From: moeller0
To: ching lu
Cc: Jonathan Morton, cake@lists.bufferbloat.net
Date: Wed, 12 Oct 2016 12:05:14 +0200
Subject: Re: [Cake] diffserv based on firewall mark
List-Id: Cake - FQ_codel the next generation

Hi Ching,

> On Oct 12, 2016, at 11:35 , ching lu wrote:
>
> How to achieve "cake follows iptables"? is it “wan ingress -> iptables

Yes.

> -> wifi egress/LAN egress -> ifb egress -> cake”?

Except that if you instantiate cake on the interface connecting to the router's LAN/WLAN side (let's call this LAN for short), cake will reside on that interface's egress and hence you require no ifb for traffic coming in from the internet (as a plus cake will even without the fancy new deNAT options see the full internal IP addresses, useful for dual and triple isolation options). In the direction facing the internet you can instantiate cake on an ifb interface for LAN and then put the iptables DSCP cleaner on the WAN egress side (and the WAN ingress side, unless you trust your ISP to deliver reasonable DSCP values, which should be like never*)

Best Regards
        Sebastian

*) DSCP are only ever guaranteed to be meaningful inside a dscp domain, and in reality your home net is a different domain from the ISP’s. It would have been nice if the DSCP field would have been separated into 2 3bit fields, the first for the actual sender to request one of 8 differential classes and the other 3bits for the current domain to store its actually used DSCP bits. I claim the 3 bits should be enough for anybody ;)

>
>
> On Wed, Oct 12, 2016 at 5:10 PM, moeller0 wrote:
>> Hi,
>>
>>
>>> On Oct 12, 2016, at 10:11 , ching lu wrote:
>>>
>>> For egress, setting DSCP field should work.
>>>
>>> iptables -> wan egress -> cake
>>>
>>> But is it possible to set DSCP to 0x0 after cake's classification? I
>>> do not know how ISP handle non-zero DSCP, there seems to be no
>>> standard for this.
>>
>> Interestingly cake, at some point in the past offered exactly that functionality, but it got removed due to added complexity with very little practical applicability (and a potential layering violation, but one could equally argue that the current layering is partly sub-optimal/wrong and hence violating it to better reflect reality might be acceptable). But current cake does not offer this. If you are willing to daisy-chain two routers, you could run cake on the respective egress interfaces connecting both routers, and do the DSCP cleaning on the outer router’s egress interface toward the internet…
>>
>>>
>>>
>>> For ingress, DSCP field may not be set by network peer at all, and I
>>> have multiple LAN interfaces
>>>
>>> AFAIK, the order is "wan ingress -> ifb egress -> cake -> iptables"
>>>
>>> The trick of setting DSCP by iptables does not work because cake comes first
>>
>> Hence Jonathan’s recommendation to make sure that cake follows iptables, by setting it up on egress interfaces only…
>>
>> Best Regards
>>         Sebastian
>>
>>>
>>> On Wed, Oct 12, 2016 at 3:26 PM, Jonathan Morton wrote:
>>>>
>>>>> On 12 Oct, 2016, at 08:52, ching lu wrote:
>>>>>
>>>>> I deprioritize bittorrent traffic by marking related connections in
>>>>> iptables (e.g. detect by port number) and route them to corresponding
>>>>> HTB class and qdisc.
>>>>>
>>>>> How can I achieve the same goal using the cake qdisc?
>>>>
>>>> Modify your iptables rules to set the DSCP rather than a kernel-internal mark. You probably want "-j DSCP --set-dscp-class CS1", as CS1 is the “bulk low priority” code. Cake’s default Diffserv mode will pick that up appropriately.
>>>>
>>>> You also need to make sure Cake sees your packets *after* they’ve been through the firewall, which generally means attaching it to the egress port in each direction, not the ingress port. You’ve probably already done this, if you’re happy with your HTB setup.
>>>>
>>>> If you have multiple LAN interfaces (eg, both Ethernet and wifi), you should loop the inbound traffic through a common IFB device (and attach Cake to that instead of the physical interfaces) to simplify configuration.
>>>>
>>>> - Jonathan Morton
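
The placement described in the reply at the top of this message, written out as a dry-run script. This is an added example, not part of the original thread; the interface names (eth0, br-lan), the ifb name ifb4lan, the rates and the port range 6881:6889 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): cake placed after iptables.
# Assumed: interface names, ifb4lan, rates, BitTorrent ports 6881:6889.
# Dry run by default (commands are printed); APPLY=1 executes them as root.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# mangle hooks for forwarded packets run in the order
# PREROUTING -> FORWARD -> POSTROUTING, then the egress qdisc.
dscp_rules() {  # usage: dscp_rules WAN
    # DSCP from the ISP is not trusted: zero it on WAN ingress.
    run iptables -t mangle -A PREROUTING -i "$1" -j DSCP --set-dscp 0
    # Mark bulk traffic CS1, detected by port number as in the question.
    run iptables -t mangle -A FORWARD -p tcp -m multiport \
        --ports 6881:6889 -j DSCP --set-dscp-class CS1
    # Clean DSCP on WAN egress before packets reach the ISP.
    run iptables -t mangle -A POSTROUTING -o "$1" -j DSCP --set-dscp 0
}

# Downstream: cake on LAN egress runs after the firewall, so it sees the CS1
# mark and the internal destination addresses. No ifb needed.
cake_downstream() {  # usage: cake_downstream LAN RATE
    run tc qdisc add dev "$1" root cake bandwidth "$2" dual-dsthost
}

# Upstream: cake on an ifb fed from LAN ingress. It runs before iptables,
# so it classifies on the DSCP the LAN hosts set, not on the FORWARD mark;
# the WAN-egress cleaner above then zeroes DSCP after cake has used it.
cake_upstream() {  # usage: cake_upstream LAN RATE
    ifb=ifb4lan
    run ip link add "$ifb" type ifb
    run ip link set "$ifb" up
    run tc qdisc add dev "$1" handle ffff: ingress
    run tc filter add dev "$1" parent ffff: protocol all u32 match u32 0 0 \
        action mirred egress redirect dev "$ifb"
    run tc qdisc add dev "$ifb" root cake bandwidth "$2" dual-srchost
}

setup() {  # usage: setup WAN LAN DOWN_RATE UP_RATE
    dscp_rules "$1"
    cake_downstream "$2" "$3"
    cake_upstream "$2" "$4"
}

setup eth0 br-lan 50mbit 10mbit
```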