From: John Sager
To: cake@lists.bufferbloat.net
Date: Fri, 21 May 2021 16:51:04 +0100
Subject: Re: [Cake] CAKE host isolation modes with NAT - two routers
Message-ID: <2BB2622F-69F0-4ED3-9A85-3FF96D618F21@sager.me.uk>
In-Reply-To: <91d484ec338c58f622c25285bf4ff8658fde4a03.camel@lochnair.net>
I did something similar some years ago in an attempt to divine video servers (e.g. YouTube) from their TLS certificates in HTTPS connections to mark the connection appropriately. The nfqueue stuff worked beautifully, the cert stuff less so, so I abandoned it. With the latest TLS version the cert stuff is no longer visible anyway.

There is a Python binding to libnetfilter_queue which might make it easier to play quickly.

regards,
John

On 20 May 2021 17:07:43 BST, Nils Andreas Svee <me@lochnair.net> wrote:
>Hi folks
>
>Currently my setup looks something like this: LAN <-> EdgeRouter <->
>WireGuard <-> VPS <-> Internet.
>
>CAKE for upstream is running on the EdgeRouter and downstream on the
>VPS.
>
>The public IPs are all on the VPS per today, so that the host isolation
>can do its job with NAT enabled.
>
>Ideally I'd like to route the public IPs to each endpoint and handle
>NAT-ing there, but then I'd obviously lose the ability to do proper
>host isolation.
>
>Now, I've been toying with the idea of using a userspace application
>to extract conntrack information, to let the VPS know which host hash
>it should use.
>
>I might be way off here, but I'm thinking of using NFQUEUE to mark new
>flows based on information from the EdgeRouter, and let tc filters set
>the host hash based on that mark. For performance purposes only send
>unmarked flows to NFQUEUE.
>
>I realise this is kinda overkill, but it might be a fun weekend
>project.
>
>--
>Best Regards,
>Nils

--
Sent from the Aether.
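As an added example (not code from the thread or from either poster), here is the VPS-side piece of the scheme Nils sketches, in Python since John points at the libnetfilter_queue binding: a pure marking function that maps a new flow's NAT'd port to a per-LAN-host fwmark using a constructed stand-in for the EdgeRouter's conntrack export, plus the queue callback that would hand that mark back through NFQUEUE so only the first packet of a flow is ever queued. The export table, the mark numbering, the packet bytes and the netfilterqueue Packet methods are all assumptions.

```python
import struct
import ipaddress

# Constructed stand-in for the conntrack data the EdgeRouter would export
# (assumption: keyed by the post-NAT source port, which is what the VPS sees).
NAT_EXPORT = {40001: "192.168.240.10", 40002: "192.168.240.11"}

# Per-LAN-host fwmarks for a tc filter to key on (assumed numbering, 0 = unmarked).
HOST_MARKS = {"192.168.240.10": 0x10, "192.168.240.11": 0x11}
UNKNOWN_HOST_MARK = 0xFF  # still non-zero, so a stale/unknown flow is not re-queued

def parse_ipv4(pkt):
    """Return (proto, src, dst, sport, dport); ports are None for non-TCP/UDP."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    if proto not in (6, 17):
        return proto, src, dst, None, None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return proto, src, dst, sport, dport

def mark_for_packet(pkt, direction):
    """Pick the fwmark for a new flow. direction is 'from_lan' (upstream: the
    NAT'd port is the source) or 'to_lan' (downstream: it is the destination)."""
    _proto, _src, _dst, sport, dport = parse_ipv4(pkt)
    port = sport if direction == "from_lan" else dport
    host = NAT_EXPORT.get(port)
    return HOST_MARKS.get(host, UNKNOWN_HOST_MARK)

def build_packet(src, dst, sport, dport, proto=6):
    """Constructed test input: minimal IPv4 header + L4 ports, checksum left 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + struct.pack("!HH", sport, dport)

def nfqueue_callback(nfq_pkt):
    """Callback for the python netfilterqueue binding John mentions (assumed
    installed; its Packet API is assumed to offer get_payload/set_mark/accept).
    Only packets whose mark is still 0 should reach the queue, e.g. with
    mangle rules like (assumed wiring, not from the thread):
      iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
      iptables -t mangle -A PREROUTING -m mark --mark 0 -j NFQUEUE --queue-num 1
      iptables -t mangle -A PREROUTING -j CONNMARK --save-mark"""
    nfq_pkt.set_mark(mark_for_packet(nfq_pkt.get_payload(), "to_lan"))
    nfq_pkt.accept()  # resumes at the next rule, which saves the mark to conntrack
```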