From: leetminiwheat
Date: Mon, 13 Apr 2015 06:36:27 -0400
To: Sebastian Moeller
Cc: cerowrt-devel
Subject: Re: [Cerowrt-devel] squash/ignore DSCP and mangle table questions
List-Id: Development issues regarding the cerowrt test router project

Actually I think I figured out the last part,

iptables -t mangle -A RECLASS_sw10 -p tcp -m tcp --sport 6484 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DSCP --set-dscp 0x2e
iptables -t mangle -A RECLASS_sw10 -p tcp -m tcp --dport 6484 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DSCP --set-dscp 0x2e
iptables -t mangle -A RECLASS_sw10 -p udp -m udp --sport 6484 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DSCP --set-dscp 0x2e
iptables -t mangle -A RECLASS_sw10 -p udp -m udp --dport 6484 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DSCP --set-dscp 0x2e

Probably not a good idea to do conntracking here, but it should only be
matching that specific interface and port anyways.

On Mon, Apr 13, 2015 at 6:27 AM, leetminiwheat wrote:
> Thanks for the reply,
>
> On Mon, Apr 13, 2015 at 3:36 AM, Sebastian Moeller wrote:
>
> > "Ignore DSCP on ingress", this basically uses a 1-tier HTB shaper on
> > ingress, DSCP marks in the packets are simply ignored, but not touched.
>
> So if I understand this correctly, this means they're kind of in
> passthrough mode on ignore but the qdiscs don't act on them due to no
> iptables MARKing? And if *not* ignoring DSCP on ingress, they're still
> passed through untouched but prioritized internally with the qdiscs?
>
> > "Squash DSCP on inbound packets (ingress):" this will replace all
> > DSCP marks with 0x0 (I believe), but only after the ingress qdisc.
> >
> > In essence this means you can actually interpret ingress DSCP marks
> > from upstream ("Ignore DSCP on ingress" set to ALLOW) but wipe them
> > after the ingress shaping (with "Squash DSCP on inbound packets
> > (ingress);" active). So the default should be "Ignore DSCP on ingress"
> > and Squash (the second can be argued, as long as no one bases routing
> > decisions on the marks they do not hurt). The rest of your questions
> > are beyond my expertise...
>
> Hmm, why would we want to remove all DSCP on output then? I assume many
> ISPs and routers will squash them anyways, but wouldn't it serve *some*
> purpose to differentiate between different traffic types?
>
> Also, regarding my mangling questions I think I figured out the correct
> chains to insert my rules in: mangle PREROUTING and mangle POSTROUTING,
> because both of those have a jump at the end to a chain that MARKs for
> qdiscs based on DSCP values. They appear to be working since I see the
> MARK rules counting upward. I assume PRE and POST go through FORWARD
> anyways so it's redundant, and using FORWARD only didn't appear to be
> working. I've ended up with this:
>
> # Mangle sw10 packets to reclassify mumble traffic. Hopefully this passes
> # through DSCP so WMM can recognize 0x2e as VoIP traffic
> iptables -t mangle -N RECLASS_sw10
> iptables -t mangle -A RECLASS_sw10 -p tcp -m tcp --sport 6484 -j DSCP --set-dscp 0x2e
> iptables -t mangle -A RECLASS_sw10 -p tcp -m tcp --dport 6484 -j DSCP --set-dscp 0x2e
> iptables -t mangle -A RECLASS_sw10 -p udp -m udp --sport 6484 -j DSCP --set-dscp 0x2e
> iptables -t mangle -A RECLASS_sw10 -p udp -m udp --dport 6484 -j DSCP --set-dscp 0x2e
> iptables -t mangle -I PREROUTING -i sw10 -j RECLASS_sw10
> iptables -t mangle -I POSTROUTING -o sw10 -j RECLASS_sw10
>
> # Mangle gw00 to reclassify guest as low priority
> iptables -t mangle -N RECLASS_gw00
> iptables -t mangle -A RECLASS_gw00 -j DSCP --set-dscp 0x08
> iptables -t mangle -I PREROUTING -i gw00 -j RECLASS_gw00
> iptables -t mangle -I POSTROUTING -o gw00 -j RECLASS_gw00
>
> However, I'm not sure how the port specific rules handle
> RELATED,ESTABLISHED because I believe the initial connection is done on
> port 6484 but then it uses a random high port. I'm not sure how I could
> add a RELATED,ESTABLISHED match to connections on port 6484 to my custom
> zone that reclassifies to 0x2e to catch *all* traffic related to it.
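As an added example (not code from the mail, from CeroWrt or from the list), a small Python model of the RECLASS_sw10 and RECLASS_gw00 chains above: it shows that "-m conntrack --ctstate" is one more condition ANDed onto the port match, so a flow on random high ports is never pulled in by it, and it gives the TOS byte values to look for in a capture when checking whether a mark survived. The packets, and the interface name "wan0" used as a non-matching case, are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    iface: str       # interface the packet arrives on (-i in PREROUTING)
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    ctstate: str     # conntrack state: NEW, ESTABLISHED or RELATED
    dscp: int = 0    # current DSCP (6 bits), 0 = best effort

@dataclass
class Rule:
    dscp: int                              # -j DSCP --set-dscp <value>
    proto: Optional[str] = None            # -p tcp|udp
    sport: Optional[int] = None            # --sport
    dport: Optional[int] = None            # --dport
    ctstates: Optional[frozenset] = None   # -m conntrack --ctstate ...

    def matches(self, pkt: Packet) -> bool:
        # All matches on a rule are ANDed: ctstate can only narrow the port match.
        return all([
            self.proto is None or pkt.proto == self.proto,
            self.sport is None or pkt.sport == self.sport,
            self.dport is None or pkt.dport == self.dport,
            self.ctstates is None or pkt.ctstate in self.ctstates,
        ])

ALL_STATES = frozenset({"NEW", "RELATED", "ESTABLISHED"})

# RECLASS_sw10 as in the mail: tcp/udp with sport or dport 6484 -> EF (0x2e)
RECLASS_SW10 = [Rule(0x2E, proto=p, ctstates=ALL_STATES, **{port: 6484})
                for p in ("tcp", "udp") for port in ("sport", "dport")]
# RECLASS_gw00 as in the mail: everything from the guest interface -> CS1 (0x08)
RECLASS_GW00 = [Rule(0x08)]
# "-I PREROUTING -i <iface> -j RECLASS_<iface>"
PREROUTING = {"sw10": RECLASS_SW10, "gw00": RECLASS_GW00}

def mangle(pkt: Packet) -> int:
    """Walk the chain for the ingress interface; DSCP is non-terminating."""
    for rule in PREROUTING.get(pkt.iface, []):
        if rule.matches(pkt):
            pkt.dscp = rule.dscp
    return pkt.dscp

def tos_byte(dscp: int) -> int:
    """DSCP is the top 6 bits of the IP TOS byte that tcpdump -v prints."""
    return (dscp & 0x3F) << 2
```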