From: ching lu
Date: Wed, 12 Oct 2016 20:40:04 +0800
To: moeller0
Cc: cake@lists.bufferbloat.net, Jonathan Morton
Subject: Re: [Cake] diffserv based on firewall mark
In-Reply-To: <42DC9EF5-80A0-439E-9507-085A0F566B22@gmx.de>
References: <4D2419FB-6649-4250-9D42-E6EDECFFCCDE@gmail.com> <95CB6153-524D-499A-8E85-231C5098A4DB@gmx.de> <42DC9EF5-80A0-439E-9507-085A0F566B22@gmx.de>
List-Id: Cake - FQ_codel the next generation

There is no need for cleansing DSCP for WAN ingress; I think it is unnecessary, too.

In https://www.bufferbloat.net/projects/codel/wiki/Cake/

There is a statement:

"The only way we know how to “fix” bittorrent is to classify it somewhat, somehow, as “background”."

But in fact, there is no simple way to classify bittorrent INGRESS traffic:

DSCP -> unreliable, easily spoofed by an attacker, and the value is most likely 0x0
firewall mark -> cake does not use the firewall mark/connmark

Finally, I guess most likely home users will use BitTorrent.


On 12 Oct 2016 at 20:04, "moeller0" <moeller0@gmx.de> wrote:
Hi Ching,

> On Oct 12, 2016, at 12:17 , ching lu <lsching17@gmail.com> wrote:
>
>
> On 12 Oct 2016 at 18:05, "moeller0" <moeller0@gmx.de> wrote:
> >
> > Hi Ching,
> >
> > > On Oct 12, 2016, at 11:35 , ching lu <lsching17@gmail.com> wrote:
> > >
> > > How to achieve "cake follows iptables"? Is it “wan ingress -> iptables
> >
> > Yes.
> >
> > > -> wifi egress/LAN egress -> ifb egress -> cake”?
> >
> >         Except that if you instantiate cake on the interface connecting to the router's LAN/WLAN side (let's call this LAN for short), cake will reside on that interface's egress and hence you require no ifb for traffic coming in from the internet (as a plus cake will even without the fancy new deNAT options see the full internal IP addresses, useful for dual and triple isolation options). In the direction facing the internet you can instantiate cake on an ifb interface for LAN and then put the iptables DSCP cleaner on the WAN egress side (and the WAN ingress side, unless you trust your ISP to deliver reasonable DSCP values, which should be like never*)
>
> The bandwidth shaper won’t work correctly if cake(s) are registered on multiple LAN interfaces, ifb is necessary
>
> e.g. if the ingress bandwidth limit is 100M, then setting 50M on wifi, and 50M on LAN?

        Yes that seems true, if you instantiate cake on br-lan (which I believe would be the relevant interface) you will shape both wireless and wired traffic, but most likely also internal traffic… But that can be solved by one more router/AP ;)

>
> I think the diffserv support of the cake model is not suitable for home networks currently.

        I have no real opinion on that, but could you explicitly state what shortcoming you see that is a showstopper? DSCP cleaning on ingress is BTW not really required to happen before cake, as long as cake is set to besteffort it will ignore DSCP markings anyway, and if you want to re-map/re-classify packets via DSCP on ingress you are pretty much out of scope for a typical home network. Cleaning up on egress, as to not leak internal configuration to the upstream, seems indeed sub-optimal, but cake is not alone in that regard…

> The setup is much more complex

        Well, DSCP setup is complex no matter how you slice and dice it… but maybe you have an idea what a shaper (like cake) could/should do to make this simpler?

Best Regards
        Sebastian

>
>
>
> >
> > Best Regards
> >         Sebastian
> >
> > *) DSCP are only ever guaranteed to be meaningful inside a DSCP domain, and in reality your home net is a different domain from the ISP’s. It would have been nice if the DSCP field had been separated into two 3-bit fields, the first for the actual sender to request one of 8 differential classes and the other 3 bits for the current domain to store its actually used DSCP bits. I claim the 3 bits should be enough for anybody ;)
> >
> >
> > >
> > >
> > > On Wed, Oct 12, 2016 at 5:10 PM, moeller0 <moeller0@gmx.de> wrote:
> > >> Hi,
> > >>
> > >>
> > >>> On Oct 12, 2016, at 10:11 , ching lu <lsching17@gmail.com> wrote:
> > >>>
> > >>> For egress, setting DSCP field should work.
> > >>>
> > >>> iptables -> wan egress -> cake
> > >>>
> > >>> But is it possible to set DSCP to 0x0 after cake's classification? I
> > >>> do not know how ISPs handle non-zero DSCP, there seems to be no
> > >>> standard for this.
> > >>
> > >>         Interestingly cake, at some point in the past offered exactly that functionality, but it got removed due to added complexity with very little practical applicability (and a potential layering violation, but one could equally argue that the current layering is partly sub-optimal/wrong and hence violating it to better reflect reality might be acceptable). But current cake does not offer this. If you are willing to daisy-chain two routers, you could run cake on the respective egress interfaces connecting both routers, and do the DSCP cleaning on the outer router’s egress interface toward the internet…
> > >>
> > >>>
> > >>>
> > >>> For ingress, the DSCP field may not be set by the network peer at all, and I
> > >>> have multiple LAN interfaces
> > >>>
> > >>> AFAIK, the order is "wan ingress -> ifb egress -> cake -> iptables"
> > >>>
> > >>> The trick of setting DSCP by iptables does not work because cake comes first
> > >>
> > >>         Hence Jonathan’s recommendation to make sure that cake follows iptables, by setting it up on egress interfaces only…
> > >>
> > >> Best Regards
> > >>         Sebastian
> > >>
> > >>>
> > >>> On Wed, Oct 12, 2016 at 3:26 PM, Jonathan Morton <chromatix99@gmail.com> wrote:
> > >>>>
> > >>>>> On 12 Oct, 2016, at 08:52, ching lu <lsching17@gmail.com> wrote:
> > >>>>>
> > >>>>> I deprioritize bittorrent traffic by marking related connections in
> > >>>>> iptables (e.g. detect by port number) and route them to the corresponding
> > >>>>> HTB class and qdisc.
> > >>>>>
> > >>>>> How can I achieve the same goal using the cake qdisc?
> > >>>>
> > >>>> Modify your iptables rules to set the DSCP rather than a kernel-internal mark.  You probably want "-j DSCP --set-dscp-class CS1", as CS1 is the “bulk low priority” code.  Cake’s default Diffserv mode will pick that up appropriately.
> > >>>>
> > >>>> You also need to make sure Cake sees your packets *after* they’ve been through the firewall, which generally means attaching it to the egress port in each direction, not the ingress port.  You’ve probably already done this, if you’re happy with your HTB setup.
> > >>>>
> > >>>> If you have multiple LAN interfaces (eg, both Ethernet and wifi), you should loop the inbound traffic through a common IFB device (and attach Cake to that instead of the physical interfaces) to simplify configuration.
> > >>>>
> > >>>> - Jonathan Morton
> > >>>>
> > >>> _______________________________________________
> > >>> Cake mailing list
> > >>> Cake@lists.bufferbloat.net
> > >>> https://lists.bufferbloat.net/listinfo/cake
> > >>
> >
>

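The setup the thread converges on, written out as an added example (this is editor-supplied script, not code from the thread, from ching lu, or from the cake project): torrent flows are marked CS1 in the mangle table so that cake on the WAN egress sees the DSCP after iptables has run, as Jonathan describes; inbound traffic is redirected through one IFB and shaped there in besteffort mode, so the DSCP a remote peer chose (which, as ching lu notes, an attacker can set to anything) never influences priority, as Sebastian suggests. The interface names (eth0, ifb4wan), the rates, the chain name cake_dscp and the BitTorrent port range 6881:6889 are assumptions for the example. The `wash` keyword used on the upload side clears the DSCP bits after cake has classified the packet; it exists in the mainline sch_cake, not in the 2016 builds the thread discusses, so drop it on an older kernel. By default the script only prints the commands it would run; APPLY=1 executes them as root.

```shell
#!/bin/sh
# Added example (not from the thread or the cake project): "cake follows
# iptables" on a home router. Interface names, rates, chain name and the
# BitTorrent port range are assumptions; adjust them to your box.
# Default is a dry run that prints the commands; APPLY=1 executes them
# (needs root, a kernel/iproute2 with sch_cake, and the iptables DSCP target).

WAN="${WAN:-eth0}"                  # assumed: interface toward the ISP
IFB="${IFB:-ifb4wan}"               # assumed: IFB that carries inbound traffic
UP_RATE="${UP_RATE:-18mbit}"        # assumed: slightly below the real upload rate
DOWN_RATE="${DOWN_RATE:-95mbit}"    # assumed: slightly below the real download rate
BT_PORTS="${BT_PORTS:-6881:6889}"   # assumed: BitTorrent listening ports

# Print or execute one command, depending on APPLY.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Outbound marking. mangle/POSTROUTING runs before the WAN egress qdisc, so
# cake on $WAN sees the DSCP set here. CS1 lands in cake's Bulk tin in both
# the diffserv3 and diffserv4 modes; every other flow keeps its DSCP.
mark_torrent_cs1() {
    run iptables -t mangle -N cake_dscp
    run iptables -t mangle -A POSTROUTING -o "$WAN" -j cake_dscp
    run iptables -t mangle -A cake_dscp -p tcp -m multiport --ports "$BT_PORTS" -j DSCP --set-dscp-class CS1
    run iptables -t mangle -A cake_dscp -p udp -m multiport --ports "$BT_PORTS" -j DSCP --set-dscp-class CS1
}

# Outbound shaper on the WAN interface itself (egress, hence after iptables).
# "wash" clears the DSCP bits once cake has chosen the tin, so the CS1 marking
# does not leak to the ISP (mainline sch_cake keyword; remove it on old builds).
shape_upload() {
    run tc qdisc replace dev "$WAN" root cake bandwidth "$UP_RATE" diffserv3 wash
}

# Inbound shaper: redirect everything arriving on $WAN into the IFB and shape
# on the IFB's egress. Inbound DSCP is chosen by whoever sent the packet, so the
# instance runs in besteffort mode and never prioritises on it.
shape_download() {
    run ip link add "$IFB" type ifb
    run ip link set dev "$IFB" up
    run tc qdisc replace dev "$WAN" handle ffff: ingress
    run tc filter add dev "$WAN" parent ffff: protocol all prio 10 matchall action mirred egress redirect dev "$IFB"
    run tc qdisc replace dev "$IFB" root cake bandwidth "$DOWN_RATE" besteffort
}

setup_all() {
    mark_torrent_cs1
    shape_upload
    shape_download
}

setup_all
```

If the LAN side is a single bridge (br-lan on OpenWrt), the inbound instance can instead sit on that bridge's egress, as Sebastian describes; that removes the IFB but also shapes traffic between wired and wireless clients, so the IFB form is kept here.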