From: ching lu
Date: Wed, 12 Oct 2016 18:17:04 +0800
To: moeller0
Cc: cake@lists.bufferbloat.net, Jonathan Morton
Subject: Re: [Cake] diffserv based on firewall mark

On 12 Oct 2016, at 6:05 PM, "moeller0" <moeller0@gmx.de> wrote:
>
> Hi Ching,
>
> > On Oct 12, 2016, at 11:35 , ching lu <lsching17@gmail.com> wrote:
> >
> > How to achieve "cake follows iptables"? Is it “wan ingress -> iptables
>
> Yes.
>
> > -> wifi egress/LAN egress -> ifb egress -> cake”?
>
>         Except that if you instantiate cake on the interface connecting to the outers LAN/WLAN side (let's call this LAN for short), cake will reside on that interface's egress and hence you require no ifb for traffic coming in from the internet (as a plus cake will even without the fancy new deNAT options see the full internal IP addresses, useful for dual and triple isolation options). In the direction facing the internet you can instantiate cake on an ifb interface for LAN and then put the iptables DSCP cleaner on the WAN egress side (and the WAN ingress side, unless you trust your ISP to deliver reasonable DSCP values, which should be like never*)

The bandwidth shaper won't work correctly if cake(s) are registered on multiple LAN interfaces; ifb is necessary.

e.g. if the ingress bandwidth limit is 100M, then setting 50M on wifi, and 50M on LAN?

I think the diffserv support of cake model is not suitable for home networks currently. The setup is much more complex.


>
> Best Regards
>         Sebastian
>
> 8) DSCP are only ever guaranteed to be meaningful inside a DSCP domain, and in reality your home net is a different domain from the ISP’s. It would have been nice if the DSCP field would have been separated into 2 3bit fields, the first for the actual sender to request one of 8 differential classes and the other 3bits for the current domain to store its actually used DSCP bits. I claim the 3 bits should be enough for anybody ;)
>
> >
> >
> > On Wed, Oct 12, 2016 at 5:10 PM, moeller0 <moeller0@gmx.de> wrote:
> >> Hi,
> >>
> >>
> >>> On Oct 12, 2016, at 10:11 , ching lu <lsching17@gmail.com> wrote:
> >>>
> >>> For egress, setting DSCP field should work.
> >>>
> >>> iptables -> wan egress -> cake
> >>>
> >>> But is it possible to set DSCP to 0x0 after cake's classification? I
> >>> do not know how ISP handle non-zero DSCP, there seems to be no
> >>> standard for this.
> >>
> >>        Interestingly cake, at some point in the past offered exactly that functionality, but it got removed due to added complexity with very little practical applicability (and a potential layering violation, but one could equally argue that the current layering is partly sub-optimal/wrong and hence violating it to better reflect reality might be acceptable). But current cake does not offer this. If you are willing to daisy-chain two routers, you could run cake on the respective egress interfaces connecting both routers, and do the DSCP cleaning on the outer router’s egress interface toward the internet…
> >>
> >>>
> >>>
> >>> For ingress, DSCP field may not be set by network peer at all, and I
> >>> have multiple LAN interfaces
> >>>
> >>> AFAIK, the order is "wan ingress -> ifb egress -> cake -> iptables"
> >>>
> >>> The trick of setting DSCP by iptables does not work because cake comes first
> >>
> >>        Hence Jonathan’s recommendation to make sure that cake follows iptables, by setting it up on egress interfaces only…
> >>
> >> Best Regards
> >>        Sebastian
> >>
> >>>
> >>> On Wed, Oct 12, 2016 at 3:26 PM, Jonathan Morton <chromatix99@gmail.com> wrote:
> >>>>
> >>>>> On 12 Oct, 2016, at 08:52, ching lu <lsching17@gmail.com> wrote:
> >>>>>
> >>>>> I deprioritize bittorrent traffic by marking related connections in
> >>>>> iptables (e.g. detect by port number) and route them to corresponding
> >>>>> HTB class and qdisc.
> >>>>>
> >>>>> How can I achieve the same goal using the cake qdisc?
> >>>>
> >>>> Modify your iptables rules to set the DSCP rather than a kernel-internal mark.  You probably want "-j DSCP --set-dscp-class CS1", as CS1 is the “bulk low priority” code.  Cake’s default Diffserv mode will pick that up appropriately.
> >>>>
> >>>> You also need to make sure Cake sees your packets *after* they’ve been through the firewall, which generally means attaching it to the egress port in each direction, not the ingress port.  You’ve probably already done this, if you’re happy with your HTB setup.
> >>>>
> >>>> If you have multiple LAN interfaces (eg, both Ethernet and wifi), you should loop the inbound traffic through a common IFB device (and attach Cake to that instead of the physical interfaces) to simplify configuration.
> >>>>
> >>>> - Jonathan Morton
> >>>>
> >>
>
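
The ordering this thread converges on, as an added example that is not part of any poster's message: iptables sets the DSCP first, cake sits on WAN egress for upstream, and every LAN egress is looped through one IFB carrying a single cake instance for downstream. Interface names, rates and the port range are assumptions, and the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, rates and the
# BitTorrent port range below are assumptions.
WAN=eth0; LANS="eth1 wlan0"; IFB=ifb0
UP_RATE=20Mbit; DOWN_RATE=100Mbit; BT_PORTS=6881:6889

# Print every command; execute it only when APPLY=1 (needs root).
run() { echo "$*"; if [ "${APPLY:-0}" = 1 ]; then "$@"; fi; }

# 1. Netfilter rewrites DSCP before any egress qdisc sees the packet.
mark_rules() {
    # DSCP from the ISP's domain is not trusted: clear it on WAN ingress.
    run iptables -t mangle -A PREROUTING -i "$WAN" -j DSCP --set-dscp 0
    # Bulk traffic gets CS1 in both directions.
    for p in tcp udp; do
        for side in --sport --dport; do
            run iptables -t mangle -A FORWARD -p "$p" "$side" "$BT_PORTS" \
                -j DSCP --set-dscp-class CS1
        done
    done
}

# 2. Upstream: cake on WAN egress runs after the FORWARD chain.
shape_up() {
    run tc qdisc replace dev "$WAN" root cake bandwidth "$UP_RATE" diffserv4
}

# 3. Downstream: each LAN egress loops through one IFB, so a single cake
#    instance enforces the whole downstream rate after iptables has run.
shape_down() {
    run ip link add "$IFB" type ifb
    run ip link set "$IFB" up
    run tc qdisc replace dev "$IFB" root cake bandwidth "$DOWN_RATE" diffserv4
    for lan in $LANS; do
        run tc qdisc replace dev "$lan" root handle 1: prio
        run tc filter add dev "$lan" parent 1: protocol all u32 \
            match u32 0 0 action mirred egress redirect dev "$IFB"
    done
}

plan() { mark_rules; shape_up; shape_down; }
plan
```

Because the u32 filter matches everything, traffic routed between the LAN interfaces also passes through the downstream shaper.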
