On Wed, 6 Feb 2019 12:52:22 +0000 Kevin Darbyshire-Bryant <[email protected]> wrote:
>
> On 5 Feb 2019, at 13:38, John Sager <[email protected]> wrote:
> >
> > As you say, an unsolicited incoming packet doesn't get marked. However it
> > creates a conntrack record with zero mark. What you then do is to mark the
> > conntrack record later so that all subsequent packets on that connection get
> > marked by 'action connmark'. So the first packet gets classified on ifb to
> > some low priority queue, but subsequent ones go where they should.
> >
> > I do this for incoming ssh and VPN connections, though I'm using
> > htb/fq_codel rather than cake at the moment.
> >
>
> Thank you John, that has confirmed my understanding that in essence it’s not
> possible in Linux to mangle/mark the first packet on ingress and you ideally
> need the DSCP to be correct.
>
> My router threw me another curve ball in that it was classifying incoming
> packets correctly but outgoing acks weren’t. Since (ingress) connmarks were
> based on DSCP values I really couldn’t understand how the connection had been
> marked correctly for ingress but the egress was wrong.
>
> This turned out to be fallout from OpenWrt’s software flow offload feature
> which bypasses some more of the stack. So ingress classification was based
> on connmarks whilst the egress was based on DSCP and because of the flow
> offloading the DSCP values weren’t being mangled after the first few packets.
>
> At this stage I’m wondering if it’s possible to get tc/cake to classify egress
> based on connmarks instead of relying on DSCP but my tc filter syntax is
> failing me at the moment :-)

It is possible to use a tc ingress filter to remark DSCP.

_______________________________________________
Cake mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/cake
