From: Kevin Darbyshire-Bryant
To: Toke Høiland-Jørgensen
CC: David Miller, Cake List, Linux Kernel Network Developers, "netfilter-devel@vger.kernel.org"
Subject: Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier
Date: Thu, 24 May 2018 04:52:16 +0000
In-Reply-To: <878t8axafk.fsf@toke.dk>

> On 23 May 2018, at 23:40, Toke Høiland-Jørgensen wrote:
>
> Hmm, and we still have an issue with ingress filtering (where cake is
> running on an ifb interface). That runs pre-NAT in the conntrack case,
> and we can't do the RX trick. Here we do the lookup manually in
> conntrack (and this part is actually what brings in most of the
> dependencies). Any neat tricks up your sleeve for this case? :)

I wonder here if our terminology with ‘ingress’ is causing confusion. For avoidance of doubt:

Typical use case of cake on LAN/WAN router requires two instances. One instance (the egress) is on the WAN interface itself. It is post conntrack and hence uses skb->nfct to work out the real pre-nat source address of the LAN hosts.

Since we cannot apply this qdisc to the ingress of our WAN interface we use an IFB to mirror the ingress packets, and then use a cake instance on the ifb interface on its egress path to in essence control the ingress traffic.

Cake has two modes, the normal ‘egress’ mode which is designed to be used when controlling egress traffic output, and shapes post any dropped packets. ‘ingress’ mode is designed to be used on the egress of our ingress IFB, where the shaper counts all packets used (well they got here!) even if we decide to drop them a bit later.

The ifb positioned cake has the additional fun factor that the conntrack field hasn’t yet been filled in, so the qdisc has to go looking in the conntrack tables itself to see if any NATting has taken place and balance LAN host fairness based on that.

As far as I understand it, the flow dissector doesn’t obviously help with working out the pre-NAT addressing as the flow has already been mangled in the egress case, and is awaiting mangling on the ingress case.

Kevin
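
The two lookups described in the message above, as an added userspace model that is not part of the original email and not code from the sch_cake patch: it shows why both cake instances need the conntrack mapping to tell LAN hosts apart once they share one WAN address. The struct layout, `lan_host()` and the sample addresses are assumptions made for illustration, and the model searches a table in both directions, whereas the message says the WAN egress instance reads the entry already attached to the packet via skb->nfct.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP(a,b,c,d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

/* Simplified 4-tuple (hypothetical layout, not the kernel's). */
struct tuple { uint32_t src, dst; uint16_t sport, dport; };
/* One NAT mapping: original direction (LAN host -> remote) and the
 * expected reply (remote -> WAN address). */
struct ct_entry { struct tuple orig, reply; };

/* Constructed sample: two LAN hosts masqueraded behind 203.0.113.1. */
static const struct ct_entry sample_ct[] = {
    { { IP(192,168,1,10), IP(198,51,100,7), 40000, 443 },
      { IP(198,51,100,7), IP(203,0,113,1), 443, 40000 } },
    { { IP(192,168,1,11), IP(198,51,100,7), 40000, 443 },
      { IP(198,51,100,7), IP(203,0,113,1), 443, 40001 } },
};

static int tuple_eq(struct tuple a, struct tuple b)
{
    return a.src == b.src && a.dst == b.dst &&
           a.sport == b.sport && a.dport == b.dport;
}

static struct tuple invert(struct tuple t)
{
    struct tuple r = { t.dst, t.src, t.dport, t.sport };
    return r;
}

/* Return the LAN host a packet belongs to, or 0 if no mapping exists.
 * WAN egress sees post-NAT packets (the inverse of the reply tuple);
 * the IFB sees inbound packets before NAT is undone (the reply tuple). */
uint32_t lan_host(const struct ct_entry *tbl, size_t n, struct tuple pkt)
{
    for (size_t i = 0; i < n; i++)
        if (tuple_eq(pkt, tbl[i].reply) || tuple_eq(pkt, invert(tbl[i].reply)))
            return tbl[i].orig.src;
    return 0;
}

int main(void)
{
    struct tuple out = { IP(203,0,113,1), IP(198,51,100,7), 40001, 443 };
    struct tuple in  = { IP(198,51,100,7), IP(203,0,113,1), 443, 40000 };
    printf("egress host %08x, ingress host %08x\n",
           (unsigned)lan_host(sample_ct, 2, out), (unsigned)lan_host(sample_ct, 2, in));
    return 0;
}
```

Both post-NAT egress packets carry the same source address, and both inbound packets on the IFB carry the same destination address, so only the conntrack mapping separates the hosts for fairness.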