From: moeller0
To: ching lu
Cc: cake@lists.bufferbloat.net, Jonathan Morton
Date: Wed, 12 Oct 2016 14:04:24 +0200
Subject: Re: [Cake] diffserv based on firewall mark
Message-Id: <42DC9EF5-80A0-439E-9507-085A0F566B22@gmx.de>
References: <4D2419FB-6649-4250-9D42-E6EDECFFCCDE@gmail.com> <95CB6153-524D-499A-8E85-231C5098A4DB@gmx.de>
List-Id: Cake - FQ_codel the next generation

Hi Ching?

> On Oct 12, 2016, at 12:17 , ching lu wrote:
>
>
> On Oct 12, 2016, at 6:05 PM, "moeller0" wrote:
> >
> > Hi Ching,
> >
> > > On Oct 12, 2016, at 11:35 , ching lu wrote:
> > >
> > > How to achieve "cake follows iptables"? is it “wan ingress -> iptables
> >
> >         Yes.
> >
> > > -> wifi egress/LAN egress -> ifb egress -> cake”?
> >
> >         Except that if you instantiate cake on the interface connecting to the router's LAN/WLAN side (let's call this LAN for short), cake will reside on that interface's egress and hence you require no ifb for traffic coming in from the internet (as a plus cake will even without the fancy new deNAT options see the full internal IP addresses, useful for dual and triple isolation options). In the direction facing the internet you can instantiate cake on an ifb interface for LAN and then put the iptables DSCP cleaner on the WAN egress side (and the WAN ingress side, unless you trust your ISP to deliver reasonable DSCP values, which should be like never*)
>
> The bandwidth shaper won’t work correctly if cake(s) are registered on multiple LAN interfaces, ifb is necessary
>
> e.g. if ingress bandwidth limit is 100M, then setting 50M on wifi, and 50M on LAN ?

        Yes that seems true, if you instantiate cake on br-lan (which I believe would be the relevant interface) you will shape both wireless and wired traffic, but most likely also internal traffic… But that can be solved by one more router/AP ;)

>
> I think the diffserv support of cake model is not suitable for home network currently.

        I have no real opinion on that, but could you explicitly state what shortcoming you see that is a showstopper? DSCP cleaning on ingress is BTW not really required to happen before cake, as long as cake is set to besteffort it will ignore DSCP markings anyway, and if you want to re-map/re-classify packets via DSCP on ingress you are pretty much out of scope for a typical home network. Cleaning up on egress, as to not leak internal configuration to the upstream seems indeed sub-optimal, but cake is not alone in that regard…

> The setup is much more complex

        Well, DSCP setup is complex no matter how you slice and dice it… but maybe you have an idea what a shaper (like cake) could/should do to make this simpler?

Best Regards
        Sebastian

>
> >
> > Best Regards
> >         Sebastian
> >
> > *) DSCP are only ever guaranteed to be meaningful inside a dscp domain, and in reality your home net is a different domain from the ISP’s. It would have been nice if the DSCP field would have been separated into 2 3bit fields, the first for the actual sender to request one of 8 differential classes and the other 3bits for the current domain to store its actually used DSCP bits. I claim the 3 bits should be enough for anybody ;)
> >
> > >
> > > On Wed, Oct 12, 2016 at 5:10 PM, moeller0 wrote:
> > >> Hi,
> > >>
> > >>
> > >>> On Oct 12, 2016, at 10:11 , ching lu wrote:
> > >>>
> > >>> For egress, setting DSCP field should work.
> > >>>
> > >>> iptables -> wan egress -> cake
> > >>>
> > >>> But is it possible to set DSCP to 0x0 after cake's classification? I
> > >>> do not know how ISP handle non-zero DSCP, there seems to be no
> > >>> standard for this.
> > >>
> > >>         Interestingly cake, at some point in the past offered exactly that functionality, but it got removed due to added complexity with very little practical applicability (and a potential layering violation, but one could equally argue that the current layering is partly sub-optimal/wrong and hence violating it to better reflect reality might be acceptable). But current cake does not offer this. If you are willing to daisy-chain two routers, you could run cake on the respective egress interfaces connecting both routers, and do the DSCP cleaning on the outer router’s egress interface toward the internet…
> > >>
> > >>>
> > >>>
> > >>> For ingress, DSCP field may not be set by network peer at all, and I
> > >>> have multiple LAN interfaces
> > >>>
> > >>> AFAIK, the order is "wan ingress -> ifb egress -> cake -> iptables"
> > >>>
> > >>> The trick of setting DSCP by iptables does not work because cake comes first
> > >>
> > >>         Hence Jonathan’s recommendation to make sure that cake follows iptables, by setting it up on egress interfaces only…
> > >>
> > >> Best Regards
> > >>         Sebastian
> > >>
> > >>>
> > >>> On Wed, Oct 12, 2016 at 3:26 PM, Jonathan Morton wrote:
> > >>>>
> > >>>>> On 12 Oct, 2016, at 08:52, ching lu wrote:
> > >>>>>
> > >>>>> I deprioritize bittorrent traffic by marking related connections in
> > >>>>> iptables (e.g. detect by port number) and route them to corresponding
> > >>>>> HTB class and qdisc.
> > >>>>>
> > >>>>> How can I achieve the same goal using the cake qdisc?
> > >>>>
> > >>>> Modify your iptables rules to set the DSCP rather than a kernel-internal mark. You probably want "-j DSCP --set-dscp-class CS1", as CS1 is the “bulk low priority” code. Cake’s default Diffserv mode will pick that up appropriately.
> > >>>>
> > >>>> You also need to make sure Cake sees your packets *after* they’ve been through the firewall, which generally means attaching it to the egress port in each direction, not the ingress port. You’ve probably already done this, if you’re happy with your HTB setup.
> > >>>>
> > >>>> If you have multiple LAN interfaces (eg, both Ethernet and wifi), you should loop the inbound traffic through a common IFB device (and attach Cake to that instead of the physical interfaces) to simplify configuration.
> > >>>>
> > >>>> - Jonathan Morton
> > >>>>
> > >>> _______________________________________________
> > >>> Cake mailing list
> > >>> Cake@lists.bufferbloat.net
> > >>> https://lists.bufferbloat.net/listinfo/cake
> > >>
> > >
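
The ordering discussed in this thread (clean untrusted DSCP on WAN ingress, mark bulk flows as CS1 in the mangle table, then run cake on egress interfaces only so it sees packets after netfilter), written out as an added example that is not from any poster or from the cake project. The helper names `run` and `setup_cake_dscp`, the `APPLY` switch, the interface names, the rates and the port range 6881:6889 are assumptions.

```shell
#!/bin/sh
# Added example: netfilter mangle rules are evaluated before an interface's
# egress qdisc, so cake on egress classifies on the DSCP values set here.
# Interface names, rates and the port range are assumptions.

# Print each command by default; set APPLY=1 (as root) to execute it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# setup_cake_dscp WAN_IF LAN_IF UP_RATE DOWN_RATE [BULK_PORTS]
setup_cake_dscp() {
    wan=$1 lan=$2 up=$3 down=$4 ports=${5:-6881:6889}

    # 1. Do not trust DSCP values arriving from the ISP: zero them on WAN
    #    ingress, before any local marking rule is evaluated.
    run iptables -t mangle -A PREROUTING -i "$wan" -j DSCP --set-dscp 0

    # 2. Mark forwarded bulk flows (matched by port here) as CS1, in both
    #    directions. The DSCP target is only valid in the mangle table.
    for proto in tcp udp; do
        for side in --sport --dport; do
            run iptables -t mangle -A FORWARD -p "$proto" "$side" "$ports" \
                -j DSCP --set-dscp-class CS1
        done
    done

    # 3. cake on egress only: WAN egress shapes upload, LAN egress (for
    #    example the bridge br-lan) shapes download. No diffserv keyword is
    #    given, so cake's default Diffserv mode applies.
    run tc qdisc replace dev "$wan" root cake bandwidth "$up"
    run tc qdisc replace dev "$lan" root cake bandwidth "$down"
}

# Usage (prints the seven commands without changing anything):
#   setup_cake_dscp eth0 br-lan 20mbit 100mbit
```

With cake on the LAN bridge, traffic between wired and wireless clients is shaped as well, as noted in the reply above; CS1 marks set on upstream packets still leave through the WAN interface, since nothing on the same router runs after the egress qdisc.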