From: Ryan Mounce <ryan@mounce.com.au>
To: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Cc: Cake List <cake@lists.bufferbloat.net>
Subject: Re: [Cake] act_conndscp
Date: Wed, 20 Mar 2019 14:01:26 +1030 [thread overview]
Message-ID: <CAN+fvRZkEHo4wq26ekaDmkQjygk1v7sPE+WCL73CkEQMYHrgPg@mail.gmail.com> (raw)
In-Reply-To: <AC87FD9C-70DE-4BB1-9827-AB2D5CB94FBB@darbyshire-bryant.me.uk>
[-- Attachment #1: Type: text/plain, Size: 1102 bytes --]
On Wed, 20 Mar 2019 at 07:57, Kevin Darbyshire-Bryant
<kevin@darbyshire-bryant.me.uk> wrote:
>
>
>
> > On 19 Mar 2019, at 21:24, Ryan Mounce <ryan@mounce.com.au> wrote:
> >
> > Hi Kevin,
> >
> > I've finally applied your patches, compiled, and flashed on my router.
> > Could you share your tc filter action for conndscp to get me started?
>
> Ahh! Ooops yes knew I forgot something - here’s my hacked up sqm-scripts/my_layer_cake.qos
Okay... I've just spent far longer than I'd like to admit relearning
the basics of tc filter in order to minify my scripts, but everything
is working now. See attached for my usage. I'm back to using the
Turris Omnia which has more than enough grunt to handle my 100/40
link, so I haven't put much thought into optimisation.
The only gotcha I ran into with your patch is the explanation
> MODE get (typically ingress) set (typically egress)
This is backwards, but it's confusing anyway. 'get' also sets bits in
the connmark while 'set' also gets bits from the connmark.
I'd suggest changing 'get' to 'save', and 'set' to 'restore'.
[-- Attachment #2: ryans-cake.txt --]
[-- Type: text/plain, Size: 2175 bytes --]
# /etc/rc.local
# EGRESS
tc qdisc del dev eth2 root
tc qdisc replace dev eth2 root handle 1111: cake \
dual-srchost nat fwmark 0x03 wash ack-filter oceanic mpu 64 overhead 26 bandwidth 40Mbit
tc -s qdisc show dev eth2
tc filter del dev eth2 parent 1111:
tc filter replace dev eth2 parent 1111: matchall action \
conndscp mask 0xfc000000 statemask 0x01000000 mode get
tc -s filter show dev eth2 parent 1111:
# INGRESS
ip link add name ibe2 type ifb
ip link set dev ibe2 up
tc qdisc del dev ibe2 root
tc qdisc replace dev ibe2 root cake \
ingress dual-dsthost nat fwmark 0x03 ack-filter oceanic mpu 64 overhead 26 bandwidth 99Mbit
tc -s qdisc show dev ibe2
tc qdisc del dev eth2 ingress
tc qdisc replace dev eth2 ingress handle ffff:
tc filter del dev eth2 parent ffff:
tc filter replace dev eth2 parent ffff: matchall action \
connmark \
conndscp mask 0xfc000000 statemask 0x01000000 mode set \
mirred egress redirect dev ibe2
tc -s filter show dev eth2 parent ffff:
# /etc/firewall.user
iptables -t mangle -N mangle_forward_eth2
ip6tables -t mangle -N mangle_forward_eth2
iptables -t mangle -A mangle_forward_eth2 -j CONNMARK --restore-mark --ctmask 0x03
ip6tables -t mangle -A mangle_forward_eth2 -j CONNMARK --restore-mark --ctmask 0x03
iptables -t mangle -A mangle_forward_eth2 -m mark ! --mark 0 -j RETURN
ip6tables -t mangle -A mangle_forward_eth2 -m mark ! --mark 0 -j RETURN
# Put all traffic to/from this host in cake's bulk tin
iptables -t mangle -A mangle_forward_eth2 -m mac --mac-source 01:23:45:67:89:ab -j MARK --set-mark 1
ip6tables -t mangle -A mangle_forward_eth2 -m mac --mac-source 01:23:45:67:89:ab -j MARK --set-mark 1
iptables -t mangle -A mangle_forward_eth2 -m mark --mark 0 -j RETURN
ip6tables -t mangle -A mangle_forward_eth2 -m mark --mark 0 -j RETURN
iptables -t mangle -A mangle_forward_eth2 -j CONNMARK --save-mark --ctmask 0x03 --nfmask 0x03
ip6tables -t mangle -A mangle_forward_eth2 -j CONNMARK --save-mark --ctmask 0x03 --nfmask 0x03
iptables -t mangle -A FORWARD -o eth2 -j mangle_forward_eth2
ip6tables -t mangle -A FORWARD -o eth2 -j mangle_forward_eth2
next prev parent reply other threads:[~2019-03-20 3:31 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-19 20:08 Kevin Darbyshire-Bryant
2019-03-19 21:24 ` Ryan Mounce
2019-03-19 21:27 ` Kevin Darbyshire-Bryant
2019-03-19 21:41 ` Toke Høiland-Jørgensen
2019-03-19 21:51 ` Kevin Darbyshire-Bryant
2019-03-19 21:59 ` Toke Høiland-Jørgensen
2019-03-20 3:31 ` Ryan Mounce [this message]
2019-03-20 8:25 ` Kevin Darbyshire-Bryant
2019-03-20 8:38 ` Sebastian Moeller
2019-03-20 9:01 ` Kevin Darbyshire-Bryant
2019-03-20 9:54 ` Sebastian Moeller
2019-03-20 10:15 ` Kevin Darbyshire-Bryant
2019-03-22 21:24 ` Kevin Darbyshire-Bryant
2019-03-23 18:35 ` Kevin Darbyshire-Bryant
2019-04-01 14:07 ` Kevin Darbyshire-Bryant
2019-04-01 23:52 ` Ryan Mounce
2019-03-20 9:06 ` Kevin Darbyshire-Bryant
2019-03-20 9:24 ` Kevin Darbyshire-Bryant
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cake.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAN+fvRZkEHo4wq26ekaDmkQjygk1v7sPE+WCL73CkEQMYHrgPg@mail.gmail.com \
--to=ryan@mounce.com.au \
--cc=cake@lists.bufferbloat.net \
--cc=kevin@darbyshire-bryant.me.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox