Kevin Darbyshire-Bryant <[email protected]> writes:

>> On 5 Feb 2019, at 13:38, John Sager <[email protected]> wrote:
>>
>> As you say, an unsolicited incoming packet doesn't get marked. However it
>> creates a conntrack record with zero mark. What you then do is to mark the
>> conntrack record later so that all subsequent packets on that connection get
>> marked by 'action connmark'. So the first packet gets classified on ifb to
>> some low priority queue, but subsequent ones go where they should.
>>
>> I do this for incoming ssh and VPN connections, though I'm using
>> htb/fq_codel rather than cake at the moment.
>>
>
> Thank you John, that has confirmed my understanding that in essence
> it's not possible in linux to mangle/mark the first packet on ingress
> and you ideally need the DSCP to be correct.
Not with iptables, but you can do it with tc filters. Either by writing a BPF
filter, or by using the pedit action (which actually changes bytes in the
packet unlike skbedit).

-Toke

_______________________________________________
Cake mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/cake
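The pedit approach Toke describes, as an added example that is not part of the thread: a tc ingress filter rewrites the DSCP of an unsolicited inbound packet before mirred hands it to the ifb device that cake shapes, so even the first packet lands in the right tin. Assumed names and values: WAN eth0, ifb0, inbound ssh on TCP/22 marked AF41 (DSCP 34), a 50 Mbit/s ingress rate, and that pedit's `retain 0xfc` confines the write to the six DSCP bits.

```sh
#!/bin/sh
# Added example (not from the thread). Set TC=echo IP=echo for a dry run that
# only prints the commands instead of applying them.
set -e
TC=${TC:-tc}
IP=${IP:-ip}
WAN=${WAN:-eth0}        # assumed WAN interface
IFB=${IFB:-ifb0}        # assumed ifb device cake runs on
RATE=${RATE:-50mbit}    # assumed ingress rate

# pedit's "ip dsfield" addresses the whole TOS byte; DSCP sits in the top six
# bits and the low two bits are ECN.
dscp_to_dsfield() {
    printf '0x%02x' $(( $1 << 2 ))
}

setup_ingress_dscp_rewrite() {
    port=$1
    ds=$(dscp_to_dsfield "$2")

    $IP link add "$IFB" type ifb
    $IP link set "$IFB" up
    $TC qdisc add dev "$IFB" root cake bandwidth "$RATE" diffserv4 ingress
    $TC qdisc add dev "$WAN" handle ffff: ingress

    # Unsolicited inbound TCP to $port: write the DSCP bits only ("retain 0xfc"
    # is assumed to leave the two ECN bits untouched), recompute the IPv4
    # header checksum that pedit does not fix up, then redirect to ifb so cake
    # classifies the very first packet on the rewritten DSCP.
    $TC filter add dev "$WAN" parent ffff: protocol ip prio 1 \
        flower ip_proto tcp dst_port "$port" \
        action pedit ex munge ip dsfield set "$ds" retain 0xfc pipe \
        action csum ip pipe \
        action mirred egress redirect dev "$IFB"

    # Everything else reaches ifb unchanged. mirred redirect is terminal, so a
    # packet matched at prio 1 is not redirected a second time here.
    $TC filter add dev "$WAN" parent ffff: protocol all prio 2 matchall \
        action mirred egress redirect dev "$IFB"
}

if [ "${1:-}" = "apply" ]; then
    setup_ingress_dscp_rewrite 22 34
fi
```

Run as `sh ingress-dscp.sh apply` on the router (root), or `TC=echo IP=echo sh ingress-dscp.sh apply` to review the generated tc commands first.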
