From: John Sager <john@sager.me.uk>
To: cake@lists.bufferbloat.net
Subject: Re: [Cake] CAKE host isolation modes with NAT - two routers
Date: Fri, 21 May 2021 16:51:04 +0100
Message-ID: <2BB2622F-69F0-4ED3-9A85-3FF96D618F21@sager.me.uk>
In-Reply-To: <91d484ec338c58f622c25285bf4ff8658fde4a03.camel@lochnair.net>
I did something similar some years ago in an attempt to divine video servers (e.g. YouTube) from their TLS certificates in HTTPS connections to mark the connection appropriately. The nfqueue stuff worked beautifully, the cert stuff less so, so I abandoned it. With the latest TLS version the cert stuff is no longer visible anyway.
There is a Python binding to libnetfilter_queue which might make it easier to play quickly.
regards,
John
On 20 May 2021 17:07:43 BST, Nils Andreas Svee <me@lochnair.net> wrote:
>Hi folks
>
>Currently my setup looks something like this: LAN <-> EdgeRouter <->
>WireGuard <-> VPS <-> Internet.
>
>CAKE for upstream is running on the EdgeRouter and downstream on the
>VPS.
>
>The public IPs are all on the VPS per today, so that the host isolation
>can do its job with NAT enabled.
>
>Ideally I'd like to route the public IPs to each endpoint and handle
>NAT-ing there, but then I'd obviously lose the ability to do proper
>host isolation.
>
>Now, I've been toying with the idea of using a userspace application
>to extract conntrack information, to let the VPS know which host hash
>it should use.
>
>I might be way off here, but I'm thinking of using NFQUEUE to mark new
>flows based on information from the EdgeRouter, and let tc filters set
>the host hash based on that mark. For performance purposes only send
>unmarked flows to NFQUEUE.
>
>I realise this is kinda overkill, but it might be a fun weekend
>project.
>
>--
>Best Regards,
>Nils
>
>_______________________________________________
>Cake mailing list
>Cake@lists.bufferbloat.net
>https://lists.bufferbloat.net/listinfo/cake
--
Sent from the Aether.
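The scheme Nils sketches (EdgeRouter exports its conntrack table, a userspace handler on the VPS stamps new flows with a per-host fwmark, tc filters turn the mark into a CAKE host override) has a pure-userspace core that can be tried offline: parse the exported conntrack entries, invert the SNAT so a post-NAT 5-tuple maps back to the LAN host, and derive a mark from it. The following is an added example written for this page, not code from either poster or from the cake project. It assumes the EdgeRouter's public address is 203.0.113.5, that fwmark bit 0x10000 is free, that the conntrack listing reaches the VPS by some transport not shown here, and that the python-netfilterqueue binding John mentions exposes `bind`/`run` on the queue and `get_payload`/`set_mark`/`accept` on the packet (the glue in `main()` is not exercised here). The sample conntrack lines and test packets are constructed.

```python
"""Added example (not from the thread): invert the EdgeRouter's SNAT on the VPS
so an NFQUEUE handler can stamp each flow with a fwmark identifying the LAN host.
Assumptions: public IP 203.0.113.5, free fwmark bit 0x10000, conntrack listing
exported from the EdgeRouter by a transport not shown here."""
import re
import struct
from ipaddress import ip_address
from typing import Dict, List, NamedTuple, Optional, Tuple

PUBLIC_IPS = {"203.0.113.5"}   # assumed: the EdgeRouter's SNAT address
MARK_BASE = 0x10000            # assumed free fwmark bit; low 10 bits carry the host index

# Constructed sample of `conntrack -L` output as exported from the EdgeRouter.
# Under SNAT the second (reply) tuple's dst/dport are the public IP and port the
# VPS actually sees; the first (original) tuple still names the LAN host.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51234 dport=443 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 120 TIME_WAIT src=192.168.1.20 dst=198.51.100.8 sport=40001 dport=80 src=198.51.100.8 dst=203.0.113.5 sport=80 dport=40001 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.10 dst=192.0.2.53 sport=53012 dport=53 src=192.0.2.53 dst=203.0.113.5 sport=53 dport=53012 [ASSURED] mark=0 use=1
icmp     1 29 src=192.168.1.30 dst=198.51.100.9 type=8 code=0 id=1234 src=198.51.100.9 dst=203.0.113.5 type=0 code=0 id=1234 mark=0 use=1
"""


class Flow(NamedTuple):
    proto: str
    lan_host: str      # original src: the host behind the NAT
    remote_ip: str
    remote_port: int
    public_ip: str     # reply dst: what the VPS sees as the LAN side
    nat_port: int      # reply dport: the SNATed source port


_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
FlowKey = Tuple[str, str, int, str, int]  # proto, public_ip, nat_port, remote_ip, remote_port


def parse_conntrack(text: str) -> List[Flow]:
    """Parse TCP/UDP entries; ICMP and malformed lines carry no ports and are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        tuples = _TUPLE_RE.findall(line)
        if not fields or fields[0] not in ("tcp", "udp") or len(tuples) != 2:
            continue
        (lan, rem, _lan_sport, rem_port), (_rem, pub, _rem_port, nat_port) = tuples
        flows.append(Flow(fields[0], lan, rem, int(rem_port), pub, int(nat_port)))
    return flows


def build_nat_map(flows: List[Flow]) -> Dict[FlowKey, str]:
    """Index flows by the 5-tuple the VPS sees, normalised to (public side, remote side)."""
    return {(f.proto, f.public_ip, f.nat_port, f.remote_ip, f.remote_port): f.lan_host
            for f in flows}


def host_index(lan_host: str) -> int:
    """Stateless 1..1024 index per LAN host: low 10 bits of the address, plus one.
    Collision-free for a LAN of at most a /22; larger LANs share buckets, which is
    no worse than a set-associative hash. Index 0 is kept free for "no override"."""
    return int(ip_address(lan_host)) % 1024 + 1


def parse_ipv4(raw: bytes) -> Optional[Tuple[str, str, int, str, int]]:
    """(proto, src, sport, dst, dport) for a TCP/UDP IPv4 first fragment, else None.
    Wire data from NFQUEUE is untrusted, so every offset is bounds-checked."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    frag_off = struct.unpack("!H", raw[6:8])[0] & 0x1FFF
    proto = {6: "tcp", 17: "udp"}.get(raw[9])
    if proto is None or ihl < 20 or frag_off or len(raw) < ihl + 4:
        return None
    src, dst = str(ip_address(raw[12:16])), str(ip_address(raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return proto, src, sport, dst, dport


def mark_for_packet(nat_map: Dict[FlowKey, str], raw: bytes, public_ips=PUBLIC_IPS) -> int:
    """fwmark for a packet in either direction, or 0 when the flow is unknown."""
    pkt = parse_ipv4(raw)
    if pkt is None:
        return 0
    proto, src, sport, dst, dport = pkt
    if dst in public_ips:      # downstream: internet -> public IP (what CAKE on the VPS shapes)
        key = (proto, dst, dport, src, sport)
    elif src in public_ips:    # upstream: public IP -> internet
        key = (proto, src, sport, dst, dport)
    else:
        return 0
    lan_host = nat_map.get(key)
    return MARK_BASE | host_index(lan_host) if lan_host else 0


def build_ipv4_packet(proto_num: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed test packet: minimal IPv4 header plus the first 4 bytes of L4."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0x4000, 64, proto_num, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + struct.pack("!HH", sport, dport)


def main() -> None:
    """NFQUEUE glue via python-netfilterqueue (assumed API: bind/run, get_payload/
    set_mark/accept). Queue only unmarked flows, e.g. (eth0 and queue 1 assumed):
      iptables -t mangle -A PREROUTING -i eth0 -m mark --mark 0/0x10000 \\
               -j NFQUEUE --queue-num 1 --queue-bypass
    Persisting the mark on the connection (CONNMARK) is left to the firewall."""
    from netfilterqueue import NetfilterQueue
    nat_map = build_nat_map(parse_conntrack(SAMPLE_CONNTRACK))  # swap in the live export

    def handle(pkt):
        mark = mark_for_packet(nat_map, pkt.get_payload())
        if mark:
            pkt.set_mark(mark)
        pkt.accept()   # never drop: this daemon only classifies

    nfq = NetfilterQueue()
    nfq.bind(1, handle)
    nfq.run()


if __name__ == "__main__":
    main()
```

Two caveats a practitioner would want before building on this. First, timing: the reply to a brand-new LAN-initiated flow can reach the VPS before the EdgeRouter's export does unless the export is event-driven (conntrack's event stream rather than a periodic listing), and until the entry arrives the packet stays unmarked and falls back to CAKE's normal hash, which is the same behaviour `--queue-bypass` gives you if the daemon dies. Second, the tc side is assumed here rather than shown: the mark has to be turned into a classid whose major number carries the host index, one `fw` filter per mark value, on the assumption that sch_cake's classifier hook honours a returned classid major number as a host override; verify that against the sch_cake.c in your kernel before relying on it.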
Thread overview: 3+ messages
2021-05-20 16:07 Nils Andreas Svee
2021-05-21 15:51 ` John Sager [this message]
2021-05-21 23:10 ` Nils Andreas Svee