[Cake] Ingress classification

Kevin Darbyshire-Bryant kevin at darbyshire-bryant.me.uk
Wed Feb 6 07:52:22 EST 2019

> On 5 Feb 2019, at 13:38, John Sager <john at sager.me.uk> wrote:
> As you say, an unsolicited incoming packet doesn't get marked. However it
> creates a conntrack record with zero mark. What you then do is to mark the
> conntrack record later so that all subsequent packets on that connection get
> marked by 'action connmark'. So the first packet gets classified on ifb to
> some low priority queue, but subsequent ones go where they should.
> I do this for incoming ssh and VPN connections, though I'm using
> htb/fq_codel rather than cake at the moment.

Thank you John, that has confirmed my understanding that in essence it’s not possible in Linux to mangle/mark the first packet on ingress and you ideally need the DSCP to be correct.

My router threw me another curve ball in that it was classifying incoming packets correctly but outgoing acks weren’t.  Since (ingress) connmarks were based on DSCP values I really couldn’t understand how the connection had been marked correctly for ingress but the egress was wrong.

This turned out to be fallout from OpenWrt’s software flow offload feature which bypasses some more of the stack.  So ingress classification was based on connmarks whilst the egress was based on DSCP and because of the flow offloading the DSCP values weren’t being mangled after the first few packets.

At this stage I’m wondering if it’s possible to get tc/cake to classify egress based on connmarks instead of relying on DSCP but my tc filter syntax is failing me at the moment :-)

Kevin D-B

012C ACB2 28C6 C53E 9775  9123 B3A2 389B 9DE2 334A
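The setup the thread describes, as an added example that is not code from either poster: the conntrack record is marked once (so only the first packet of an unsolicited inbound connection lands in the default tin), the mark is copied back into the packet with `action connmark` on both the ifb ingress path and the WAN egress root qdisc, and cake picks the tin from that mark rather than from DSCP, which sidesteps the flow-offload problem where the DSCP field stops being mangled. Everything named here is an assumption: the interface names (`eth0`, `ifb4eth0`), the link rates, the connmark-to-tin mapping, and the presence of cake's `fwmark` option and of iptables' `CONNMARK` target and `dscp` match on the router.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: WAN interface eth0,
# IFB device ifb4eth0, link rates, and the connmark-to-tin mapping below.
# Also assumes a cake build with the "fwmark" option (tin selection from
# skb->mark) and iptables with the CONNMARK target and dscp match.
# DRY_RUN=1 (the default) prints each command instead of executing it.
set -e

WAN="${WAN:-eth0}"
IFB="${IFB:-ifb4$WAN}"
DOWN_RATE="${DOWN_RATE:-50mbit}"
UP_RATE="${UP_RATE:-10mbit}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Assumed mapping: the low three bits of the connmark pick a diffserv4 tin
# (1=Bulk, 2=Best Effort, 3=Video, 4=Voice); 0 means "fall back to DSCP".
MARK_MASK=0x7
TIN_BULK=1
TIN_VOICE=4

# 1. Mark the conntrack record. The first packet of an unsolicited inbound
#    connection has a zero mark; every later packet inherits the mark set here.
mark_connections() {
    # Mark existing conntrack entries from the DSCP of outbound packets
    # (EF -> Voice, CS1 -> Bulk). The mark lives in the conntrack record, so
    # it survives even when flow offload later bypasses these mangle rules.
    run iptables -t mangle -A POSTROUTING -o "$WAN" -m dscp --dscp 46 \
        -j CONNMARK --set-xmark "$TIN_VOICE/$MARK_MASK"
    run iptables -t mangle -A POSTROUTING -o "$WAN" -m dscp --dscp 8 \
        -j CONNMARK --set-xmark "$TIN_BULK/$MARK_MASK"
    # Unsolicited inbound ssh: the SYN itself still lands in the default tin,
    # but the record is marked so the rest of the connection goes where it should.
    run iptables -t mangle -A PREROUTING -i "$WAN" -p tcp --dport 22 \
        -j CONNMARK --set-xmark "$TIN_VOICE/$MARK_MASK"
}

# 2. Ingress: redirect WAN ingress to the IFB, restoring the conntrack mark
#    into skb->mark on the way, and let cake choose the tin from that mark.
configure_ingress() {
    run ip link add "$IFB" type ifb
    run ip link set "$IFB" up
    run tc qdisc add dev "$WAN" handle ffff: ingress
    run tc filter add dev "$WAN" parent ffff: protocol all prio 10 matchall \
        action connmark \
        action mirred egress redirect dev "$IFB"
    run tc qdisc add dev "$IFB" root cake bandwidth "$DOWN_RATE" ingress \
        diffserv4 fwmark "$MARK_MASK"
}

# 3. Egress: same idea on the WAN root qdisc, so tin selection no longer
#    depends on the DSCP field that flow offload stops mangling.
configure_egress() {
    run tc qdisc add dev "$WAN" root handle 1: cake bandwidth "$UP_RATE" \
        diffserv4 fwmark "$MARK_MASK"
    run tc filter add dev "$WAN" parent 1: protocol all prio 1 matchall \
        action connmark
}

main() {
    mark_connections
    configure_ingress
    configure_egress
}

main
```

Run it as is to print the commands, and as root with `DRY_RUN=0` to apply them. Check the mapping of mark values to tins against the `tc-cake` man page for the iproute2 version on the router before relying on it, and keep in mind that `action connmark` only finds a mark for packets whose connection already has a conntrack entry, which is exactly the first-packet limitation discussed above.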
