From: John Sager <john@sager.me.uk>
To: cake@lists.bufferbloat.net
Subject: Re: [Cake] Using firewall connmarks as tin selectors
Date: Sun, 3 Mar 2019 12:22:29 +0000
Message-ID: <dc246339-bd63-7450-0660-63d3009feda5@sager.me.uk>
In-Reply-To: <67E78212-F68E-4BD1-946D-F1830EEA2968@darbyshire-bryant.me.uk>

If you are going to do that, I would suggest using a few of the upper bits
of the 32-bit fwmark/connmark space available, rather than the lowest bits.
That would then allow fwmarks to be used for other purposes, and the lowest
bits to be used as well in the future. As iptables allows a mask before comparison,
choose a specific mask for the bits you use, both for setting and testing.

regards,
John

On 03/03/2019 11:52, Kevin Darbyshire-Bryant wrote:
> Be afraid, be very afraid.
>
> I’ve woken up with two ideas in my head, one is bad, the other is very bad. The bad one is already implemented and lurking in the mine branch of my cake git tree:
>
> The bad idea:
>
> An extension of the ‘fwmark’ tin allocation idea is to get cake to automagically update the conntrack mark based on the DSCP tin allocation chosen on egress. That way, well behaved applications using DSCP (e.g. dropbear) get their return path packets similarly classified on ingress. Badly behaved applications can have iptables rules put in place to ‘manually’ add fwmarks as is already done.
>
>
> The very bad idea:
>
> And it’s bad ‘cos it’s sort of incompatible with the existing fwmark implementation as described above. So an awful lot of our shenanigans above is due to DSCP not traversing the internet particularly well. The solution above abstracts DSCP into ’tins’ which we put into fwmarks. Another approach would be to put the DSCP *into* the fwmark. CAKE could (optionally) copy the FWMARK contained DSCP into the diffserv field onto the actual packets. Voila DSCP traversal across ’tinternet with tin/bandwidth allocation in our local domain preserved.
>
>
>> On 28 Feb 2019, at 03:24, gamanakis@gmail.com wrote:
>>
>> I think it's much simpler to use than tc-filter, BPF or even DSCP bits.
>> Manipulating DSCP bits seems the simplest of the currently available mechanisms to classify traffic. Even in this case, fwmarks are essentially simpler.
>> E.g. if you want to classify outgoing traffic on the LAN interface:
>> with DSCP you need to manipulate DSCP bits on incoming packets on the WAN interface.
>> with fwmark you can directly mark outgoing packets on the LAN interface and cake will classify them appropriately.
>>
>>
>> _______________________________________________
>> Cake mailing list
>> Cake@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cake
>
>
> Cheers,
>
> Kevin D-B
>
> 012C ACB2 28C6 C53E 9775 9123 B3A2 389B 9DE2 334A
>
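
The masked set-and-test arrangement suggested in the reply above, as an added example that is not part of the original message or of cake's code. It models the arithmetic behind `--set-xmark value/mask` and `-m mark --mark value/mask` so mark collisions between subsystems can be checked offline; the top-8-bit tin field, the sample mark 0x42 and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Assumed layout (not from the thread): tin selector in the top 8 bits of the
# 32-bit mark, low 24 bits left free for other users (policy routing, firewall).
TIN_SHIFT=24
TIN_MASK=$(( 0xFF << TIN_SHIFT ))            # 0xff000000

# MARK/CONNMARK --set-xmark value/mask: clear the mask bits, then XOR in value.
set_xmark() {    # usage: set_xmark <mark> <value> <mask>
    echo $(( (($1 & ~$3) ^ $2) & 0xFFFFFFFF ))
}

# -m mark / -m connmark --mark value/mask: matches when (mark & mask) == value.
mark_match() {   # usage: mark_match <mark> <value> <mask>
    [ $(( $1 & $3 )) -eq $(( $2 )) ]
}

# Place a tin number into the assumed tin field.
tin_value() {    # usage: tin_value <tin>
    echo $(( ($1 << TIN_SHIFT) & TIN_MASK ))
}

# Format the value/mask argument so setting and testing use the same mask.
xmark_arg() {    # usage: xmark_arg <tin>
    printf '0x%08x/0x%08x\n' "$(tin_value "$1")" "$TIN_MASK"
}

# Constructed sample: a packet already carries 0x42 from some other rule set.
existing=0x42
masked=$(set_xmark "$existing" "$(tin_value 3)" "$TIN_MASK")
unmasked=$(set_xmark "$existing" "$(tin_value 3)" 0xFFFFFFFF)
printf 'masked set:   0x%08x (low bits preserved)\n' "$masked"
printf 'unmasked set: 0x%08x (low bits lost)\n' "$unmasked"

if mark_match "$masked" "$(tin_value 3)" "$TIN_MASK"; then
    echo "masked test matches tin 3 despite the unrelated low bits"
fi
if ! mark_match "$masked" "$(tin_value 3)" 0xFFFFFFFF; then
    echo "unmasked test misses tin 3 because the low bits differ"
fi
echo "rule argument for tin 3: $(xmark_arg 3)"
```
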