From: Nils Andreas Svee
To: John Sager, cake@lists.bufferbloat.net
Date: Sat, 22 May 2021 01:10:54 +0200
Subject: Re: [Cake] CAKE host isolation modes with NAT - two routers
List-Id: Cake - FQ_codel the next generation

For the time being you _can_ still see what domain a user is connecting to over TLS 1.3 (assuming ESNI isn't used). I wrote an iptables module doing just that a few years ago [1]. I also toyed with an nfqueue version a couple of years back, written in Go [2]. Of course, whenever ESNI becomes the norm they're both useless.

On-topic: So far I'm thinking I'll have to add one tc filter per host to get proper isolation.
Not sure if there's a big enough performance impact from adding a filter per host at boot time that I should add these dynamically when new hosts show up. I don't know tc all that well, but I imagine this'll do it:

> tc filter add dev eth0 parent 1: handle fw classid :0

[1]: https://github.com/Lochnair/xt_tls
[2]: https://github.com/Lochnair/nfq-tls

-- 
Best Regards,
Nils

On Fri, 2021-05-21 at 16:51 +0100, John Sager wrote:
> I did something similar some years ago in an attempt to divine video
> servers (eg YouTube) from their TLS certificates in Https connections
> to mark the connection appropriately. The nfqueue stuff worked
> beautifully, the cert stuff less so, so I abandoned it. With the latest
> TLS version the cert stuff is no longer visible anyway.
>
> There is a Python binding to libnetfilter_queue which might make it
> easier to play quickly.
>
> regards,
> John
>
>
> On 20 May 2021 17:07:43 BST, Nils Andreas Svee wrote:
> > Hi folks
> >
> > Currently my setup looks something like this: LAN <-> EdgeRouter <->
> > WireGuard <-> VPS <-> Internet.
> >
> > CAKE for upstream is running on the EdgeRouter and downstream on the
> > VPS.
> >
> > The public IPs are all on the VPS per today, so that the host
> > isolation can do its job with NAT enabled.
> >
> > Ideally I'd like to route the public IPs to each endpoint and handle
> > NAT-ing there, but then I'd obviously lose the ability to do proper
> > host isolation.
> >
> > Now, I've been toying with the idea of using a userspace application
> > to extract conntrack information, to let the VPS know which host hash
> > it should use.
> >
> > I might be way off here, but I'm thinking of using NFQUEUE to mark new
> > flows based on information from the EdgeRouter, and let tc filters
> > set the host hash based on that mark. For performance purposes only
> > send unmarked flows to NFQUEUE.
> >
> > I realise this is kinda overkill, but it might be a fun weekend
> > project.
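The per-host tc filter and "only queue unmarked flows" marking plan sketched in the thread, written out as an added example that is not code from the thread or from the xt_tls/nfq-tls projects. The interface name wg0, the qdisc handle 1:, the NFQUEUE number, the one-mark-per-host convention and the host table are assumptions; the script only prints the commands (dry run), so it runs without root or a qdisc.

```shell
#!/bin/sh
# Added example, not code from the thread or from xt_tls/nfq-tls: print the
# per-host CAKE filters and the NFQUEUE marking rules from Nils's plan.
# Assumed: CAKE is the root qdisc (handle 1:) on DEV, and the userspace helper
# behind NFQUEUE sets packet mark N for LAN host N and saves it to the connmark.
# sch_cake takes the host hash from the classid MAJOR and the flow hash from
# the MINOR (1-based, 0 = hash normally), so "classid N:0" pins only the host.
set -eu

DEV=wg0          # assumed shaping interface (downstream CAKE on the VPS)
PARENT=1:        # assumed CAKE qdisc handle
CAKE_QUEUES=1024 # sch_cake queues per tin; host index must not exceed this
QUEUE_NUM=0      # assumed NFQUEUE number the marking helper listens on

# Constructed host table (not from the thread): "<lan-ip> <host-index>".
HOSTS='192.168.1.10 1
192.168.1.11 2
192.168.1.12 3'

# One fw-mark filter for one host index. Values CAKE ignores (0 or above
# CAKE_QUEUES) are rejected: they would silently fall back to hashing on the
# NATed address and lose the isolation the filter exists to provide.
cake_host_filter_cmd() {
    id=$1
    if [ "$id" -lt 1 ] || [ "$id" -gt "$CAKE_QUEUES" ]; then
        echo "host index $id outside 1..$CAKE_QUEUES" >&2
        return 1
    fi
    printf 'tc filter add dev %s parent %s prio 1 handle %s fw classid %s:0\n' \
        "$DEV" "$PARENT" "$id" "$id"
}

# One filter per host, as in the thread's plan (at boot or as hosts appear).
cake_host_filters() {
    echo "$HOSTS" | while read -r ip id; do
        printf '# %s -> CAKE host index %s\n' "$ip" "$id"
        cake_host_filter_cmd "$id"
    done
}

# Restore a saved connmark first, then queue only still-unmarked packets (new
# flows) to the helper; --queue-bypass keeps traffic flowing if it is down.
nfqueue_mark_rules() {
    printf 'iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark\n'
    printf 'iptables -t mangle -A PREROUTING -m mark --mark 0 -j NFQUEUE --queue-num %s --queue-bypass\n' "$QUEUE_NUM"
}

nfqueue_mark_rules
cake_host_filters
```

Piping the output into sh applies it; the helper behind the queue still has to set the mark and CONNMARK --save-mark it, which is the part the thread leaves to userspace.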