* [Cake] conntrack lookup continuation @ 2017-01-31 14:49 Felix Resch 2017-01-31 21:14 ` Jonathan Morton 0 siblings, 1 reply; 9+ messages in thread From: Felix Resch @ 2017-01-31 14:49 UTC (permalink / raw) To: cake Hoi! (longtime lurker here) Since we now already do the conntrack-lookup for the nat keyword, would it be expensive to implement a kind of internal conntrack-mark-and-restore by cake-tin? E.g. when traffic leaves throu canke tin#x, the conntrack entry will get a fwmark and return traffic is put in the corresponding tin/bin on the ingress cake. cheers felix ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Cake] conntrack lookup continuation 2017-01-31 14:49 [Cake] conntrack lookup continuation Felix Resch @ 2017-01-31 21:14 ` Jonathan Morton 2017-02-03 16:42 ` John Sager 0 siblings, 1 reply; 9+ messages in thread From: Jonathan Morton @ 2017-01-31 21:14 UTC (permalink / raw) To: Felix Resch; +Cc: cake > On 31 Jan, 2017, at 16:49, Felix Resch <fuller@beif.de> wrote: > > Since we now already do the conntrack-lookup for the nat keyword, would it be > expensive to implement a kind of internal conntrack-mark-and-restore by cake-tin? > > E.g. when traffic leaves throu canke tin#x, the conntrack entry will get a fwmark and return traffic is put in the corresponding tin/bin on the ingress cake. That’s an interesting idea. At this point I don’t know how easy it is to implement, though. Certainly we need to clean up some other things first. - Jonathan Morton ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Cake] conntrack lookup continuation 2017-01-31 21:14 ` Jonathan Morton @ 2017-02-03 16:42 ` John Sager 2017-02-03 17:08 ` Dave Taht 0 siblings, 1 reply; 9+ messages in thread From: John Sager @ 2017-02-03 16:42 UTC (permalink / raw) To: Cake List I would support this. It would allow cake to behave pretty much as I have HTB+fq_codel currently set up for both egress and ingress (via ifb0) on my border router/firewall. I fwmark egress traffic based on various criteria using ip[6]tables & transfer the marks to conntrack where they are recovered on ingress to classify inbound responses to outbound requests. It would also classify inbound traffic better if cake could use fwmarks in that way as diffserv is currently pretty much useless for that purpose with most ISPs. John On 31/01/17 21:14, chromatix99 at gmail.com (Jonathan Morton) wrote: >> On 31 Jan, 2017, at 16:49, Felix Resch <fuller at beif.de> wrote: >> >> Since we now already do the conntrack-lookup for the nat keyword, would it be >> expensive to implement a kind of internal conntrack-mark-and-restore by cake-tin? >> >> E.g. when traffic leaves throu canke tin#x, the conntrack entry will get a fwmark and return traffic is put in the corresponding tin/bin on the ingress cake. > > That's an interesting idea. At this point I don't know how easy it is to implement, though. > > Certainly we need to clean up some other things first. > > - Jonathan Morton > > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Cake] conntrack lookup continuation 2017-02-03 16:42 ` John Sager @ 2017-02-03 17:08 ` Dave Taht 2017-02-03 19:01 ` John Sager 0 siblings, 1 reply; 9+ messages in thread From: Dave Taht @ 2017-02-03 17:08 UTC (permalink / raw) To: John Sager; +Cc: Cake List On Fri, Feb 3, 2017 at 8:42 AM, John Sager <john@sager.me.uk> wrote: > I would support this. It would allow cake to behave pretty much as I have > HTB+fq_codel currently set up for both egress and ingress (via ifb0) on my > border router/firewall. I fwmark egress traffic based on various criteria > using ip[6]tables & transfer the marks to conntrack where they are recovered > on ingress to classify inbound responses to outbound requests. I'm not huge on using fwmarks. Is this because you cannot re-mark w/dscp consistently via conntrack? > > It would also classify inbound traffic better if cake could use fwmarks in > that way as diffserv is currently pretty much useless for that purpose with > most ISPs. My understanding of this is that cake runs before iptables does on inbound. (?) so fw marks won't help here. But it's probable I'm wrong. > John > > On 31/01/17 21:14, chromatix99 at gmail.com (Jonathan Morton) wrote: >>> On 31 Jan, 2017, at 16:49, Felix Resch <fuller at beif.de> wrote: >>> >>> Since we now already do the conntrack-lookup for the nat keyword, would it be >>> expensive to implement a kind of internal conntrack-mark-and-restore by cake-tin? >>> >>> E.g. when traffic leaves throu canke tin#x, the conntrack entry will get a fwmark and return traffic is put in the corresponding tin/bin on the ingress cake. >> >> That's an interesting idea. At this point I don't know how easy it is to implement, though. >> >> Certainly we need to clean up some other things first. >> >> - Jonathan Morton >> >> > _______________________________________________ > Cake mailing list > Cake@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/cake -- Dave Täht Let's go make home routers and wifi faster! With better software! http://blog.cerowrt.org ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Cake] conntrack lookup continuation 2017-02-03 17:08 ` Dave Taht @ 2017-02-03 19:01 ` John Sager 2017-02-03 19:30 ` Jonathan Morton 2017-02-04 5:51 ` Konstantin Shalygin 0 siblings, 2 replies; 9+ messages in thread From: John Sager @ 2017-02-03 19:01 UTC (permalink / raw) To: Cake List On 03/02/17 17:08, Dave Taht wrote: > On Fri, Feb 3, 2017 at 8:42 AM, John Sager <john@sager.me.uk> wrote: >> I would support this. It would allow cake to behave pretty much as I have >> HTB+fq_codel currently set up for both egress and ingress (via ifb0) on my >> border router/firewall. I fwmark egress traffic based on various criteria >> using ip[6]tables & transfer the marks to conntrack where they are recovered >> on ingress to classify inbound responses to outbound requests. > > I'm not huge on using fwmarks. Is this because you cannot re-mark > w/dscp consistently via conntrack? > I've got 6 categories of traffic, which map onto 6 fwmarks which are used by the HTB filters. I could easily use iptables to map those onto dscp marks for cake to use on egress, but I still need the fwmarks (transferred to conntrack) to classify ingress traffic, as it's unlikely that I would see useful dscp marks from my ISP. >> >> It would also classify inbound traffic better if cake could use fwmarks in >> that way as diffserv is currently pretty much useless for that purpose with >> most ISPs. > > My understanding of this is that cake runs before iptables does on > inbound. (?) so fw marks won't help here. But it's probable I'm wrong. That's partly true. All the QoS stuff on the ingress side - both ppp0 (in my case) and ifb0 - happens before it ever hits a netfilter hook. However my ingress filter uses 'action connmark' to copy the conntrack mark to the packet fwmark before redirecting to ifb0 so that the HTB filters can operate on that. As cake uses diffserv to classify, it would be good to carry dscp in the conntrack & transfer it to incoming packets with an 'action' on the ingress filter, but carrying dscp specifically in the conntrack record would be quite a significant change to other parts of linux. Hence the use of fwmark and the conntrack mark field, which already exist. John ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Cake] conntrack lookup continuation 2017-02-03 19:01 ` John Sager @ 2017-02-03 19:30 ` Jonathan Morton 2017-02-03 21:25 ` John Sager 2017-02-04 5:51 ` Konstantin Shalygin 1 sibling, 1 reply; 9+ messages in thread From: Jonathan Morton @ 2017-02-03 19:30 UTC (permalink / raw) To: John Sager; +Cc: Cake List > On 3 Feb, 2017, at 21:01, John Sager <john@sager.me.uk> wrote: > > As cake uses diffserv to classify, it would be good to carry dscp in the > conntrack & transfer it to incoming packets with an 'action' on the ingress > filter, but carrying dscp specifically in the conntrack record would be > quite a significant change to other parts of linux. Hence the use of fwmark > and the conntrack mark field, which already exist. Yes, this is what I thought you meant. As fwmark just sets “a number” on the conntrack record, there’s no reason in principle not to have that number be a DSCP (or some reasonably transformed representation of one). The trick is then for cake to extract that number from the conntrack record (having looked it up), and if it looks valid, to use it as the packet’s DSCP instead of the one on the packet itself. In principle, that should not be difficult. For the moment however, I’ve got my hands full with writing a report on performance tests I’ve been running, and then getting reacquainted with some code changes that happened while I was looking elsewhere. - Jonathan Morton ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Cake] conntrack lookup continuation 2017-02-03 19:30 ` Jonathan Morton @ 2017-02-03 21:25 ` John Sager 0 siblings, 0 replies; 9+ messages in thread From: John Sager @ 2017-02-03 21:25 UTC (permalink / raw) To: Cake List No problem. The distro I use for my firewall (LEAF-bering) doesn't support cake yet, though I could build the module & cake-aware tc with its toolchain, so I'll continue with HTB+fq_codel & keep an eye on this list. John On 03/02/17 19:30, Jonathan Morton wrote: > >> On 3 Feb, 2017, at 21:01, John Sager <john@sager.me.uk> wrote: >> >> As cake uses diffserv to classify, it would be good to carry dscp in the >> conntrack & transfer it to incoming packets with an 'action' on the ingress >> filter, but carrying dscp specifically in the conntrack record would be >> quite a significant change to other parts of linux. Hence the use of fwmark >> and the conntrack mark field, which already exist. > > Yes, this is what I thought you meant. > > As fwmark just sets “a number” on the conntrack record, there’s no reason in principle not to have that number be a DSCP (or some reasonably transformed representation of one). The trick is then for cake to extract that number from the conntrack record (having looked it up), and if it looks valid, to use it as the packet’s DSCP instead of the one on the packet itself. > > In principle, that should not be difficult. For the moment however, I’ve got my hands full with writing a report on performance tests I’ve been running, and then getting reacquainted with some code changes that happened while I was looking elsewhere. > > - Jonathan Morton > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Cake] conntrack lookup continuation 2017-02-03 19:01 ` John Sager 2017-02-03 19:30 ` Jonathan Morton @ 2017-02-04 5:51 ` Konstantin Shalygin 2017-02-04 9:12 ` John Sager 1 sibling, 1 reply; 9+ messages in thread From: Konstantin Shalygin @ 2017-02-04 5:51 UTC (permalink / raw) To: cake On 02/04/2017 02:01 AM, John Sager wrote: > I've got 6 categories of traffic, which map onto 6 fwmarks which are used by > the HTB filters. I could easily use iptables to map those onto dscp marks > for cake to use on egress, but I still need the fwmarks (transferred to > conntrack) to classify ingress traffic, as it's unlikely that I would see > useful dscp marks from my ISP. Maybe you try IMQ? http://www.linuximq.net/ ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Cake] conntrack lookup continuation 2017-02-04 5:51 ` Konstantin Shalygin @ 2017-02-04 9:12 ` John Sager 0 siblings, 0 replies; 9+ messages in thread From: John Sager @ 2017-02-04 9:12 UTC (permalink / raw) To: cake I do use ifb, which does the same job as imq and it is in the mainline kernel. On 04/02/17 05:51, Konstantin Shalygin wrote: > On 02/04/2017 02:01 AM, John Sager wrote: > >> I've got 6 categories of traffic, which map onto 6 fwmarks which are used by >> the HTB filters. I could easily use iptables to map those onto dscp marks >> for cake to use on egress, but I still need the fwmarks (transferred to >> conntrack) to classify ingress traffic, as it's unlikely that I would see >> useful dscp marks from my ISP. > > Maybe you try IMQ? http://www.linuximq.net/ > _______________________________________________ > Cake mailing list > Cake@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/cake ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2017-02-04 9:13 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-01-31 14:49 [Cake] conntrack lookup continuation Felix Resch 2017-01-31 21:14 ` Jonathan Morton 2017-02-03 16:42 ` John Sager 2017-02-03 17:08 ` Dave Taht 2017-02-03 19:01 ` John Sager 2017-02-03 19:30 ` Jonathan Morton 2017-02-03 21:25 ` John Sager 2017-02-04 5:51 ` Konstantin Shalygin 2017-02-04 9:12 ` John Sager
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox