From: Pete Heist
To: Toke Høiland-Jørgensen
Cc: Cake List
Date: Sun, 06 Jun 2021 22:26:42 +0200
Subject: Re: [Cake] customizing Cake's isolation with ipsets, tc-flow and eBPF
List-Id: Cake - FQ_codel the next generation

On Sun, 2021-06-06 at 21:59 +0200, Toke Høiland-Jørgensen wrote:
> Pete Heist writes:
>
> > I've always wanted a way to customize Cake's host and flow isolation in
> > a way that would be usable e.g. for small ISPs, and this is what I came
> > up with:
> >
> > https://github.com/heistp/cake-custom-isolation
> >
> > ipsets are used to set the skb priority or mark, then tc-flow or a
> > simple eBPF classifier is used in a child filter of cake to get the
> > major and minor class IDs set, which override the host and flow
> > hashes.
>
> Very cool! Awesome to see the customisation options being used for
> something neat like this! :)
>
> > To show it in action, the cakeiso.sh script sets up a netns environment
> > and runs competition between two "subscribers" and three flows, two TCP
> > flows and one unresponsive UDP flow. Several configurations are run to
> > show what is and isn't possible.
> >
> > If anyone knows of a simpler way than eBPF to get both the major and
> > minor class ID set from ipsets, I'd like to hear it, but the included
> > classifiers are at least very simple one-liners...
>
> Well, you could go the other way? Instead of ipset, just do the
> classification in eBPF and use a BPF map to store the IP addresses.
> There's even an LPM map type, so you can use arbitrary prefix lengths
> for each class (or not, and just use a hashmap)...

True that, I started something like that at some point:

https://github.com/heistp/tc-users/

but I think I got a little overzealous with it. I'm not sure if/when
I'll get back to that, but the ipset solution seems to be "good enough"
for what I (and my ISP) need.

I'm glad you slipped the tc filter overrides in before Cake went out the
door. :)

This doesn't do away with the possible need for a full-blown ISP qdisc
one day, with configurable subscriber tiers, handling of higher loads,
etc, but at least it's something for the little guys.

Pete

> -Toke
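
The LPM-map approach suggested in the quoted reply, modeled in user space as an added example (not code from cake-custom-isolation or tc-users): a longest-prefix match picks the subscriber, which goes into the major half of the class ID with the flow in the minor half. The prefix table, the function names, the 1024 bound on override IDs and the meaning of a zero half are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define CAKE_QUEUES 1024u /* assumption: largest override ID Cake accepts */

/* Subscriber prefix (host byte order) and the host ID it maps to. */
struct prefix_entry { uint32_t net; uint8_t len; uint16_t host_id; };

/* Constructed sample table, standing in for the contents of an LPM map. */
static const struct prefix_entry subscribers[] = {
    { 0x0A000000u, 8, 1 },  /* 10.0.0.0/8  */
    { 0x0A070000u, 16, 2 }, /* 10.7.0.0/16 */
    { 0x0A070105u, 32, 3 }, /* 10.7.1.5/32 */
};

static uint32_t prefix_mask(uint8_t len)
{
    return len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
}

/* Longest-prefix match, as an LPM map lookup would do; 0 means no match. */
uint16_t lookup_host(uint32_t addr)
{
    uint16_t best = 0;
    int best_len = -1;
    for (size_t i = 0; i < sizeof(subscribers) / sizeof(subscribers[0]); i++) {
        const struct prefix_entry *e = &subscribers[i];
        if ((addr & prefix_mask(e->len)) == e->net && e->len > best_len) {
            best = e->host_id;
            best_len = e->len;
        }
    }
    return best;
}

/* Host in the major half, flow in the minor half. A zero half is treated as
 * "no override" (assumption); out-of-range IDs are cleared to zero. */
uint32_t make_classid(uint16_t host, uint16_t flow)
{
    if (host > CAKE_QUEUES) host = 0;
    if (flow > CAKE_QUEUES) flow = 0;
    return ((uint32_t)host << 16) | flow;
}

int main(void)
{
    printf("%08x\n", (unsigned)make_classid(lookup_host(0x0A070106u), 7));
    return 0;
}
```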