Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

2018-05-23 Thread Kevin Darbyshire-Bryant via Cake
> On 23 May 2018, at 23:40, Toke Høiland-Jørgensen wrote: > > > Hmm, and we still have an issue with ingress filtering (where cake is > running on an ifb interface). That runs pre-NAT in the conntrack case, > and we can't do the RX trick. Here we do the

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

2018-05-23 Thread Toke Høiland-Jørgensen
Pablo Neira Ayuso writes: > On Tue, May 22, 2018 at 04:11:06PM +0200, Toke Høiland-Jørgensen wrote: >> Pablo Neira Ayuso writes: >> >> > Hi Toke, >> > >> > On Tue, May 22, 2018 at 03:57:38PM +0200, Toke Høiland-Jørgensen wrote: >> >> When CAKE is

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

2018-05-23 Thread Pablo Neira Ayuso
On Tue, May 22, 2018 at 04:11:06PM +0200, Toke Høiland-Jørgensen wrote: > Pablo Neira Ayuso writes: > > > Hi Toke, > > > > On Tue, May 22, 2018 at 03:57:38PM +0200, Toke Høiland-Jørgensen wrote: > >> When CAKE is deployed on a gateway that also performs NAT (which is a > >>

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

2018-05-23 Thread Toke Høiland-Jørgensen
David Miller writes: > From: Toke Høiland-Jørgensen > Date: Wed, 23 May 2018 23:05:16 +0200 > >> Ah, right, that could work. Is there any particular field in sk_buff >> we should stomp on for this purpose, or would you prefer a new one? >> Looking through it,

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

2018-05-23 Thread Toke Høiland-Jørgensen
David Miller writes: > From: Toke Høiland-Jørgensen > Date: Wed, 23 May 2018 22:38:30 +0200 > >> How would this work? > > On egress the core networking flow dissector records what you need > somewhere in SKB or wherever. You later retrieve it at egress time >

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

2018-05-23 Thread David Miller
From: Toke Høiland-Jørgensen Date: Wed, 23 May 2018 22:38:30 +0200 > How would this work? On egress the core networking flow dissector records what you need somewhere in SKB or wherever. You later retrieve it at egress time after NAT has occurred. > It's about making sure the

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

2018-05-23 Thread David Miller
From: Jonathan Morton Date: Wed, 23 May 2018 23:33:04 +0300 > Now I'm *really* confused. > > Are you saying that the user has to set up their own conntrack > mechanism using extra userspace commands? Because complicating the > setup process that way runs directly counter

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

2018-05-23 Thread Toke Høiland-Jørgensen
David Miller writes: > From: Toke Høiland-Jørgensen > Date: Tue, 22 May 2018 15:57:38 +0200 > >> When CAKE is deployed on a gateway that also performs NAT (which is a >> common deployment mode), the host fairness mechanism cannot distinguish >> internal hosts

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

2018-05-23 Thread Jonathan Morton
> On 23 May, 2018, at 11:04 pm, David Miller wrote: > > Who said anything about using an ingress qdisc to record/remember > this information? Now I'm *really* confused. Are you saying that the user has to set up their own conntrack mechanism using extra userspace

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

2018-05-23 Thread David Miller
From: Jonathan Morton Date: Wed, 23 May 2018 22:31:53 +0300 > Remember that it takes two different qdiscs to implement ingress and > egress on the same physical interface, and there's no obvious > logical link between them - especially since the ingress one has to > be

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

2018-05-23 Thread David Miller
From: Toke Høiland-Jørgensen Date: Tue, 22 May 2018 15:57:38 +0200 > When CAKE is deployed on a gateway that also performs NAT (which is a > common deployment mode), the host fairness mechanism cannot distinguish > internal hosts from each other, and so fails to work correctly. >

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

2018-05-22 Thread Toke Høiland-Jørgensen
Pablo Neira Ayuso writes: > Hi Toke, > > On Tue, May 22, 2018 at 03:57:38PM +0200, Toke Høiland-Jørgensen wrote: >> When CAKE is deployed on a gateway that also performs NAT (which is a >> common deployment mode), the host fairness mechanism cannot distinguish >> internal

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

2018-05-22 Thread Pablo Neira Ayuso
Hi Toke, On Tue, May 22, 2018 at 03:57:38PM +0200, Toke Høiland-Jørgensen wrote: > When CAKE is deployed on a gateway that also performs NAT (which is a > common deployment mode), the host fairness mechanism cannot distinguish > internal hosts from each other, and so fails to work correctly. > >

[Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

2018-05-22 Thread Toke Høiland-Jørgensen
When CAKE is deployed on a gateway that also performs NAT (which is a common deployment mode), the host fairness mechanism cannot distinguish internal hosts from each other, and so fails to work correctly. To fix this, we add an optional NAT awareness mode, which will query the kernel conntrack