From: John Sager <john@sager.me.uk>
To: Cake List <cake@lists.bufferbloat.net>
Subject: Re: [Cake] conntrack lookup continuation
Date: Fri, 3 Feb 2017 19:01:17 +0000
Message-ID: <f3b1747f-8ace-4fe5-b160-3d6440df5f92@sager.me.uk>
In-Reply-To: <CAA93jw4w7KuTKzjMrvY2eVcOozTkesv+7yPu8Y317nE+0pZqxg@mail.gmail.com>

On 03/02/17 17:08, Dave Taht wrote:
> On Fri, Feb 3, 2017 at 8:42 AM, John Sager <john@sager.me.uk> wrote:
>> I would support this. It would allow cake to behave pretty much as I have
>> HTB+fq_codel currently set up for both egress and ingress (via ifb0) on my
>> border router/firewall. I fwmark egress traffic based on various criteria
>> using ip[6]tables & transfer the marks to conntrack where they are recovered
>> on ingress to classify inbound responses to outbound requests.
>
> I'm not huge on using fwmarks. Is this because you cannot re-mark
> w/dscp consistently via conntrack?
>
I've got 6 categories of traffic, which map onto 6 fwmarks which are used by
the HTB filters. I could easily use iptables to map those onto dscp marks
for cake to use on egress, but I still need the fwmarks (transferred to
conntrack) to classify ingress traffic, as it's unlikely that I would see
useful dscp marks from my ISP.

>>
>> It would also classify inbound traffic better if cake could use fwmarks in
>> that way as diffserv is currently pretty much useless for that purpose with
>> most ISPs.
>
> My understanding of this is that cake runs before iptables does on
> inbound. (?) so fw marks won't help here. But it's probable I'm wrong.

That's partly true. All the QoS stuff on the ingress side - both ppp0 (in my
case) and ifb0 - happens before it ever hits a netfilter hook. However my
ingress filter uses 'action connmark' to copy the conntrack mark to the
packet fwmark before redirecting to ifb0 so that the HTB filters can operate
on that.

As cake uses diffserv to classify, it would be good to carry dscp in the
conntrack & transfer it to incoming packets with an 'action' on the ingress
filter, but carrying dscp specifically in the conntrack record would be
quite a significant change to other parts of linux. Hence the use of fwmark
and the conntrack mark field, which already exist.

John
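
The arrangement described in this message, sketched as an added example; it is not part of the original post and is not John's actual configuration. The interface names follow the message (ppp0, ifb0); the mark values, ports, class ids and rates are assumptions, and two categories stand in for his six.

```shell
#!/bin/sh
# Added illustration, not John Sager's configuration. Interface names, mark
# values, ports and rates are assumptions; two categories stand in for six.
WAN=${WAN:-ppp0}
IFB=${IFB:-ifb0}

# Print each command by default; execute it only when APPLY=1 (needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

egress_marks() {
    # Classify outbound packets with fwmarks (assumed criteria: SSH=1, HTTPS=2).
    run iptables -t mangle -A POSTROUTING -o "$WAN" -p tcp --dport 22 -j MARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$WAN" -p tcp --dport 443 -j MARK --set-mark 2
    # Copy the packet mark into the connection's conntrack entry.
    run iptables -t mangle -A POSTROUTING -o "$WAN" -m mark ! --mark 0 -j CONNMARK --save-mark
}

ingress_redirect() {
    run ip link add "$IFB" type ifb
    run ip link set "$IFB" up
    run tc qdisc add dev "$WAN" handle ffff: ingress
    # This runs before any netfilter hook: 'action connmark' restores the
    # conntrack mark onto the packet, then mirred hands it to the IFB device.
    run tc filter add dev "$WAN" parent ffff: protocol all u32 match u32 0 0 \
        action connmark action mirred egress redirect dev "$IFB"
}

ifb_htb() {
    run tc qdisc add dev "$IFB" root handle 1: htb default 30
    run tc class add dev "$IFB" parent 1: classid 1:1 htb rate 40mbit
    for m in 1 2; do
        run tc class add dev "$IFB" parent 1:1 classid "1:${m}0" htb rate 10mbit ceil 40mbit
        run tc qdisc add dev "$IFB" parent "1:${m}0" fq_codel
        # fw classifier: restored fwmark $m selects class 1:${m}0.
        run tc filter add dev "$IFB" parent 1: protocol all handle "$m" fw classid "1:${m}0"
    done
    # Unmarked flows (mark 0, e.g. no matching egress rule) use default 1:30.
    run tc class add dev "$IFB" parent 1:1 classid 1:30 htb rate 20mbit ceil 40mbit
    run tc qdisc add dev "$IFB" parent 1:30 fq_codel
}

setup_connmark_shaping() { egress_marks; ingress_redirect; ifb_htb; }
setup_connmark_shaping
```

Run as written, the script only prints the commands; setting `APPLY=1` as root executes them.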