From: Toke Høiland-Jørgensen
To: Kevin Darbyshire-Bryant, John Sager
Cc: cake@lists.bufferbloat.net
Date: Wed, 06 Feb 2019 14:54:14 +0100
Message-ID: <8736p1qayh.fsf@toke.dk>
Subject: Re: [Cake] Ingress classification

Kevin Darbyshire-Bryant writes:

>> On 5 Feb 2019, at 13:38, John Sager wrote:
>>
>> As you say, an unsolicited incoming packet doesn't get marked. However it
>> creates a conntrack record with zero mark. What you then do is to mark the
>> conntrack record later so that all subsequent packets on that connection get
>> marked by 'action connmark'. So the first packet gets classified on ifb to
>> some low priority queue, but subsequent ones go where they should.
>>
>> I do this for incoming ssh and VPN connections, though I'm using
>> htb/fq_codel rather than cake at the moment.
>>
>
> Thank you John, that has confirmed my understanding that in essence
> it’s not possible in Linux to mangle/mark the first packet on ingress
> and you ideally need the DSCP to be correct.

Not with iptables, but you can do it with tc filters. Either by writing a
BPF filter, or by using the pedit action (which actually changes bytes in
the packet unlike skbedit).

-Toke
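Toke's pedit suggestion worked into a complete ingress setup, as an added example written for this page (it is not code posted by Toke, Kevin or John). The interface names (eth0 as WAN, ifb0 as the ifb), the 50 Mbit/s rate, and the choice of ssh (tcp/22) re-marked to CS3 (DSCP 24) are assumptions. Two things the one-line suggestion leaves out are included because they decide whether this works at all: an `action csum ip` after the pedit, since rewriting the TOS byte invalidates the IPv4 header checksum and ip_rcv() would otherwise drop the packet once it comes back out of the ifb, and a lower-priority catch-all filter so that traffic not matched by the re-mark rule still reaches the ifb. It is IPv4 only: the filter uses `protocol ip` and pedit's `ip` keys.

```shell
#!/bin/sh
# Added example for the thread above (not code from Toke, Kevin or John).
# Re-mark the DSCP of chosen inbound flows at the WAN ingress hook with a tc
# u32 filter plus pedit action, so even the FIRST packet of a connection
# carries the right DSCP when cake on the ifb classifies it.  Assumptions
# (not from the thread): WAN=eth0, IFB=ifb0, 50 Mbit/s downstream, ssh
# (tcp/22) promoted to CS3 (DSCP 24).  IPv4 only.
set -eu

WAN="${WAN:-eth0}"
IFB="${IFB:-ifb0}"
RATE="${RATE:-50mbit}"

# Execute a command, or only print it when DRY_RUN=1 (lets you inspect the
# tc invocations without root or real interfaces).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# DSCP is the top six bits of the IPv4 TOS byte and pedit writes the whole
# byte, so shift left by two.  The two ECN bits are zeroed as a side effect;
# tc-pedit(8) documents a 'retain' mask for leaving bits untouched, not used here.
dscp_to_dsfield() {
    printf '0x%02x\n' $(( $1 << 2 ))
}

# Build (but do not run) the tc filter that rewrites the DS field of TCP
# packets to one destination port and then redirects them into the ifb.
# Action chain order matters:
#   pedit    - edits the byte in the packet itself (skbedit only changes skb
#              metadata such as priority/mark, which a DSCP lookup never sees)
#   csum ip  - recomputes the IPv4 header checksum pedit just invalidated;
#              without it ip_rcv() drops the packet as corrupt after the ifb
#   mirred   - hands the packet to the ifb where cake runs; as a terminal
#              action it also stops further filter evaluation
# Caveat: u32 'match ip dport' reads bytes 22-23 of the IP packet, i.e. it
# assumes a 20-byte IP header with no options.
remark_tcp_dport_filter() {
    port="$1"; dscp="$2"; prio="$3"
    echo "filter add dev $WAN parent ffff: protocol ip prio $prio u32 \
match ip protocol 6 0xff match ip dport $port 0xffff \
action pedit ex munge ip dsfield set $(dscp_to_dsfield "$dscp") pipe \
action csum ip pipe \
action mirred egress redirect dev $IFB"
}

apply_all() {
    run ip link add "$IFB" type ifb
    run ip link set "$IFB" up
    run tc qdisc add dev "$WAN" handle ffff: ingress
    # Specific rewrites first: a lower prio value is evaluated first.
    run tc $(remark_tcp_dport_filter 22 24 10)
    # Catch-all last: everything else reaches the ifb with its DSCP untouched.
    run tc filter add dev "$WAN" parent ffff: protocol all prio 100 matchall \
        action mirred egress redirect dev "$IFB"
    # cake on the ifb now sees the corrected DSCP on the very first packet.
    run tc qdisc add dev "$IFB" root cake bandwidth "$RATE" diffserv4 ingress
}

case "${1:-}" in
    apply) apply_all ;;
esac
```

`DRY_RUN=1 sh remark.sh apply` prints the six commands without needing root; run `apply` as root to install them. Additional ports (a VPN listener, say) get their own `remark_tcp_dport_filter` line with a distinct prio below 100 so they are evaluated before the catch-all.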