[Cake] Does the latest cake support "tc filter"?

[Cake] Does the latest cake support "tc filter"?

[Fushan Wen]

Hello developers,
I've seen the mail in the netdev mailing list, saying "other tc
filters supported". So can I use "tc filter" to attach specified
traffic to a specified tin without DSCP marks? It's helpful when
dealing with ingress traffic where iptables DSCP mark won't work.
Thanks in advance.

Re: [Cake] Does the latest cake support "tc filter"?

[Toke Høiland-Jørgensen]

Fushan Wen <qydwhotmail@gmail.com> writes:

> Hello developers,
> I've seen the mail in the netdev mailing list, saying "other tc
> filters supported". So can I use "tc filter" to attach specified
> traffic to a specified tin without DSCP marks? It's helpful when
> dealing with ingress traffic where iptables DSCP mark won't work.

Yes, the version submitted to upstream supports this. You can override
which tin packets goes in by setting skb->priority from a filter or
application (the major number needs to be set to the qdisc ID, and the
minor number becomes the tin to queue packets in).

However, these changes have not been backported, so they are not
available in the cobalt branch. You can pull them from the upstream-4.18
branch instead. That should build against a current net-next tree, and
possibly a bit older. Alternatively, you can pull the current patches
from patchwork and use those. Or wait for a backport after we're done
with the upstream submission :)

-Toke

Re: [Cake] Does the latest cake support "tc filter"?

[Georgios Amanakis]

> Yes, the version submitted to upstream supports this. You can override
> which tin packets goes in by setting skb->priority from a filter or
> application (the major number needs to be set to the qdisc ID, and the
> minor number becomes the tin to queue packets in).

Toke could you give an example how to do this?

I am trying to put all traffic into tin 0:
#tc qdisc add dev enp1s0 root handle 8001 cake diffserv3 bandwidth 2mbit
#tc filter add dev enp1s0 parent 8001: protocol all \
              u32 match u32 0 0 \
              action skbedit priority 8001:1

However as soon as the second command is executed all traffic drops,
and it only resumes once I remove the filter.

What am I doing wrong?

Thank you,
George

On Thu, May 17, 2018 at 6:42 AM, Toke Høiland-Jørgensen <toke@toke.dk> wrote:
> Fushan Wen <qydwhotmail@gmail.com> writes:
>
>> Hello developers,
>> I've seen the mail in the netdev mailing list, saying "other tc
>> filters supported". So can I use "tc filter" to attach specified
>> traffic to a specified tin without DSCP marks? It's helpful when
>> dealing with ingress traffic where iptables DSCP mark won't work.
>
> Yes, the version submitted to upstream supports this. You can override
> which tin packets goes in by setting skb->priority from a filter or
> application (the major number needs to be set to the qdisc ID, and the
> minor number becomes the tin to queue packets in).
>
> However, these changes have not been backported, so they are not
> available in the cobalt branch. You can pull them from the upstream-4.18
> branch instead. That should build against a current net-next tree, and
> possibly a bit older. Alternatively, you can pull the current patches
> from patchwork and use those. Or wait for a backport after we're done
> with the upstream submission :)
>
> -Toke
> _______________________________________________
> Cake mailing list
> Cake@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cake

Re: [Cake] Does the latest cake support "tc filter"?

[Toke Høiland-Jørgensen]

Georgios Amanakis <gamanakis@gmail.com> writes:

>> Yes, the version submitted to upstream supports this. You can override
>> which tin packets goes in by setting skb->priority from a filter or
>> application (the major number needs to be set to the qdisc ID, and the
>> minor number becomes the tin to queue packets in).
>
> Toke could you give an example how to do this?
>
> I am trying to put all traffic into tin 0:
> #tc qdisc add dev enp1s0 root handle 8001 cake diffserv3 bandwidth 2mbit
> #tc filter add dev enp1s0 parent 8001: protocol all \
>               u32 match u32 0 0 \
>               action skbedit priority 8001:1
>
> However as soon as the second command is executed all traffic drops,
> and it only resumes once I remove the filter.
>
> What am I doing wrong?

Hmm, nothing apart from using the classifiers in an unexpected (by me)
way ;)

Basically, what is happening is that the skbedit filter doesn't do
classification. In which case Cake will cheerfully drop the packet.

I just pushed a change to the upstream-4.18 branch which reworks the
filter classification so it'll still hash packets if the filter doesn't
make a decision, and also moves the tin selection to after the filter
has run, to give priority selection a chance to work (even if the
packets had not been dropped, you wouldn't have gotten the result you
wanted, since the skb->priority field was checked before the filters we
run...)

Please see if that works better :)

-Toke

[Cake] Fwd: Does the latest cake support "tc filter"?

[Georgios Amanakis]

---------- Forwarded message ----------
From: Georgios Amanakis <gamanakis@gmail.com>
Date: Wed, May 30, 2018 at 4:13 PM
Subject: Re: [Cake] Does the latest cake support "tc filter"?
To: Toke Høiland-Jørgensen <toke@toke.dk>


:) excellent work!
Now it works as expected!

Thanks again,
George

On Wed, May 30, 2018 at 3:58 PM, Toke Høiland-Jørgensen <toke@toke.dk> wrote:
> Georgios Amanakis <gamanakis@gmail.com> writes:
>
>>> Yes, the version submitted to upstream supports this. You can override
>>> which tin packets goes in by setting skb->priority from a filter or
>>> application (the major number needs to be set to the qdisc ID, and the
>>> minor number becomes the tin to queue packets in).
>>
>> Toke could you give an example how to do this?
>>
>> I am trying to put all traffic into tin 0:
>> #tc qdisc add dev enp1s0 root handle 8001 cake diffserv3 bandwidth 2mbit
>> #tc filter add dev enp1s0 parent 8001: protocol all \
>>               u32 match u32 0 0 \
>>               action skbedit priority 8001:1
>>
>> However as soon as the second command is executed all traffic drops,
>> and it only resumes once I remove the filter.
>>
>> What am I doing wrong?
>
> Hmm, nothing apart from using the classifiers in an unexpected (by me)
> way ;)
>
> Basically, what is happening is that the skbedit filter doesn't do
> classification. In which case Cake will cheerfully drop the packet.
>
> I just pushed a change to the upstream-4.18 branch which reworks the
> filter classification so it'll still hash packets if the filter doesn't
> make a decision, and also moves the tin selection to after the filter
> has run, to give priority selection a chance to work (even if the
> packets had not been dropped, you wouldn't have gotten the result you
> wanted, since the skb->priority field was checked before the filters we
> run...)
>
> Please see if that works better :)
>
> -Toke

Re: [Cake] Fwd: Does the latest cake support "tc filter"?

[Dave Taht]

I am very interested in collecting use cases and howtos as to how to
use this feature.

Re: [Cake] Fwd: Does the latest cake support "tc filter"?

[Toke Høiland-Jørgensen]

Dave Taht <dave.taht@gmail.com> writes:

> I am very interested in collecting use cases and howtos as to how to
> use this feature.

Well, with tc-bpf you can write a BPF program to do any processing you
like, and select diffserv tin and/or flow queue based on that... :)

-Toke

Re: [Cake] Fwd: Does the latest cake support "tc filter"?

[Dave Taht]

On Wed, May 30, 2018 at 1:30 PM, Toke Høiland-Jørgensen <toke@toke.dk> wrote:
> Dave Taht <dave.taht@gmail.com> writes:
>
>> I am very interested in collecting use cases and howtos as to how to
>> use this feature.
>
> Well, with tc-bpf you can write a BPF program to do any processing you
> like, and select diffserv tin and/or flow queue based on that... :)

I guess "why", is also a good pre-requisite.

My own thought for bpf was that it could be used to more actively
identify "bad guys" as a front
end to cake, dropping packets and never hitting it - but then I
realized that that would muck with the inbound shaper mode, yet again.


> -Toke



-- 

Dave Täht
CEO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-669-226-2619

Re: [Cake] Fwd: Does the latest cake support "tc filter"?

[Georgios Amanakis]

I don't have an explicit use case right now, but it gives somewhat
greater flexibility in classifying packets.

Particularly in the ingress mode with ifb (this would mostly apply to
an end-device, not so much to traffic being forwarded through a
router). We cannot set DSCP flags on incoming packets, since they just
arrived. However, we can use a filter on cake to assign them
explicitly to a tin.

We can do the following:
#tc qdisc add dev enp1s0 ingress handle ffff
#tc qdisc add dev ifb0 root handle 8002 cake bandwidth 11800kbit
diffserv3 ingress

#tc filter add dev ifb0 parent 8002: protocol ip \
        u32 match ip src 1.2.3.4/32 \
        action skbedit priority 8002:3

#tc filter add dev enp1s0 parent ffff: protocol all \
        u32 match u32 0 0 \
        action mirred egress redirect dev ifb0

George

Re: [Cake] Fwd: Does the latest cake support "tc filter"?

[Toke Høiland-Jørgensen]

Georgios Amanakis <gamanakis@gmail.com> writes:

> I don't have an explicit use case right now, but it gives somewhat
> greater flexibility in classifying packets.
>
> Particularly in the ingress mode with ifb (this would mostly apply to
> an end-device, not so much to traffic being forwarded through a
> router). We cannot set DSCP flags on incoming packets, since they just
> arrived. However, we can use a filter on cake to assign them
> explicitly to a tin.

Yes, I think the main use case is for the people who for whatever reason
want to assign static diffserv priorities, and who can't use iptables to
do so on ingress.

-Toke

Re: [Cake] Fwd: Does the latest cake support "tc filter"?

[Dave Taht]

I also worry that the new tc filter related code is going to cause
weirdness from other subsystems and deployments. Someone (for example)
sets iptables priorities or something else for some other reason to
make a set of iptables rules work (the skb-priority field is so
massively overloaded), and that messes up what cake wants.

this is why I elided tc filters entirely all those years ago.  I guess
the MAJ approach toke took is sufficient.

Re: [Cake] Fwd: Does the latest cake support "tc filter"?

[Toke Høiland-Jørgensen]

Dave Taht <dave.taht@gmail.com> writes:

> I also worry that the new tc filter related code is going to cause
> weirdness from other subsystems and deployments. Someone (for example)
> sets iptables priorities or something else for some other reason to
> make a set of iptables rules work (the skb-priority field is so
> massively overloaded), and that messes up what cake wants.
>
> this is why I elided tc filters entirely all those years ago.  I guess
> the MAJ approach toke took is sufficient.

Yeah. Stole that from fq_codel, actually. That allows you to select a
queue using the priority field as well as with an explicit classifier
(with the same major number check). So guess that is relatively safe :)

-Toke

Re: [Cake] Fwd: Does the latest cake support "tc filter"?

[Toke Høiland-Jørgensen]

Dave Taht <dave.taht@gmail.com> writes:

> On Wed, May 30, 2018 at 1:30 PM, Toke Høiland-Jørgensen <toke@toke.dk> wrote:
>> Dave Taht <dave.taht@gmail.com> writes:
>>
>>> I am very interested in collecting use cases and howtos as to how to
>>> use this feature.
>>
>> Well, with tc-bpf you can write a BPF program to do any processing you
>> like, and select diffserv tin and/or flow queue based on that... :)
>
> I guess "why", is also a good pre-requisite.

'Why not' is surely a better one ;)

Off the top of my head, putting things into queues based on some other
parameter than what cake knows. For instance, an ISP could create a BPF
map with the IP addresses of their customers and use that to give each
their own queue. Or, longer term, we could extend Cake to have a
configurable number of *tins*, and the same mechanism could be used to
give each customer a whole set of queues, in a single instance

> My own thought for bpf was that it could be used to more actively
> identify "bad guys" as a front
> end to cake, dropping packets and never hitting it - but then I
> realized that that would muck with the inbound shaper mode, yet again.

If you want to drop packets really fast (DDOS protection, for instance),
you'd want to do it in the ethernet driver using XDP. That can
cheerfully throw away packets at 40 Gbps line rates with minimum-sized
floods. If you're trying to protect yourself against a DDOS, an inbound
shaper is presumably not going to help you anyway, since DDOS attacks
generally don't use congestion control...

-Toke

Re: [Cake] Does the latest cake support "tc filter"?

[Toke Høiland-Jørgensen]

Georgios Amanakis <gamanakis@gmail.com> writes:

> :) excellent work!
> Now it works as expected!

Great! Thanks for testing :)

-Toke