[Cake] act_connmark + dscp

Kevin Darbyshire-Bryant kevin at darbyshire-bryant.me.uk
Wed Mar 6 13:40:20 EST 2019



> On 6 Mar 2019, at 15:21, Toke Høiland-Jørgensen <toke at redhat.com> wrote:
> 
> Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk> writes:
> 
>> Before I go too far down this road (and to avoid the horror of
>> actually trying to code it) here’s what I’m trying to achieve.
>> 
>> 
>> act_connmark + dscp is designed to copy a DSCP code to/from conntrack mark.  It uses 8 bits of the mark field, currently the most significant byte.
>> 
>> Bits 31-26: DSCP
>> Bit 25: Spare/Future
>> Bit 24: Valid DSCP set
>> 
>> The valid bit is set when the ‘getdscp’ function has written a DSCP
>> value into the conntrack (& hence skb) mark. This allows us & other
>> skb->mark/ct->mark applications (eg iptables, cake qdisc) to know that
>> a DSCP value has been placed in the field. We cannot simply use a
>> non-zero DSCP because zero is a valid DSCP.
> 
> If someone installs the action, the field is supposedly always copied;
> so why do we need another flag?

I’m trying to limit the number of times expensive iptables mangle rules have to run.

Egress path:

Packet comes in (internal to device or forward)
iptables mangle - check fwmark ’set’ bit
if not set
	jump to a possibly extensive set of rules that mangle the DSCP
else
	do nothing

Packet arrives at act_connmark dscpset
looks at fwmark ’set’ bit
if not set
	copy DSCP to fwmark & set the ’set’ bit.
else
	do nothing
cake gets hold of it - selects a tin based on fwmark contained DSCP

Do the routine again for the next packet in the same connection and you’ll skip the iptables mangle rules but still have cake classify based on the fwmark stored DSCP.  Without that flag you’ll have to run the iptables mangle rules for every packet and update the fwmark too.


I personally think that cake should also have the fwmark/DSCP decode routine on ingress. e.g.

Ingress

Packet arrives
act_connmark restores the fwmark
if fwmark/dscp set then optionally restores diffserv from fwmark
Cake looks for fwmark/dscp set bit
if true 
	use fwmark DSCP for tin select
else
	use diffserv field as before
Cake possibly washes


Without the ’set’ bit, act_connmark has to restore the diffserv field on every (ip) packet and cake possibly has to wash it out again.



The reality is that I enjoyed doing this in the cake codebase.  I cannot say the same for act_connmark; in fact, I hate it so much I’m stopping.  The mental effort for a non-programmer and more importantly a non-kernel programmer is exhausting & I’m completely disillusioned.  I really need to concentrate on the job that means I can pay the mortgage, which isn’t bashing my head against the kernel.


Anyway 4 files - 2 are patches against current cake & tc and a ‘my_layer_cake’ qos script that’s ‘fwmark/cake’ aware.  4th file is the start of a hack on act_connmark.  Do with them as you will, I never want to see the last one again.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Automagically-use-update-DSCP-contained-in-fwmark.patch
Type: application/octet-stream
Size: 6679 bytes
Desc: 0001-Automagically-use-update-DSCP-contained-in-fwmark.patch
URL: <https://lists.bufferbloat.net/pipermail/cake/attachments/20190306/09b9cf26/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-tc-cake-add-fwmark-getdscp-setdscp-options.patch
Type: application/octet-stream
Size: 5830 bytes
Desc: 0001-tc-cake-add-fwmark-getdscp-setdscp-options.patch
URL: <https://lists.bufferbloat.net/pipermail/cake/attachments/20190306/09b9cf26/attachment-0005.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: my_layer_cake.qos
Type: application/octet-stream
Size: 5131 bytes
Desc: my_layer_cake.qos
URL: <https://lists.bufferbloat.net/pipermail/cake/attachments/20190306/09b9cf26/attachment-0006.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-start-of-act_connmark-hack.patch
Type: application/octet-stream
Size: 3387 bytes
Desc: 0001-start-of-act_connmark-hack.patch
URL: <https://lists.bufferbloat.net/pipermail/cake/attachments/20190306/09b9cf26/attachment-0007.obj>
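
Added example (not part of the original message or of the attached patches): a C sketch of the mark layout and the 'set' bit logic described in the message above, including the DSCP 0 case that makes the valid bit necessary. All macro and function names are hypothetical, and the DSCP arguments are assumed to be the 6-bit value already extracted from the IP header.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Layout from the message: bits 31-26 DSCP, bit 25 spare, bit 24 valid. */
#define MARK_DSCP_SHIFT 26
#define MARK_DSCP_MASK  (0x3fu << MARK_DSCP_SHIFT)
#define MARK_DSCP_VALID (1u << 24)

/* Store a DSCP and flag it valid; the low 24 bits (other fwmark users)
 * and the spare bit are left untouched. */
static uint32_t mark_store_dscp(uint32_t mark, uint8_t dscp)
{
    mark &= ~(MARK_DSCP_MASK | MARK_DSCP_VALID);
    return mark | ((uint32_t)(dscp & 0x3f) << MARK_DSCP_SHIFT) | MARK_DSCP_VALID;
}

static bool mark_has_dscp(uint32_t mark)
{
    return (mark & MARK_DSCP_VALID) != 0;
}

static uint8_t mark_dscp(uint32_t mark)
{
    return (uint8_t)((mark & MARK_DSCP_MASK) >> MARK_DSCP_SHIFT);
}

/* Egress: copy the packet's DSCP into the mark only while the valid bit
 * is clear; later packets of the same connection change nothing. */
static uint32_t egress_dscp_to_mark(uint32_t ct_mark, uint8_t pkt_dscp)
{
    if (mark_has_dscp(ct_mark))
        return ct_mark;
    return mark_store_dscp(ct_mark, pkt_dscp);
}

/* DSCP used for tin selection: the mark's value when the valid bit is
 * set, otherwise the packet's own diffserv field as before. */
static uint8_t classify_dscp(uint32_t mark, uint8_t pkt_dscp)
{
    return mark_has_dscp(mark) ? mark_dscp(mark) : pkt_dscp;
}

int main(void)
{
    uint32_t m = egress_dscp_to_mark(0x123, 0); /* constructed mark, DSCP 0 */
    printf("mark=0x%08x dscp=%u\n", (unsigned)m, (unsigned)classify_dscp(m, 10));
    return 0;
}
```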