From: leetminiwheat
Date: Mon, 13 Apr 2015 09:43:25 -0400
To: Sebastian Moeller, cerowrt-devel
Subject: Re: [Cerowrt-devel] squash/ignore DSCP and mangle table questions
List-Id: Development issues regarding the cerowrt test router project

On Mon, Apr 13, 2015 at 7:32 AM, Sebastian Moeller wrote:
> > >         "Squash DSCP on inbound packets (ingress):" this will replace all DSCP marks with 0x0 (I believe), but only after the ingress qdisc.
> > > In essence this means you can actually interpret ingress DSCP marks from upstream ("Ignore DSCP on ingress" set to ALLOW) but wipe them after the ingress shaping (with "Squash DSCP on inbound packets (ingress);" active). So the default should be "Ignore DSCP on ingress" and Squash (the second can be argued, as long as no one bases routing decisions on the marks they do not hurt). The rest of your questions are beyond my expertise...
> >
> > Hmm, why would we want to remove all DSCP on output then?
>
>         Because often we do not want to trust the internet to do the right thing and not game our classification? At least this is a common argument made...
>
> > I assume many ISPs and routers will squash them anyways,
>
>         ISPs are free to set the DSCP values to whatever suits them, and sometimes they do weird things, in essence per default we should not trust them...
>
> > but wouldn't it serve *some* purpose to differentiate between different traffic types?
>
>         Sure, if you know what you do setting reasonable DSCP values for VoIP sounds like a good thing (but due to fq_codel's inner working might not be required). Alas iptables is only available to us after the packets went through the IFB, so any resetting of DSCP values would be for internal network nodes, our shaper unfortunately can not use this information…

Curious, if fq_codel runs after iptables and can't use DSCP information, why does it mark packets in the mangle chain? I'm still trying to wrap my head around the --set-xmark

Relevant snippet here with squash disabled and ignore ingress set to allow. Can anyone answer why it's matching DSCP marks and what is it doing with xset? I assumed it was marking packets for use in QOS, such as the chain suggests "Chain QOS_MARK_ge00" but this is a jump target from both PREROUTING and POSTROUTING so it should hit FORWARD too,

#####################################################################################################
#iptables -nL -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  0.0.0.0/0            0.0.0.0/0            MARK xset 0x2/0xff
fwmark     all  --  0.0.0.0/0            0.0.0.0/0
QOS_MARK_ge00  all  --  0.0.0.0/0            0.0.0.0/0           [goto]  mark match 0x0/0xff

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
mssfix     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DSCP       udp  --  0.0.0.0/0            0.0.0.0/0            multiport ports 123,53 DSCP set 0x24

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
QOS_MARK_ge00  all  --  0.0.0.0/0            0.0.0.0/0           [goto]  mark match 0x0/0xff

Chain QOS_MARK_ge00 (2 references)
target     prot opt source               destination
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK xset 0x2/0xff
MARK       all  --  0.0.0.0/0            0.0.0.0/0            DSCP match 0x08 MARK xset 0x3/0xff
MARK       all  --  0.0.0.0/0            0.0.0.0/0            DSCP match 0x30 MARK xset 0x1/0xff
MARK       all  --  0.0.0.0/0            0.0.0.0/0            DSCP match 0x2e MARK xset 0x1/0xff
MARK       all  --  0.0.0.0/0            0.0.0.0/0            DSCP match 0x24 MARK xset 0x1/0xff
MARK       all  --  0.0.0.0/0            0.0.0.0/0            tos match0x10/0x3f MARK xset 0x1/0xff

Chain fwmark (1 references)
target     prot opt source               destination

Chain mssfix (1 references)
target     prot opt source               destination
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU
#####################################################################################################
#iptables -S -t mangle
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N fwmark
-N mssfix
-A PREROUTING -i vtun+ -p tcp -j MARK --set-xmark 0x2/0xff
-A PREROUTING -j fwmark
-A PREROUTING -i ge00 -m mark --mark 0x0/0xff -g QOS_MARK_ge00
-A FORWARD -j mssfix
-A OUTPUT -p udp -m multiport --ports 123,53 -j DSCP --set-dscp 0x24
-A POSTROUTING -o ge00 -m mark --mark 0x0/0xff -g QOS_MARK_ge00
-A QOS_MARK_ge00 -j MARK --set-xmark 0x2/0xff
-A QOS_MARK_ge00 -m dscp --dscp 0x08 -j MARK --set-xmark 0x3/0xff
-A QOS_MARK_ge00 -m dscp --dscp 0x30 -j MARK --set-xmark 0x1/0xff
-A QOS_MARK_ge00 -m dscp --dscp 0x2e -j MARK --set-xmark 0x1/0xff
-A QOS_MARK_ge00 -m dscp --dscp 0x24 -j MARK --set-xmark 0x1/0xff
-A QOS_MARK_ge00 -m tos --tos 0x10/0x3f -j MARK --set-xmark 0x1/0xff
-A mssfix -o ge00 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
#####################################################################################################

I've inserted my custom --set-dscp user created chains into PREROUTING and POSTROUTING, which I excluded from the above but I still don't understand what exactly these marks are doing, even after reading the documentation. It seems like it's still replacing DSCP from what I can tell.

------
Also, another unrelated question regarding queue buffers;

All my ifconfig interfaces show txqueuelen:1000 except for ifb4ge00 and ifb4gw00, both of which I have SQM rate limiting on. Wasn't this supposed to be tweaked by debloat scripts? /etc/config/debloat says obsoleted by /etc/hotplug.d/iface/02-debloat but that file is empty.

uci seems to show the txqueuelen options disabled. Did something change, are these not needed anymore, or did I screw up a config somewhere?

 # uci show | grep debloat
debloat.@wireless[0]=wireless
debloat.@wireless[0].txqueuelen=4
debloat.@wirelessn[0]=wirelessn
debloat.@wirelessn[0].txqueuelen=16
debloat.@wired10[0]=wired10
debloat.@wired10[0].txqueuelen=4
debloat.@wired100[0]=wired100
debloat.@wired100[0].txqueuelen=16
debloat.@wired1000[0]=wired1000
debloat.@wired1000[0].txqueuelen=32
uci: Entry not found

Thanks for your time, and my apologies if these questions seem dumb or regarded as unnecessary mailing list spam - I'm still learning and tweaking things. I do my best to search the wikis and Google before asking here.


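
Added example (not part of the original message and not CeroWRT's own code): a small Python model of the `QOS_MARK_ge00` chain from the `iptables -S -t mangle` listing above. `--set-xmark value/mask` clears the mask bits of the packet's firewall mark and XORs in the value; the MARK target never writes the DSCP field and is non-terminating, so the last matching rule decides the mark. Function names and sample packets are constructed for illustration.

```python
MASK32 = 0xFFFFFFFF

def set_xmark(mark, value, mask):
    """MARK --set-xmark value/mask: clear the mask bits, then XOR in value."""
    return ((mark & ~mask) ^ value) & MASK32

# (match kind, match value, match mask, new mark), copied from the listing.
QOS_MARK_GE00 = [
    ("any",  None, None, 0x2),   # -j MARK --set-xmark 0x2/0xff
    ("dscp", 0x08, None, 0x3),   # CS1
    ("dscp", 0x30, None, 0x1),   # CS6
    ("dscp", 0x2E, None, 0x1),   # EF
    ("dscp", 0x24, None, 0x1),   # AF42
    ("tos",  0x10, 0x3F, 0x1),   # -m tos --tos 0x10/0x3f
]

def rule_matches(kind, value, mask, tos_byte):
    if kind == "any":
        return True
    if kind == "dscp":                  # DSCP is the upper six bits of the TOS byte
        return (tos_byte >> 2) == value
    return (tos_byte & mask) == value   # tos match: masked compare on the whole byte

def traverse(tos_byte, mark=0):
    """Return (fwmark, tos_byte) after the ge00 hook rule and the chain."""
    # -m mark --mark 0x0/0xff -g QOS_MARK_ge00: only unmarked packets enter.
    if mark & 0xFF != 0:
        return mark, tos_byte
    for kind, value, mask, new in QOS_MARK_GE00:
        # MARK is non-terminating: every rule is tried, the last match wins.
        if rule_matches(kind, value, mask, tos_byte):
            mark = set_xmark(mark, new, 0xFF)
    return mark, tos_byte               # the TOS byte is never modified here

if __name__ == "__main__":
    # Constructed sample packets: (label, TOS byte, incoming fwmark).
    samples = [("best effort", 0x00, 0), ("CS1", 0x08 << 2, 0),
               ("EF", 0x2E << 2, 0), ("legacy TOS 0x10", 0x10, 0),
               ("AF22, ECN 00", 0x14 << 2, 0),
               ("EF, pre-marked 0x2", 0x2E << 2, 0x2)]
    for label, tos, mark in samples:
        fw, out_tos = traverse(tos, mark)
        print(f"{label:20} tos=0x{tos:02x} -> fwmark=0x{fw:x} tos=0x{out_tos:02x}")
```

The `tos 0x10/0x3f` rule compares the low six bits of the whole TOS byte, so it also matches any DSCP whose low four bits are 0100 while the ECN bits are zero (AF22 in the samples), not only the legacy TOS value 0x10.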