From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by huchra.bufferbloat.net (Postfix) with ESMTP id 805A3201A98 for ; Tue, 29 Jan 2013 13:21:39 -0800 (PST) Received: from mailout-de.gmx.net ([10.1.76.28]) by mrigmx.server.lan (mrigmx002) with ESMTP (Nemesis) id 0LwTpp-1V4ABS3KFb-018Jwt for ; Tue, 29 Jan 2013 22:21:37 +0100 Received: (qmail invoked by alias); 29 Jan 2013 21:21:37 -0000 Received: from tsaolab-fw.caltech.edu (EHLO [192.168.50.1]) [131.215.9.89] by mail.gmx.net (mp028) with SMTP; 29 Jan 2013 22:21:37 +0100 X-Authenticated: #24211782 X-Provags-ID: V01U2FsdGVkX19HL7pTdMlHd0zP3R+UeH7g0apTezeJEzGQ/iIcvv H+v/pj3dahOSvk Mime-Version: 1.0 (Apple Message framework v1283) Content-Type: text/plain; charset=windows-1252 From: Sebastian Moeller In-Reply-To: Date: Tue, 29 Jan 2013 13:21:32 -0800 Content-Transfer-Encoding: quoted-printable Message-Id: References: To: =?iso-8859-1?Q?Dave_T=E4ht?= X-Mailer: Apple Mail (2.1283) X-Y-GMX-Trusted: 0 Cc: cerowrt-devel@lists.bufferbloat.net Subject: Re: [Cerowrt-devel] Fixing simple_qos.sh X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Jan 2013 21:21:39 -0000 Hi Dave, On Jan 27, 2013, at 04:28 , Dave Taht wrote: > A couple things: >=20 > It has long been my plan to integrate simple_qos (call it ceroshaper) = into the gui, and have a test run automatically to determine the = uplink/downlink bandwidth, and store that in upnp. Any idea of how to determine link speed by a script? As I intend = to disable upnp it would be great if the link speeds still be stored = somewhere and/or manually overridden. I want a firewall since I do not = trust a number of devices too much, like an iPod and a nexus7 and want = to keep them under supervision, so allowing them to pierce the firewall = makes me feel a bit uneasy. Then again, Skype and friends figured out = how to do NAT traversal without upnp so disabling it will only buy me a = little more control with a lot more hassle. Any expert on the security = tradeoff involved with UPNP willing to give their opinion on this = question. In related news: = https://community.rapid7.com/community/infosec/blog/2013/01/29/security-fl= aws-in-universal-plug-and-play-unplug-dont-play So maybe my uneasyness has some grounding in reality, Mind you, I have = not yet tested whether cerowrt is affected (and I doubt that, since the = linked exploit requires old ). Related question should cero's firewall = drop tcp port 5000 and udp port 1900 connection requests on the wan = interface to put in belt and suspenders for UPNP remote exploits? But = how does the interact with using cerowrt as secondary router? (Being = away from the router I can not easily check/change the firewall = settings=85) >=20 > The gui interface stuff has long defeated me, as well as finding = enough servers to be the backend portion of the test. as for the latter = portion, I have got a couple linode boxes up and hope to get some more = boxes from another resource. as for the gui, I'm just hopeless there. >=20 > As for the shaper script... >=20 > One thing I notice right now is that an awful lot of stuff ends up in = the background bin for some reason.=20 Now I am away from my router and just equipped with an e-mailer, = that is typically when I am most dangerous ;), but when you send out = non-working examples earlier I wondered whether to check individual TOS = bits would you not have to mask off all other bits?=20 >=20 > Similar things are happening on (unshaped) wifi. There's a bug there I = think. >=20 > It's been my hope to finish cake (simple_qos poured into C and made = more 32 bit cpu oriented) for a month now. I hope that will fix the = background bin thing as it does full diffserv classification - but I = don't know when I'll be done, so it would be nice to figure out what's = going on. Ah, is this to have a drop in replacement for pfifo_fast? >=20 > One thing that testing (actually kathie) revealed last week is that = 1024 nfq_codel flows may be excessive. 32 works pretty good, actually, = and provides a defense indirectly, against bittorrent eating your life. = Why that works is that codel works pretty good against one or a few = flows in a single bin, and 32 bins limits the amount of delay that can = be injected into the system that is unmanagable via codel. I'd been = trying for "perfect isolation" between flows, but that meant that in an = extreme overload situation with 100s of flows, and low bandwidth, delay = could get out of hand. Question, is not the extreme condition round robin through all = other flows? So the worst case latency might arise if all flows are = eligible for one full MTU packet ;at (measly) DSL uplink speeds of say = 512Kbit/sec that means each sent package will hog the line for ~23ms, so = even at 32 queues the worst case latency would be 31 * 23 =3D 713 ms. So = no more than 4 queues can be serviced routinely before the system will = exceed target (assuming the default 100ms, but I might have that wrong) >=20 > Heck, 16 bins might be enough. Don't know.=20 >=20 > --=20 > Dave T=E4ht >=20 > Fixing bufferbloat with cerowrt: = http://www.teklibre.com/cerowrt/subscribe.html = _______________________________________________ > Cerowrt-devel mailing list > Cerowrt-devel@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/cerowrt-devel