From: Toke Høiland-Jørgensen
To: Pete Heist
Cc: Cake List
Date: Sun, 06 Jun 2021 23:01:26 +0200
Subject: Re: [Cake] customizing Cake's isolation with ipsets, tc-flow and eBPF
Message-ID: <87eedewvvd.fsf@toke.dk>

Pete Heist writes:

> On Sun, 2021-06-06 at 21:59 +0200, Toke Høiland-Jørgensen wrote:
>> Pete Heist writes:
>>
>> > I've always wanted a way to customize Cake's host and flow isolation in
>> > a way that would be usable e.g. for small ISPs, and this is what I came
>> > up with:
>> >
>> > https://github.com/heistp/cake-custom-isolation
>> >
>> > ipsets are used to set the skb priority or mark, then tc-flow or a
>> > simple eBPF classifier is used in a child filter of cake to get the
>> > major and minor class IDs set, which override the host and flow
>> > hashes.
>>
>> Very cool! Awesome to see the customisation options being used for
>> something neat like this! :)
>>
>> > To show it in action, the cakeiso.sh script sets up a netns environment
>> > and runs competition between two "subscribers" and three flows, two TCP
>> > flows and one unresponsive UDP flow. Several configurations are run to
>> > show what is and isn't possible.
>> >
>> > If anyone knows of a simpler way than eBPF to get both the major and
>> > minor class ID set from ipsets, I'd like to hear it, but the included
>> > classifiers are at least very simple one-liners...
>>
>> Well, you could go the other way? Instead of ipset, just do the
>> classification in eBPF and use a BPF map to store the IP addresses.
>> There's even an LPM map type, so you can use arbitrary prefix lengths
>> for each class (or not, and just use a hashmap)...
>
> True that, I started something like that at some point:
>
> https://github.com/heistp/tc-users/
>
> but I think I got a little overzealous with it. I'm not sure if/when
> I'll get back to that, but the ipset solution seems to be "good enough"
> for what I (and my ISP) needs. I'm glad you slipped the tc filter
> overrides in before Cake went out the door. :)

Yes! I would love to take credit for the idea, but this came from the
netdev review. I agree though, great that it ended up in there!

> This doesn't do away with the possible need for a full-blown ISP qdisc
> one day, with configurable subscriber tiers, handling of higher loads,
> etc, but at least it's something for the little guys.

Yeah; I have something in the pipeline that will hopefully end up being
useable for that, but may take a little while to get there :)

-Toke
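The prefix-based classification suggested in the thread, as a userspace C model added here as an example (it is not code from either repository linked above and is not an eBPF program): it performs the longest-prefix match an LPM map lookup would give and packs the result as a major:minor class ID. The table, addresses and class numbers are constructed; the major-to-host and minor-to-flow roles follow the description in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One entry per subscriber prefix: mirrors an LPM map key (prefix length +
 * address) with the class ID halves as the value. All values are constructed. */
struct sub_entry {
    uint32_t prefixlen;  /* number of significant leading bits, 0..32 */
    uint32_t addr;       /* IPv4 address, host byte order */
    uint16_t major;      /* per the thread: overrides Cake's host hash */
    uint16_t minor;      /* per the thread: overrides Cake's flow hash;
                            0 = no flow pinned in this model */
};

static const struct sub_entry subs[] = {
    { 24, 0xC0000200u, 1, 0 },  /* 192.0.2.0/24  -> subscriber 1 */
    { 28, 0xC0000210u, 2, 0 },  /* 192.0.2.16/28 -> subscriber 2 (more specific) */
    { 32, 0xC0000211u, 2, 7 },  /* 192.0.2.17/32 -> subscriber 2, flow 7 */
};

static uint32_t prefix_mask(uint32_t len)
{
    /* A shift by 32 is undefined in C, so handle the /0 case explicitly. */
    return len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
}

/* Longest-prefix match. Returns the class ID packed as major:minor (major in
 * the upper 16 bits), or 0 when no prefix covers the address. */
uint32_t classify(uint32_t ip)
{
    const struct sub_entry *best = NULL;
    for (size_t i = 0; i < sizeof(subs) / sizeof(subs[0]); i++) {
        const struct sub_entry *e = &subs[i];
        if (e->prefixlen > 32)
            continue;  /* reject malformed entries instead of mis-masking */
        uint32_t m = prefix_mask(e->prefixlen);
        if ((ip & m) == (e->addr & m) && (!best || e->prefixlen > best->prefixlen))
            best = e;
    }
    return best ? ((uint32_t)best->major << 16) | best->minor : 0;
}

int main(void)
{
    /* 192.0.2.5, 192.0.2.18, 192.0.2.17, 198.51.100.1 (documentation ranges) */
    const uint32_t ips[] = { 0xC0000205u, 0xC0000212u, 0xC0000211u, 0xC6336401u };
    for (size_t i = 0; i < sizeof(ips) / sizeof(ips[0]); i++) {
        uint32_t c = classify(ips[i]);
        printf("%08x -> %x:%x\n", (unsigned)ips[i], (unsigned)(c >> 16), (unsigned)(c & 0xFFFFu));
    }
    return 0;
}
```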