[Cake] dscp & tunneling

Kevin Darbyshire-Bryant kevin at darbyshire-bryant.me.uk
Thu Dec 10 07:35:41 EST 2015

On 10/12/15 12:22, Dave Taht wrote:
> On Thu, Dec 10, 2015 at 1:09 PM, Kevin Darbyshire-Bryant
> <kevin at darbyshire-bryant.me.uk> wrote:
>> the same test shows all those flows going in the best effort tin and
>> nothing being split out according to dscp.  Things are split out
>> correctly with ipv4.  Assuming that my installation of flent is doing
>> the right thing (putting dscp on its outbound ipv6 packets) and knowing
>> that both flent & cake handle the ipv4 version of the test correctly and
>> that by the time 'cake' sees my tunnel it's all ipv4 outer packets
>> anyway, this suggests dscp from inner ipv6 to outer ipv4 isn't taking
>> place, at least for 6in4 'sit' tunnels :-(
> Wireshark is your friend here.
I shall befriend it once again :-)
> It would not surprise me if dscp inherit had broken again, or, it was
> borked on decapsulation. Not a widely tested feature, that.
I'm only 'testing' the encapsulation side...ipv6 into router, router
encapsulates into ipv6, cake then sits across 'eth0' the Internet facing
interface and isn't classifying the flows - and I swear this used to work.
> I remember making it work several years ago, remember sort of seeing
> the patches go upstream somewhere.... it was a long time ago.
Is there anyone lurking on this list, with the time, who can help me
with net/ipv6/sit.c?

It looks like this is the relevant area:  Need to see what
INET_ECN_encapsulate does (and where tos gets set)

        if (ttl == 0)
                ttl = iph6->hop_limit;
        tos = INET_ECN_encapsulate(tos, ipv6_get_dsfield(iph6));

        if (ip_tunnel_encap(skb, tunnel, &protocol, &fl4) < 0) {
                goto tx_error;

        skb_set_inner_ipproto(skb, IPPROTO_IPV6);

        err = iptunnel_xmit(NULL, rt, skb, fl4.saddr, fl4.daddr,
                            protocol, tos, ttl, df,
                            !net_eq(tunnel->net, dev_net(dev)));
        iptunnel_xmit_stats(err, &dev->stats, dev->tstats);
        return NETDEV_TX_OK;

>>> VPNs like ipsec or openvpn are not handled this way, not enough data.
>>> Arguably you could pull apart some forms of tinc (stalled out research
>>> project) in a really sane way...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4816 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.bufferbloat.net/pipermail/cake/attachments/20151210/d734c244/attachment-0002.bin>

More information about the Cake mailing list