[Cake] conntrack lookup continuation

[Cake] conntrack lookup continuation

[Felix Resch]

Hoi! 

(longtime lurker here)

Since we now already do the conntrack-lookup for the nat keyword, would it be 
expensive to implement a kind of internal conntrack-mark-and-restore by cake-tin?

E.g. when traffic leaves throu canke tin#x, the conntrack entry will get a fwmark and return traffic is put in the corresponding tin/bin on the ingress cake.

cheers
felix

Re: [Cake] conntrack lookup continuation

[Jonathan Morton]

> On 31 Jan, 2017, at 16:49, Felix Resch <fuller@beif.de> wrote:
> 
> Since we now already do the conntrack-lookup for the nat keyword, would it be 
> expensive to implement a kind of internal conntrack-mark-and-restore by cake-tin?
> 
> E.g. when traffic leaves throu canke tin#x, the conntrack entry will get a fwmark and return traffic is put in the corresponding tin/bin on the ingress cake.

That’s an interesting idea.  At this point I don’t know how easy it is to implement, though.

Certainly we need to clean up some other things first.

 - Jonathan Morton

Re: [Cake] conntrack lookup continuation

[John Sager]

I would support this. It would allow cake to behave pretty much as I have
HTB+fq_codel currently set up for both egress and ingress (via ifb0) on my
border router/firewall. I fwmark egress traffic based on various criteria
using ip[6]tables & transfer the marks to conntrack where they are recovered
on ingress to classify inbound responses to outbound requests.

It would also classify inbound traffic better if cake could use fwmarks in
that way as diffserv is currently pretty much useless for that purpose with
most ISPs.

John

On 31/01/17 21:14, chromatix99 at gmail.com (Jonathan Morton) wrote:
>> On 31 Jan, 2017, at 16:49, Felix Resch <fuller at beif.de> wrote:
>>
>> Since we now already do the conntrack-lookup for the nat keyword, would it be 
>> expensive to implement a kind of internal conntrack-mark-and-restore by cake-tin?
>>
>> E.g. when traffic leaves throu canke tin#x, the conntrack entry will get a fwmark and return traffic is put in the corresponding tin/bin on the ingress cake.
> 
> That's an interesting idea.  At this point I don't know how easy it is to implement, though.
> 
> Certainly we need to clean up some other things first.
> 
>  - Jonathan Morton
> 
> 

Re: [Cake] conntrack lookup continuation

[Dave Taht]

On Fri, Feb 3, 2017 at 8:42 AM, John Sager <john@sager.me.uk> wrote:
> I would support this. It would allow cake to behave pretty much as I have
> HTB+fq_codel currently set up for both egress and ingress (via ifb0) on my
> border router/firewall. I fwmark egress traffic based on various criteria
> using ip[6]tables & transfer the marks to conntrack where they are recovered
> on ingress to classify inbound responses to outbound requests.

I'm not huge on using fwmarks. Is this because you cannot re-mark
w/dscp consistently via conntrack?

>
> It would also classify inbound traffic better if cake could use fwmarks in
> that way as diffserv is currently pretty much useless for that purpose with
> most ISPs.

My understanding of this is that cake runs before iptables does on
inbound. (?) so fw marks won't help here. But it's probable I'm wrong.

> John
>
> On 31/01/17 21:14, chromatix99 at gmail.com (Jonathan Morton) wrote:
>>> On 31 Jan, 2017, at 16:49, Felix Resch <fuller at beif.de> wrote:
>>>
>>> Since we now already do the conntrack-lookup for the nat keyword, would it be
>>> expensive to implement a kind of internal conntrack-mark-and-restore by cake-tin?
>>>
>>> E.g. when traffic leaves throu canke tin#x, the conntrack entry will get a fwmark and return traffic is put in the corresponding tin/bin on the ingress cake.
>>
>> That's an interesting idea.  At this point I don't know how easy it is to implement, though.
>>
>> Certainly we need to clean up some other things first.
>>
>>  - Jonathan Morton
>>
>>
> _______________________________________________
> Cake mailing list
> Cake@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cake



-- 
Dave Täht
Let's go make home routers and wifi faster! With better software!
http://blog.cerowrt.org

Re: [Cake] conntrack lookup continuation

[John Sager]

On 03/02/17 17:08, Dave Taht wrote:
> On Fri, Feb 3, 2017 at 8:42 AM, John Sager <john@sager.me.uk> wrote:
>> I would support this. It would allow cake to behave pretty much as I have
>> HTB+fq_codel currently set up for both egress and ingress (via ifb0) on my
>> border router/firewall. I fwmark egress traffic based on various criteria
>> using ip[6]tables & transfer the marks to conntrack where they are recovered
>> on ingress to classify inbound responses to outbound requests.
> 
> I'm not huge on using fwmarks. Is this because you cannot re-mark
> w/dscp consistently via conntrack?
> 

I've got 6 categories of traffic, which map onto 6 fwmarks which are used by
the HTB filters. I could easily use iptables to map those onto dscp marks
for cake to use on egress, but I still need the fwmarks (transferred to
conntrack) to classify ingress traffic, as it's unlikely that I would see
useful dscp marks from my ISP.

>>
>> It would also classify inbound traffic better if cake could use fwmarks in
>> that way as diffserv is currently pretty much useless for that purpose with
>> most ISPs.
> 
> My understanding of this is that cake runs before iptables does on
> inbound. (?) so fw marks won't help here. But it's probable I'm wrong.

That's partly true. All the QoS stuff on the ingress side - both ppp0 (in my
case) and ifb0 - happens before it ever hits a netfilter hook. However my
ingress filter uses 'action connmark' to copy the conntrack mark to the
packet fwmark before redirecting to ifb0 so that the HTB filters can operate
on that.

As cake uses diffserv to classify, it would be good to carry dscp in the
conntrack & transfer it to incoming packets with an 'action' on the ingress
filter, but carrying dscp specifically in the conntrack record would be
quite a significant change to other parts of linux. Hence the use of fwmark
and the conntrack mark field, which already exist.

John

Re: [Cake] conntrack lookup continuation

[Jonathan Morton]

> On 3 Feb, 2017, at 21:01, John Sager <john@sager.me.uk> wrote:
> 
> As cake uses diffserv to classify, it would be good to carry dscp in the
> conntrack & transfer it to incoming packets with an 'action' on the ingress
> filter, but carrying dscp specifically in the conntrack record would be
> quite a significant change to other parts of linux. Hence the use of fwmark
> and the conntrack mark field, which already exist.

Yes, this is what I thought you meant.

As fwmark just sets “a number” on the conntrack record, there’s no reason in principle not to have that number be a DSCP (or some reasonably transformed representation of one).  The trick is then for cake to extract that number from the conntrack record (having looked it up), and if it looks valid, to use it as the packet’s DSCP instead of the one on the packet itself.

In principle, that should not be difficult.  For the moment however, I’ve got my hands full with writing a report on performance tests I’ve been running, and then getting reacquainted with some code changes that happened while I was looking elsewhere.

 - Jonathan Morton

Re: [Cake] conntrack lookup continuation

[John Sager]

No problem. The distro I use for my firewall (LEAF-bering) doesn't support
cake yet, though I could build the module & cake-aware tc with its
toolchain, so I'll continue with HTB+fq_codel & keep an eye on this list.

John

On 03/02/17 19:30, Jonathan Morton wrote:
> 
>> On 3 Feb, 2017, at 21:01, John Sager <john@sager.me.uk> wrote:
>>
>> As cake uses diffserv to classify, it would be good to carry dscp in the
>> conntrack & transfer it to incoming packets with an 'action' on the ingress
>> filter, but carrying dscp specifically in the conntrack record would be
>> quite a significant change to other parts of linux. Hence the use of fwmark
>> and the conntrack mark field, which already exist.
> 
> Yes, this is what I thought you meant.
> 
> As fwmark just sets “a number” on the conntrack record, there’s no reason in principle not to have that number be a DSCP (or some reasonably transformed representation of one).  The trick is then for cake to extract that number from the conntrack record (having looked it up), and if it looks valid, to use it as the packet’s DSCP instead of the one on the packet itself.
> 
> In principle, that should not be difficult.  For the moment however, I’ve got my hands full with writing a report on performance tests I’ve been running, and then getting reacquainted with some code changes that happened while I was looking elsewhere.
> 
>  - Jonathan Morton
> 

Re: [Cake] conntrack lookup continuation

[Konstantin Shalygin]

On 02/04/2017 02:01 AM, John Sager wrote:

> I've got 6 categories of traffic, which map onto 6 fwmarks which are used by
> the HTB filters. I could easily use iptables to map those onto dscp marks
> for cake to use on egress, but I still need the fwmarks (transferred to
> conntrack) to classify ingress traffic, as it's unlikely that I would see
> useful dscp marks from my ISP.

Maybe you try IMQ? http://www.linuximq.net/

Re: [Cake] conntrack lookup continuation

[John Sager]

I do use ifb, which does the same job as imq and it is in the mainline kernel.

On 04/02/17 05:51, Konstantin Shalygin wrote:
> On 02/04/2017 02:01 AM, John Sager wrote:
> 
>> I've got 6 categories of traffic, which map onto 6 fwmarks which are used by
>> the HTB filters. I could easily use iptables to map those onto dscp marks
>> for cake to use on egress, but I still need the fwmarks (transferred to
>> conntrack) to classify ingress traffic, as it's unlikely that I would see
>> useful dscp marks from my ISP.
> 
> Maybe you try IMQ? http://www.linuximq.net/
> _______________________________________________
> Cake mailing list
> Cake@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cake