[Cake] diffserv based on firewall mark

ching lu lsching17 at gmail.com
Wed Oct 12 04:11:14 EDT 2016


For egress, setting the DSCP field should work.

iptables -> wan egress -> cake

But is it possible to set DSCP to 0x0 after cake's classification? I
do not know how ISPs handle non-zero DSCP; there seems to be no
standard for this.


For ingress, the DSCP field may not be set by the network peer at all, and I
have multiple LAN interfaces.

AFAIK, the order is "wan ingress -> ifb egress -> cake -> iptables"

The trick of setting DSCP by iptables does not work because cake comes first.

On Wed, Oct 12, 2016 at 3:26 PM, Jonathan Morton <chromatix99 at gmail.com> wrote:
>
>> On 12 Oct, 2016, at 08:52, ching lu <lsching17 at gmail.com> wrote:
>>
>> I deprioritize bittorrent traffic by marking related connections in
>> iptables (e.g. detect by port number) and route them to corresponding
>> HTB class and qdisc.
>>
>> How can I achieve the same goal using the cake qdisc?
>
> Modify your iptables rules to set the DSCP rather than a kernel-internal mark.  You probably want "-j DSCP --set-dscp-class CS1", as CS1 is the “bulk low priority” code.  Cake’s default Diffserv mode will pick that up appropriately.
>
> You also need to make sure Cake sees your packets *after* they’ve been through the firewall, which generally means attaching it to the egress port in each direction, not the ingress port.  You’ve probably already done this, if you’re happy with your HTB setup.
>
> If you have multiple LAN interfaces (eg, both Ethernet and wifi), you should loop the inbound traffic through a common IFB device (and attach Cake to that instead of the physical interfaces) to simplify configuration.
>
>  - Jonathan Morton
>

