[Cake] act_connmark + dscp

Toke Høiland-Jørgensen toke at redhat.com
Fri Mar 8 06:28:09 EST 2019


Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk> writes:

> On its own I don’t think that would work for ingress traffic -
> iptables happens too late. So on planet Kevin I still need some sort
> of flag held in the fwmark that says ‘I hold a DSCP value’ so cake can
> use it and act_connmarkdscp can (optionally) restore it to the
> diffserv field.
>
> I suspect we’re going around in circles around what I would like which
> is “a bit DSCP fuzzy but lighter on CPU ‘cos I don’t have to hit
> iptables mangle rules as much” v what I think you would like is
> ‘update the fwmark DSCP every time but that also requires iptables to
> mangle the DSCP for every packet’

Well I think my problem is that I don't really have a use case for this
myself. So I need to understand your use case better in order to have an
opinion on how best to implement it so that:

1. We can accommodate what you are trying to do

and

2. We can also accommodate other related use cases, and we don't set
   policy in the kernel.

In particular, requirement 2 is why I'm pushing back against hard-coding
a mask anywhere...

So could you maybe post your current ruleset and explain what it is you
are trying to achieve at a high level, and why? :)

Also, you keep mentioning "must be lighter on CPU". Do you have any
performance numbers to show the impact of your current ruleset? Would be
easier to assess any performance impact if we have some baseline numbers
to compare against...

-Toke

