From: moeller0
Date: Wed, 12 Oct 2016 15:07:32 +0200
To: ching lu
Cc: cake@lists.bufferbloat.net, Jonathan Morton
Subject: Re: [Cake] diffserv based on firewall mark

Hi Ching,

> On Oct 12, 2016, at 14:40, ching lu wrote:
>
> There is no need for cleansing dscp for wan ingress,

I think it is unnecessary, too

>
> In https://www.bufferbloat.net/projects/codel/wiki/Cake/
>
> There is a statement:
>
> “The only way we know how to “fix” bittorrent is to classify it somewhat, somehow, as “background”."

Which was true at the time. In the meantime cake grew new “isolation” modes that will attempt to provide on a first level per-(internal)-IP-address fairness and inside each internal IP-address “band” also per-flow fairness. This should allow to restrict the bad effect of bit-torrent traffic on the machine actually running the torrent client. Which seems like a good compromise since most torrent clients allow configurations to alleviate the issue somewhat for that specific machine (like bandwidth limits). These additional modes do require a bit of testing and especially on ingress they will not be 100% robust (too many in-rushing bit-torrent connections might cause buffers upstream of the cake-managed link to fill and cause increased latency), but that just comes with instantiating a shaper on the wrong end of the real bottleneck.
As a side note, the more bandwidth difference exists between the real bottleneck and the artificial cake-managed bottleneck, the better ingress shaping will work…

>
> But in fact, there is no simple way to classify bittorrent INGRESS traffic

Yes, and no…

>
> DSCP -> unreliable, easily spoofed by attacker, and the value is most likely 0x0

Well, if BT clients would mark CS1/BK that would be a decent 1st step, except that will also tell ISPs which packets to drop first… (which might be actually in the user's interest)

> firewall mark -> cake does not use firewall mark/connmark

If you can firewall mark you can also re-map dscp… But I believe the real issue is that bit-torrent was designed to have no clear unambiguous signature so figuring out which packets belong to bit-torrent flows is the tricky bit…

>
> Finally, I guess most likely home users will use bit torrent.

But that is a guess? Numbers/real data would be better; that said, with even Windows Update allowing peer-to-peer distribution of updates, bit-torrent-like traffic probably is something most home users will see occasionally.

Best Regards
Sebastian

>
> On 12 Oct 2016, at 8:04 PM, "moeller0" wrote:
> Hi Ching?
>
> > On Oct 12, 2016, at 12:17, ching lu wrote:
> >
> >
> > On 12 Oct 2016, at 6:05 PM, "moeller0" wrote:
> > >
> > > Hi Ching,
> > >
> > > > On Oct 12, 2016, at 11:35, ching lu wrote:
> > > >
> > > > How to achieve "cake follows iptables"? is it “wan ingress -> iptables
> > >
> > > Yes.
> > >
> > > > -> wifi egress/LAN egress -> ifb egress -> cake”?
> > >
> > > Except that if you instantiate cake on the interface connecting to the router's LAN/WLAN side (let's call this LAN for short), cake will reside on that interface's egress and hence you require no ifb for traffic coming in from the internet (as a plus cake will even without the fancy new deNAT options see the full internal IP addresses, useful for dual and triple isolation options). In the direction facing the internet you can instantiate cake on an ifb interface for LAN and then put the iptables DSCP cleaner on the WAN egress side (and the WAN ingress side, unless you trust your ISP to deliver reasonable DSCP values, which should be like never*)
> >
> > The bandwidth shaper won’t work correctly if cake(s) are registered on multiple LAN interfaces, ifb is necessary
> >
> > e.g. if ingress bandwidth limit is 100M, then setting 50M on wifi, and 50M on LAN ?
>
> Yes that seems true, if you instantiate cake on br-lan (which I believe would be the relevant interface) you will shape both wireless and wired traffic, but most likely also internal traffic… But that can be solved by one more router/AP ;)
>
> >
> > I think the diffserv support of cake model is not suitable for home network currently.
>
> I have no real opinion on that, but could you explicitly state what shortcoming you see that is a showstopper? DSCP cleaning on ingress is BTW not really required to happen before cake, as long as cake is set to besteffort it will ignore DSCP markings anyway, and if you want to re-map/re-classify packets via DSCP on ingress you are pretty much out of scope for a typical home network.
> Cleaning up on egress, as to not leak internal configuration to the upstream seems indeed sub-optimal, but cake is not alone in that regard…
>
> > The setup is much more complex
>
> Well, DSCP setup is complex no matter how you slice and dice it… but maybe you have an idea what a shaper (like cake) could/should do to make this simpler?
>
> Best Regards
> Sebastian
>
> > >
> > > Best Regards
> > > Sebastian
> > >
> > > *) DSCP are only ever guaranteed to be meaningful inside a dscp domain, and in reality your home net is a different domain from the ISP’s. It would have been nice if the DSCP field would have been separated into 2 3bit fields, the first for the actual sender to request one of 8 differential classes and the other 3bits for the current domain to store its actually used DSCP bits. I claim the 3 bits should be enough for anybody ;)
> > >
> > > > On Wed, Oct 12, 2016 at 5:10 PM, moeller0 wrote:
> > > >> Hi,
> > > >>
> > > >>> On Oct 12, 2016, at 10:11, ching lu wrote:
> > > >>>
> > > >>> For egress, setting DSCP field should work.
> > > >>>
> > > >>> iptables -> wan egress -> cake
> > > >>>
> > > >>> But is it possible to set DSCP to 0x0 after cake's classification? I do not know how ISP handle non-zero DSCP, there seems to be no standard for this.
> > > >>
> > > >> Interestingly cake, at some point in the past offered exactly that functionality, but it got removed due to added complexity with very little practical applicability (and a potential layering violation, but one could equally argue that the current layering is partly sub-optimal/wrong and hence violating it to better reflect reality might be acceptable). But current cake does not offer this.
> > > >> If you are willing to daisy-chain two routers, you could run cake on the respective egress interfaces connecting both routers, and do the DSCP cleaning on the outer router’s egress interface toward the internet…
> > > >>
> > > >>>
> > > >>> For ingress, DSCP field may not be set by network peer at all, and I have multiple LAN interfaces
> > > >>>
> > > >>> AFAIK, the order is "wan ingress -> ifb egress -> cake -> iptables"
> > > >>>
> > > >>> The trick of setting DSCP by iptables does not work because cake comes first
> > > >>
> > > >> Hence Jonathan’s recommendation to make sure that cake follows iptables, by setting it up on egress interfaces only…
> > > >>
> > > >> Best Regards
> > > >> Sebastian
> > > >>
> > > >>>
> > > >>> On Wed, Oct 12, 2016 at 3:26 PM, Jonathan Morton wrote:
> > > >>>>
> > > >>>>> On 12 Oct, 2016, at 08:52, ching lu wrote:
> > > >>>>>
> > > >>>>> I deprioritize bittorrent traffic by marking related connections in iptables (e.g. detect by port number) and route them to corresponding HTB class and qdisc.
> > > >>>>>
> > > >>>>> How can I achieve the same goal using the cake qdisc?
> > > >>>>
> > > >>>> Modify your iptables rules to set the DSCP rather than a kernel-internal mark. You probably want "-j DSCP --set-dscp-class CS1”, as CS1 is the “bulk low priority” code. Cake’s default Diffserv mode will pick that up appropriately.
> > > >>>>
> > > >>>> You also need to make sure Cake sees your packets *after* they’ve been through the firewall, which generally means attaching it to the egress port in each direction, not the ingress port. You’ve probably already done this, if you’re happy with your HTB setup.
> > > >>>>
> > > >>>> If you have multiple LAN interfaces (eg, both Ethernet and wifi), you should loop the inbound traffic through a common IFB device (and attach Cake to that instead of the physical interfaces) to simplify configuration.
> > > >>>>
> > > >>>> - Jonathan Morton
> > > >>>>
> > > >>> _______________________________________________
> > > >>> Cake mailing list
> > > >>> Cake@lists.bufferbloat.net
> > > >>> https://lists.bufferbloat.net/listinfo/cake
> > > >>
> > >
>
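
The ordering discussed in this thread (netfilter sets the DSCP, cake on each egress interface classifies afterwards), for the simple case of one WAN and one LAN interface, as an added example that is not part of the original messages. The WAN interface name, port range, rates and all function names are constructed assumptions; `br-lan` is the interface named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, port range and rates
# are constructed placeholders; adjust before use.
WAN_IF=${WAN_IF:-eth0}            # assumed WAN interface
LAN_IF=${LAN_IF:-br-lan}          # LAN bridge, as named in the thread
BT_PORTS=${BT_PORTS:-6881:6889}   # assumed torrent client port range
UP_RATE=${UP_RATE:-10mbit}        # assumed shaper rates
DOWN_RATE=${DOWN_RATE:-90mbit}
DRY_RUN=${DRY_RUN:-1}             # 1 = print the commands, 0 = execute (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# DSCP values arriving from the ISP are not trusted: zero them as early as
# possible (PREROUTING runs before FORWARD and before any egress qdisc).
clean_wan_ingress() {
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -j DSCP --set-dscp 0
}

# Re-mark torrent traffic (detected by port, in both directions) as CS1.
mark_bulk() {
    for proto in tcp udp; do
        for side in sport dport; do
            run iptables -t mangle -A FORWARD -p "$proto" "--$side" "$BT_PORTS" \
                -j DSCP --set-dscp-class CS1
        done
    done
}

# Cake as the root (egress) qdisc of each interface, so it classifies packets
# after netfilter has set the DSCP. No ingress qdisc or IFB in this case.
attach_cake() {
    run tc qdisc replace dev "$WAN_IF" root cake bandwidth "$UP_RATE"
    run tc qdisc replace dev "$LAN_IF" root cake bandwidth "$DOWN_RATE"
}

setup() { clean_wan_ingress; mark_bulk; attach_cake; }
setup
```

With this layout the CS1 mark is still visible upstream on WAN egress, and cake on `br-lan` also shapes internal LAN traffic, both of which are the trade-offs raised in the thread.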