_DF : 0);
h->ip_ttl = ttl ? ttl : ip_defttl;
@@ -7020,7 +7020,8 @@ done:
pf_scrub(pd.m, s->state_flags, pd.af, s->min_ttl,
s->set_tos);
pf_tag_packet(pd.m, s->tag, s->rtableid[pd.didx]);
- if (pqid || (pd.tos & IPTOS_LOWDELAY)) {
+ if (pqid || (pd.tos & IPTOS_LOWDELAY)
+ || (pd.tos & IPTOS_DSCP_AF21)) {
qid = s->pqid;
if (s->state_flags & PFSTATE_SETPRIO)
pd.m->m_pkthdr.pf.prio = s->set_prio[1];
@@ -7032,7 +7033,8 @@ done:
} else {
pf_scrub(pd.m, r->scrub_flags, pd.af, r->min_ttl,
r->set_tos);
- if (pqid || (pd.tos & IPTOS_LOWDELAY)) {
+ if (pqid || (pd.tos & IPTOS_LOWDELAY)
+ || (pd.tos & IPTOS_DSCP_AF21)) {
qid = r->pqid;
if (r->scrub_flags & PFSTATE_SETPRIO)
pd.m->m_pkthdr.pf.prio = r->set_prio[1];
