[Cake] Ingress classification

Toke Høiland-Jørgensen toke at redhat.com
Wed Feb 6 08:54:14 EST 2019


Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk> writes:

>> On 5 Feb 2019, at 13:38, John Sager <john at sager.me.uk> wrote:
>> 
>> As you say, an unsolicited incoming packet doesn't get marked. However it
>> creates a conntrack record with zero mark. What you then do is to mark the
>> conntrack record later so that all subsequent packets on that connection get
>> marked by 'action connmark'. So the first packet gets classified on ifb to
>> some low priority queue, but subsequent ones go where they should.
>> 
>> I do this for incoming ssh and VPN connections, though I'm using
>> htb/fq_codel rather than cake at the moment.
>> 
>
> Thank you John, that has confirmed my understanding that in essence
> it’s not possible in linux to mangle/mark the first packet on ingress
> and you ideally need the DSCP to be correct.

Not with iptables, but you can do it with tc filters. Either by writing
a BPF filter, or by using the pedit action (which actually changes bytes
in the packet unlike skbedit).

-Toke
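As an added example, not part of the thread and not code from any of the posters, here is what the pedit route looks like end to end: an ingress qdisc on the WAN interface, a u32 filter that rewrites the DSCP of inbound TCP traffic to a given port with `pedit ex munge ip dsfield`, a `csum` action to repair the IPv4 header checksum that pedit leaves stale, and a mirred redirect into an ifb on which cake runs with a DSCP-aware tin layout. Interface names, the shaping rate, the port-to-DSCP pairs and the `retain` mask semantics (only the DSCP bits written, ECN left alone) are assumptions for illustration; `DRY_RUN=1` (the default) just prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): rewrite DSCP with tc pedit on the WAN
# ingress hook, then hand the packet to cake on an ifb so cake classifies it
# by the rewritten field. Interface names, rate, ports and DSCP values are
# assumptions; adjust to taste.

WAN=${WAN:-eth0}          # assumed upstream interface
IFB=${IFB:-ifb0}          # assumed ifb device carrying the ingress cake instance
RATE=${RATE:-50mbit}      # assumed downstream shaping rate
DRY_RUN=${DRY_RUN:-1}     # 1: print the commands, 0: execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# DSCP occupies the top six bits of the IPv4 TOS byte (and IPv6 traffic class);
# the low two bits are ECN. DSCP 46 (EF) -> 0xb8, DSCP 8 (CS1) -> 0x20.
dsfield_for_dscp() {
    printf '0x%02x\n' $(( ($1 & 63) << 2 ))
}

# One-time setup: ifb, ingress qdisc on WAN, cake on the ifb with a
# DSCP-aware tin layout.
setup_ingress_cake() {
    run ip link add "$IFB" type ifb
    run ip link set "$IFB" up
    run tc qdisc add dev "$WAN" handle ffff: ingress
    run tc qdisc add dev "$IFB" root cake bandwidth "$RATE" ingress diffserv4
}

# Rewrite DSCP on TCP packets to a destination port before redirection.
# 'retain 0xfc' limits the write to the DSCP bits so ECN survives; pedit does
# not recompute the IPv4 header checksum, hence the csum action after it.
# This acts on the very first packet of a flow, so it does not depend on a
# conntrack mark that only exists once the connection has been seen.
add_ingress_dscp_rule() {
    port=$1; dscp=$2; prio=$3
    value=$(dsfield_for_dscp "$dscp")
    run tc filter add dev "$WAN" parent ffff: protocol ip prio "$prio" u32 \
        match ip protocol 6 0xff match ip dport "$port" 0xffff \
        action pedit ex munge ip dsfield set "$value" retain 0xfc pipe \
        action csum ip pipe \
        action mirred egress redirect dev "$IFB"
}

# Everything that matched no rewrite rule still has to reach the ifb.
add_ingress_catchall() {
    run tc filter add dev "$WAN" parent ffff: protocol all prio 100 u32 \
        match u32 0 0 action mirred egress redirect dev "$IFB"
}

apply_example() {
    setup_ingress_cake
    add_ingress_dscp_rule 22 46 1     # inbound ssh -> EF (assumed choice)
    add_ingress_dscp_rule 1194 24 2   # inbound OpenVPN (assumed port) -> CS3
    add_ingress_catchall
}

apply_example
```

The rewrite filters sit at lower prio numbers than the catch-all so they are tried first, and mirred redirect is terminal, so a rewritten packet is not redirected twice. This only covers IPv4; IPv6 needs its own `protocol ipv6` filter, and the u32 `dport` match assumes a 20-byte IP header (no options), as u32 port matching usually does.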

