From: leetminiwheat
Date: Mon, 13 Apr 2015 06:27:10 -0400
To: Sebastian Moeller
Cc: cerowrt-devel
Subject: Re: [Cerowrt-devel] squash/ignore DSCP and mangle table questions
List-Id: Development issues regarding the cerowrt test router project

Thanks for the reply,

On Mon, Apr 13, 2015 at 3:36 AM, Sebastian Moeller wrote:

> "Ignore DSCP on ingress", this basically uses a 1-tier HTB shaper on ingress, DSCP marks in the packets are simply ignored, but not touched.

So if I understand this correctly, this means they're kind of in passthrough mode on ignore but the qdiscs don't act on them due to no iptables MARKing? And if *not* ignoring DSCP on ingress, they're still passed through untouched but prioritized internally with the qdiscs?

> "Squash DSCP on inbound packets (ingress):" this will replace all DSCP marks with 0x0 (I believe), but only after the ingress qdisc.
> In essence this means you can actually interpret ingress DSCP marks from upstream ("Ignore DSCP on ingress" set to ALLOW) but wipe them after the ingress shaping (with "Squash DSCP on inbound packets (ingress);" active). So the default should be "Ignore DSCP on ingress" and Squash (the second can be argued, as long as no one bases routing decisions on the marks they do not hurt). The rest of your questions are beyond my expertise...

Hmm, why would we want to remove all DSCP on output then? I assume many ISPs and routers will squash them anyways, but wouldn't it serve *some* purpose to differentiate between different traffic types?

Also, regarding my mangling questions I think I figured out the correct chains to insert my rules in. mangle PREROUTING and mangle POSTROUTING because both of those have a jump at the end to a chain that MARKs for qdiscs based on DSCP values. They appear to be working since I see the MARK rules counting upward. I assume PRE and POST go through FORWARD anyways so it's redundant, and using FORWARD only didn't appear to be working. I've ended up with this:

# Mangle sw10 packets to reclassify mumble traffic. Hopefully this passes through DSCP so WMM can recognize 0x2e as VoIP traffic
iptables -t mangle -N RECLASS_sw10
iptables -t mangle -A RECLASS_sw10 -p tcp -m tcp --sport 6484 -j DSCP --set-dscp 0x2e
iptables -t mangle -A RECLASS_sw10 -p tcp -m tcp --dport 6484 -j DSCP --set-dscp 0x2e
iptables -t mangle -A RECLASS_sw10 -p udp -m udp --sport 6484 -j DSCP --set-dscp 0x2e
iptables -t mangle -A RECLASS_sw10 -p udp -m udp --dport 6484 -j DSCP --set-dscp 0x2e
iptables -t mangle -I PREROUTING -i sw10 -j RECLASS_sw10
iptables -t mangle -I POSTROUTING -o sw10 -j RECLASS_sw10

# Mangle gw00 to reclassify guest as low priority
iptables -t mangle -N RECLASS_gw00
iptables -t mangle -A RECLASS_gw00 -j DSCP --set-dscp 0x08
iptables -t mangle -I PREROUTING -i gw00 -j RECLASS_gw00
iptables -t mangle -I POSTROUTING -o gw00 -j RECLASS_gw00

However, I'm not sure how the port specific rules handle RELATED,ESTABLISHED because I believe the initial connection is done on port 6484 but then it uses a random high port. I'm not sure how I could add a RELATED,ESTABLISHED match to connections on port 6484 to my custom zone that reclassifies to 0x2e to catch *all* traffic related to it.
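
One way to tie the 0x2e mark to the connection rather than to the ports of each packet, as asked at the end of the message (an added example, not part of the original message or of the CeroWrt scripts): tag the conntrack entry with CONNMARK when the port matches, then set DSCP on every packet of a tagged connection. The function name gen_connmark_dscp, the mark value 0x100/0x100 and the choice to print the rules instead of applying them are assumptions made for this example.

```shell
#!/bin/sh
# Added example: emit mangle rules that tag a connection (CONNMARK) and then
# set DSCP on every packet conntrack assigns to that connection.
# gen_connmark_dscp and CT_MARK are hypothetical names, not from the message.

CT_MARK="0x100/0x100"   # constructed value: one bit of the connection mark

# usage: gen_connmark_dscp IFACE PORT DSCP   -> prints iptables commands
gen_connmark_dscp() {
    iface=$1 port=$2 dscp=$3
    chain="RECLASS_${iface}"

    # Validate inputs so a typo cannot produce a malformed or surprising rule.
    case $iface in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $iface" >&2; return 1;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    case $dscp in
        0x[0-9a-fA-F]|0x[0-9a-fA-F][0-9a-fA-F]) ;;
        *) echo "bad dscp: $dscp" >&2; return 1;;
    esac
    [ $(($dscp)) -le 63 ] || { echo "dscp above 0x3f" >&2; return 1; }

    echo "iptables -t mangle -N $chain"
    # 1. Tag the conntrack entry when either end of the flow is the service port.
    for proto in tcp udp; do
        for dir in sport dport; do
            echo "iptables -t mangle -A $chain -p $proto -m $proto --$dir $port -j CONNMARK --set-mark $CT_MARK"
        done
    done
    # 2. CONNMARK does not end chain traversal, so this single rule then marks
    #    every packet of a tagged connection, in both directions.
    echo "iptables -t mangle -A $chain -m connmark --mark $CT_MARK -j DSCP --set-dscp $dscp"
    # 3. Same hook points as in the message.
    echo "iptables -t mangle -I PREROUTING -i $iface -j $chain"
    echo "iptables -t mangle -I POSTROUTING -o $iface -j $chain"
}

# Print the rules for the values used in the message; pipe to sh as root to apply.
gen_connmark_dscp sw10 6484 0x2e
```

Conntrack keys each entry on the full address and port tuple, so a flow on a different port pair is a separate entry, and these rules tag it only if it matches the port test itself.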