[Cake] Ingress classification

Stephen Hemminger stephen at networkplumber.org
Wed Feb 6 11:19:22 EST 2019

On Wed, 6 Feb 2019 12:52:22 +0000
Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk> wrote:

> > On 5 Feb 2019, at 13:38, John Sager <john at sager.me.uk> wrote:
> > 
> > As you say, an unsolicited incoming packet doesn't get marked. However it
> > creates a conntrack record with zero mark. What you then do is to mark the
> > conntrack record later so that all subsequent packets on that connection get
> > marked by 'action connmark'. So the first packet gets classified on ifb to
> > some low priority queue, but subsequent ones go where they should.
> > 
> > I do this for incoming ssh and VPN connections, though I'm using
> > htb/fq_codel rather than cake at the moment.
> >   
> Thank you John, that has confirmed my understanding that in essence it’s not possible in linux to mangle/mark the first packet on ingress and you ideally need the DSCP to be correct.
> My router threw me another curve ball in that it was classifying incoming packets correctly but outgoing acks weren’t.  Since (ingress) connmarks were based on DSCP values I really couldn’t understand how the connection had been marked correctly for ingress but the egress was wrong.
> This turned out to be fallout from openwrt’s software flow offload feature which bypasses some more of the stack.  So ingress classification was based on connmarks whilst the egress was based on DSCP and because of the flow offloading the DSCP values weren’t being mangled after the first few packets.
> At this stage I’m wondering if it's possible to get tc/cake to classify egress based on connmarks instead of relying on DSCP but my tc filter syntax is failing me at the moment :-)

It is possible to use a tc ingress filter to remark DSCP.
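One shape such an ingress filter chain can take, written here as an added example rather than code from this thread or from the cake project: the first filter restores the conntrack mark into the packet (the same `action connmark` John describes), the second matches on that restored mark with the `fw` classifier and rewrites the DS byte with `pedit`, then fixes the IPv4 checksum with `action csum`. The interface name `eth0`, the mark value `1` and the DSCP value `46` are assumptions chosen for illustration; set `TC=echo` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the cake project):
# tc ingress filters that copy the conntrack mark onto incoming packets and
# rewrite the DSCP field so a qdisc further down (cake on an ifb, say) sees
# the intended value. Interface, mark and DSCP values are assumptions.
#
# Dry run:  TC=echo sh this_script.sh
TC="${TC:-tc}"

# Convert a DSCP code point (0-63) to the IPv4 TOS/DS byte value that
# "match ip dsfield" and "pedit ... ip dsfield" operate on. DSCP is the
# upper six bits of the byte, so the byte value is DSCP << 2.
dscp_to_dsfield() {
    [ "$1" -ge 0 ] && [ "$1" -le 63 ] || return 1
    printf '0x%02x' $(( $1 << 2 ))
}

# install_ingress_remark IFACE MARK DSCP
#   1. restore the conntrack mark for every IPv4 packet and keep classifying
#   2. packets whose mark equals MARK get their DS byte set to DSCP<<2
# These filters must sit at a lower prio (i.e. run earlier) than any
# "action mirred egress redirect dev ifbX" filter, otherwise the packet is
# already on the ifb before the rewrite happens.
# Caveat: this writes the whole DS byte, so the two ECN bits are overwritten
# as well; a deployment that relies on ECN needs to mask those bits.
install_ingress_remark() {
    iface=$1; mark=$2; dscp=$3
    ds=$(dscp_to_dsfield "$dscp") || return 1
    $TC qdisc add dev "$iface" clsact 2>/dev/null || true
    $TC filter add dev "$iface" ingress prio 1 protocol ip \
        matchall action connmark pipe
    $TC filter add dev "$iface" ingress prio 2 protocol ip handle "$mark" fw \
        action pedit ex munge ip dsfield set "$ds" pipe \
        action csum ip
}

# Usage (assumed values): mark 1 on the conntrack entry means "voice", so
# remark its inbound packets to EF (DSCP 46 -> dsfield 0xb8).
if [ "$(basename "$0")" != "sh" ]; then
    install_ingress_remark eth0 1 46
fi
```

The conntrack mark itself is set the way John's post describes (a later `CONNMARK --set-mark` on the connection once it has been identified); the filters above only consume it, so the first packet of an unsolicited inbound connection still passes through unmarked and unremarked.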

