[Cake] diffserv based on firewall mark

ching lu lsching17 at gmail.com
Wed Oct 12 06:17:04 EDT 2016


On 12 Oct 2016 at 6:05 PM, "moeller0" <moeller0 at gmx.de> wrote:
>
> Hi Ching,
>
> > On Oct 12, 2016, at 11:35 , ching lu <lsching17 at gmail.com> wrote:
> >
> > How to achieve "cake follows iptables"? Is it "wan ingress -> iptables
>
> Yes.
>
> > -> wifi egress/LAN egress -> ifb egress -> cake"?
>
>         Except that if you instantiate cake on the interface connecting
> to the router's LAN/WLAN side (let's call this LAN for short), cake will
> reside on that interface's egress and hence you require no ifb for traffic
> coming in from the internet (as a plus cake will even without the fancy new
> deNAT options see the full internal IP addresses, useful for dual and triple
> isolation options). In the direction facing the internet you can
> instantiate cake on an ifb interface for LAN and then put the iptables DSCP
> cleaner on the WAN egress side (and the WAN ingress side, unless you trust
> your ISP to deliver reasonable DSCP values, which should be like never*)

The bandwidth shaper won't work correctly if cake(s) are registered on
multiple LAN interfaces; ifb is necessary.

e.g. if the ingress bandwidth limit is 100M, then setting 50M on wifi and 50M
on LAN?

I think cake's diffserv model is not suitable for home networks
currently. The setup is much more complex.


>
> Best Regards
>         Sebastian
>
> *) DSCP are only ever guaranteed to be meaningful inside a DSCP domain, and
> in reality your home net is a different domain from the ISP's. It would
> have been nice if the DSCP field would have been separated into 2 3-bit
> fields, the first for the actual sender to request one of 8 differential
> classes and the other 3 bits for the current domain to store its actually
> used DSCP bits. I claim the 3 bits should be enough for anybody  ;)
>
>
> >
> >
> > On Wed, Oct 12, 2016 at 5:10 PM, moeller0 <moeller0 at gmx.de> wrote:
> >> Hi,
> >>
> >>
> >>> On Oct 12, 2016, at 10:11 , ching lu <lsching17 at gmail.com> wrote:
> >>>
> >>> For egress, setting DSCP field should work.
> >>>
> >>> iptables -> wan egress -> cake
> >>>
> >>> But is it possible to set DSCP to 0x0 after cake's classification? i
> >>> do not know how ISP handle non-zero DSCP, there seems to be no
> >>> standard for this.
> >>
> >>        Interestingly cake, at some point in the past offered exactly
> >> that functionality, but it got removed due to added complexity with very
> >> little practical applicability (and a potential layering violation, but one
> >> could equally argue that the current layering is partly sub-optimal/wrong
> >> and hence violating it to better reflect reality might be acceptable). But
> >> current cake does not offer this. If you are willing to daisy-chain two
> >> routers, you could run cake on the respective egress interfaces connecting
> >> both routers, and do the DSCP cleaning on the outer router’s egress
> >> interface toward the internet…
> >>
> >>>
> >>>
> >>> For ingress, DSCP field may not be set by network peer at all, and i
> >>> have multiple LAN interfaces
> >>>
> >>> AFAIK, the order is "wan ingress -> ifb egress -> cake -> iptables"
> >>>
> >>> The trick of setting DSCP by iptables does not work because cake comes
> >>> first
> >>
> >>        Hence Jonathan’s recommendation to make sure that cake follows
> >> iptables, by setting it up on egress interfaces only…
> >>
> >> Best Regards
> >>        Sebastian
> >>
> >>>
> >>> On Wed, Oct 12, 2016 at 3:26 PM, Jonathan Morton <chromatix99 at gmail.com> wrote:
> >>>>
> >>>>> On 12 Oct, 2016, at 08:52, ching lu <lsching17 at gmail.com> wrote:
> >>>>>
> >>>>> I deprioritize bittorrent traffic by marking related connections in
> >>>>> iptables (e.g. detect by port number) and route them to the
> >>>>> corresponding HTB class and qdisc.
> >>>>>
> >>>>> How can I achieve the same goal using the cake qdisc?
> >>>>
> >>>> Modify your iptables rules to set the DSCP rather than a
> >>>> kernel-internal mark.  You probably want "-j DSCP --set-dscp-class CS1", as
> >>>> CS1 is the "bulk low priority" code.  Cake’s default Diffserv mode will
> >>>> pick that up appropriately.
> >>>>
> >>>> You also need to make sure Cake sees your packets *after* they’ve
> >>>> been through the firewall, which generally means attaching it to the egress
> >>>> port in each direction, not the ingress port.  You’ve probably already done
> >>>> this, if you’re happy with your HTB setup.
> >>>>
> >>>> If you have multiple LAN interfaces (eg, both Ethernet and wifi),
> >>>> you should loop the inbound traffic through a common IFB device (and attach
> >>>> Cake to that instead of the physical interfaces) to simplify configuration.
> >>>>
> >>>> - Jonathan Morton
> >>>>
> >>> _______________________________________________
> >>> Cake mailing list
> >>> Cake at lists.bufferbloat.net
> >>> https://lists.bufferbloat.net/listinfo/cake
> >>
>
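The layout discussed in this thread (iptables sets DSCP CS1 on BitTorrent ports, cake is attached on egress interfaces so it runs after the firewall, and inbound traffic is either shaped per LAN interface or looped through one IFB), written out as an added example script. It is not code from the thread or from the cake project. The interface names (eth0, eth1, wlan0, ifb0), the rates and the port range are assumptions; by default the script only prints the command plan, and it applies the commands only when CAKE_APPLY=1 is set, which needs root, iproute2 with sch_cake, and iptables.

```shell
#!/bin/sh
# Added example (not from the thread or the cake project): lay out cake so it
# "follows iptables". Interface names, rates and ports below are assumptions.
WAN=${WAN:-eth0}                  # interface toward the ISP
LAN_IFS=${LAN_IFS:-"eth1 wlan0"}  # interfaces toward the home network
IFB=${IFB:-ifb0}                  # common IFB for inbound traffic
UP_RATE=${UP_RATE:-10mbit}
DOWN_RATE=${DOWN_RATE:-100mbit}
BT_PORTS=${BT_PORTS:-6881:6889}   # constructed example BitTorrent port range

# Upload: mangle/POSTROUTING runs before the WAN egress qdisc, so cake on the
# WAN root qdisc sees the DSCP set here; CS1 lands in cake's Bulk tin.
# The mark also leaves toward the ISP: per the thread, cake offers no way to
# clear it after classification.
upload_cmds() {
    cat <<EOF
iptables -t mangle -A POSTROUTING -o $WAN -p tcp --dport $BT_PORTS -j DSCP --set-dscp-class CS1
iptables -t mangle -A POSTROUTING -o $WAN -p udp --dport $BT_PORTS -j DSCP --set-dscp-class CS1
tc qdisc replace dev $WAN root cake bandwidth $UP_RATE diffserv3 nat
EOF
}

# Download, variant A: cake on every LAN interface's egress. Forwarded packets
# have already passed mangle/FORWARD, so DSCP set there is visible, and cake
# sees the internal (pre-NAT) addresses. Caveat raised in the thread: each
# interface shapes on its own, so two busy links together can exceed DOWN_RATE.
download_per_lan_cmds() {
    cat <<EOF
iptables -t mangle -A FORWARD -i $WAN -p tcp --sport $BT_PORTS -j DSCP --set-dscp-class CS1
iptables -t mangle -A FORWARD -i $WAN -p udp --sport $BT_PORTS -j DSCP --set-dscp-class CS1
EOF
    for ifc in $LAN_IFS; do
        echo "tc qdisc replace dev $ifc root cake bandwidth $DOWN_RATE diffserv3"
    done
}

# Download, variant B: mirror WAN ingress into one IFB and shape there once
# with the full rate. The IFB qdisc runs before iptables, so only DSCP values
# the ISP delivers are visible to cake here, not marks set locally.
download_ifb_cmds() {
    cat <<EOF
ip link add $IFB type ifb
ip link set dev $IFB up
tc qdisc replace dev $WAN handle ffff: ingress
tc filter replace dev $WAN parent ffff: protocol all prio 10 u32 match u32 0 0 action mirred egress redirect dev $IFB
tc qdisc replace dev $IFB root cake bandwidth $DOWN_RATE diffserv3 ingress
EOF
}

# Emit the full command plan for one download variant ("ifb" or "per-lan").
plan() {
    upload_cmds
    case "${1:-ifb}" in
        ifb) download_ifb_cmds ;;
        per-lan) download_per_lan_cmds ;;
        *) echo "unknown plan: $1" >&2; return 1 ;;
    esac
}

# Print the plan (default), or execute it line by line when CAKE_APPLY=1.
run_cmds() {
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        if [ "${CAKE_APPLY:-0}" = 1 ]; then sh -c "$cmd"; else echo "$cmd"; fi
    done
}

plan "${1:-ifb}" | run_cmds
```

Run it as `sh cake-layout.sh ifb` or `sh cake-layout.sh per-lan` to review the commands first; the per-lan variant has one cake instance per LAN port, which is exactly the split-bandwidth concern raised above, while the ifb variant keeps a single downstream shaper at the cost of not seeing locally set DSCP.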