[Cake] act_conndscp

Ryan Mounce ryan at mounce.com.au
Tue Mar 19 23:31:26 EDT 2019


On Wed, 20 Mar 2019 at 07:57, Kevin Darbyshire-Bryant
<kevin at darbyshire-bryant.me.uk> wrote:
>
> > On 19 Mar 2019, at 21:24, Ryan Mounce <ryan at mounce.com.au> wrote:
> >
> > Hi Kevin,
> >
> > I've finally applied your patches, compiled, and flashed on my router.
> > Could you share your tc filter action for conndscp to get me started?
>
> Ahh! Ooops yes knew I forgot something - here’s my hacked up sqm-scripts/my_layer_cake.qos

Okay... I've just spent far longer than I'd like to admit relearning
the basics of tc filter in order to minify my scripts, but everything
is working now. See attached for my usage. I'm back to using the
Turris Omnia which has more than enough grunt to handle my 100/40
link, so I haven't put much thought into optimisation.

The only gotcha I ran into with your patch is the explanation

> MODE get (typically ingress) set (typically egress)

This is backwards, but it's confusing anyway. 'get' also sets bits in
the connmark while 'set' also gets bits from the connmark.

I'd suggest changing 'get' to 'save', and 'set' to 'restore'.
-------------- next part --------------
# /etc/rc.local

# EGRESS
tc qdisc del dev eth2 root
tc qdisc replace dev eth2 root handle 1111: cake \
	dual-srchost nat fwmark 0x03 wash ack-filter oceanic mpu 64 overhead 26 bandwidth 40Mbit
tc -s qdisc show dev eth2

tc filter del dev eth2 parent 1111:
tc filter replace dev eth2 parent 1111: matchall action \
	conndscp mask 0xfc000000 statemask 0x01000000 mode get
tc -s filter show dev eth2 parent 1111:


# INGRESS
ip link add name ibe2 type ifb
ip link set dev ibe2 up

tc qdisc del dev ibe2 root
tc qdisc replace dev ibe2 root cake \
	ingress dual-dsthost nat fwmark 0x03 ack-filter oceanic mpu 64 overhead 26 bandwidth 99Mbit
tc -s qdisc show dev ibe2

tc qdisc del dev eth2 ingress
tc qdisc replace dev eth2 ingress handle ffff:

tc filter del dev eth2 parent ffff:
tc filter replace dev eth2 parent ffff: matchall action \
	connmark \
	conndscp mask 0xfc000000 statemask 0x01000000 mode set \
	mirred egress redirect dev ibe2
tc -s filter show dev eth2 parent ffff:



# /etc/firewall.user

iptables  -t mangle -N mangle_forward_eth2
ip6tables -t mangle -N mangle_forward_eth2

iptables  -t mangle -A mangle_forward_eth2 -j CONNMARK --restore-mark --ctmask 0x03
ip6tables -t mangle -A mangle_forward_eth2 -j CONNMARK --restore-mark --ctmask 0x03
iptables  -t mangle -A mangle_forward_eth2 -m mark ! --mark 0 -j RETURN
ip6tables -t mangle -A mangle_forward_eth2 -m mark ! --mark 0 -j RETURN

# Put all traffic to/from this host in cake's bulk tin
iptables  -t mangle -A mangle_forward_eth2 -m mac --mac-source 01:23:45:67:89:ab -j MARK --set-mark 1
ip6tables -t mangle -A mangle_forward_eth2 -m mac --mac-source 01:23:45:67:89:ab -j MARK --set-mark 1

iptables  -t mangle -A mangle_forward_eth2 -m mark --mark 0 -j RETURN
ip6tables -t mangle -A mangle_forward_eth2 -m mark --mark 0 -j RETURN
iptables  -t mangle -A mangle_forward_eth2 -j CONNMARK --save-mark --ctmask 0x03 --nfmask 0x03
ip6tables -t mangle -A mangle_forward_eth2 -j CONNMARK --save-mark --ctmask 0x03 --nfmask 0x03

iptables  -t mangle -A FORWARD -o eth2 -j mangle_forward_eth2
ip6tables -t mangle -A FORWARD -o eth2 -j mangle_forward_eth2
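
An added example, not part of the original message or of the conndscp patch: a small decoder for the connmark layout that the scripts above share between cake's `fwmark 0x03` tin selection and conndscp's `mask`/`statemask`. It assumes the DSCP is stored shifted to the lowest set bit of `mask` and that the `statemask` bit flags a saved DSCP; the function names are hypothetical and the sample marks are constructed.

```shell
#!/bin/sh
# Masks copied from the rc.local and firewall.user scripts above.
TIN_MASK=0x03           # cake "fwmark 0x03" / CONNMARK --ctmask 0x03
DSCP_MASK=0xfc000000    # conndscp "mask"
STATE_MASK=0x01000000   # conndscp "statemask"

# lowest_bit MASK -> position of the lowest set bit (fails on an empty mask)
lowest_bit() {
	m=$(( $1 )); n=0
	[ "$m" -ne 0 ] || { echo "-1"; return 1; }
	while [ $(( m & 1 )) -eq 0 ]; do m=$(( m >> 1 )); n=$(( n + 1 )); done
	echo "$n"
}

# field MARK MASK -> masked field shifted down to bit 0
field() {
	shift_by=$(lowest_bit "$2") || return 1
	echo $(( ($1 & $2) >> shift_by ))
}

# masks_disjoint -> succeeds only if tin, DSCP and state bits never overlap,
# so iptables CONNMARK and the tc action cannot clobber each other's field
masks_disjoint() {
	[ $(( $TIN_MASK & $DSCP_MASK )) -eq 0 ] &&
	[ $(( $TIN_MASK & $STATE_MASK )) -eq 0 ] &&
	[ $(( $DSCP_MASK & $STATE_MASK )) -eq 0 ]
}

# save_dscp MARK DSCP -> mark after the DSCP is saved (assumed 'get' behaviour):
# DSCP field overwritten, state bit set, tin bits left untouched
save_dscp() {
	shift_by=$(lowest_bit "$DSCP_MASK") || return 1
	printf '0x%08x\n' $(( ($1 & ~$DSCP_MASK) | (($2 << shift_by) & $DSCP_MASK) | $STATE_MASK ))
}

# decode_mark MARK -> "tin=N dscp=N saved=0|1"
decode_mark() {
	echo "tin=$(field "$1" "$TIN_MASK") dscp=$(field "$1" "$DSCP_MASK") saved=$(field "$1" "$STATE_MASK")"
}

# Optional: decode a mark given on the command line, e.g. one read from conntrack
if [ $# -gt 0 ]; then decode_mark "$1"; fi
```

Running the script with a mark value as its argument prints the three fields, which helps confirm that a flow marked for the bulk tin keeps its tin bits after the DSCP is saved.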

