Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

> On 23 May 2018, at 23:40, Toke Høiland-Jørgensen wrote: > > > Hmm, and we still have an issue with ingress filtering (where cake is > running on an ifb interface). That runs pre-NAT in the conntrack case, > and we can't do the RX trick. Here we do the lookup manually in > conntrack (and thi

Re: [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

Pablo Neira Ayuso writes: > On Tue, May 22, 2018 at 04:11:06PM +0200, Toke Høiland-Jørgensen wrote: >> Pablo Neira Ayuso writes: >> >> > Hi Toke, >> > >> > On Tue, May 22, 2018 at 03:57:38PM +0200, Toke Høiland-Jørgensen wrote: >> >> When CAKE is deployed on a gateway that also performs NAT (wh

Re: [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

On Tue, May 22, 2018 at 04:11:06PM +0200, Toke Høiland-Jørgensen wrote: > Pablo Neira Ayuso writes: > > > Hi Toke, > > > > On Tue, May 22, 2018 at 03:57:38PM +0200, Toke Høiland-Jørgensen wrote: > >> When CAKE is deployed on a gateway that also performs NAT (which is a > >> common deployment mode

Re: [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

David Miller writes: > From: Toke Høiland-Jørgensen > Date: Wed, 23 May 2018 23:05:16 +0200 > >> Ah, right, that could work. Is there any particular field in sk_buff >> we should stomp on for this purpose, or would you prefer a new one? >> Looking through it, the only obvious one that comes to m

Re: [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

From: Toke Høiland-Jørgensen Date: Wed, 23 May 2018 23:05:16 +0200 > Ah, right, that could work. Is there any particular field in sk_buff > we should stomp on for this purpose, or would you prefer a new one? > Looking through it, the only obvious one that comes to mind is, well, > skb->_nfct :) >

Re: [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

David Miller writes: > From: Toke Høiland-Jørgensen > Date: Wed, 23 May 2018 22:38:30 +0200 > >> How would this work? > > On egress the core networking flow dissector records what you need > somewhere in SKB or wherever. You later retrieve it at egress time > after NAT has occurred. Ah, right,

Re: [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

From: Toke Høiland-Jørgensen Date: Wed, 23 May 2018 22:38:30 +0200 > How would this work? On egress the core networking flow dissector records what you need somewhere in SKB or wherever. You later retrieve it at egress time after NAT has occurred. > It's about making sure the per-host fairness

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

From: Jonathan Morton Date: Wed, 23 May 2018 23:33:04 +0300 > Now I'm *really* confused. > > Are you saying that the user has to set up their own conntrack > mechanism using extra userspace commands? Because complicating the > setup process that way runs directly counter to Cake's design > phil

Re: [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

David Miller writes: > From: Toke Høiland-Jørgensen > Date: Tue, 22 May 2018 15:57:38 +0200 > >> When CAKE is deployed on a gateway that also performs NAT (which is a >> common deployment mode), the host fairness mechanism cannot distinguish >> internal hosts from each other, and so fails to wor

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

> On 23 May, 2018, at 11:04 pm, David Miller wrote: > > Who said anything about using an ingress qdisc to record/remember > this information? Now I'm *really* confused. Are you saying that the user has to set up their own conntrack mechanism using extra userspace commands? Because complicatin

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

From: Jonathan Morton Date: Wed, 23 May 2018 22:31:53 +0300 > Remember that it takes two different qdiscs to implement ingress and > egress on the same physical interface, and there's no obvious > logical link between them - especially since the ingress one has to > be attached to an ifb, not to

Re: [Cake] [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

> On 23 May, 2018, at 9:44 pm, David Miller wrote: > > I'd much rather you do something NAT method agnostic, like save > or compute the necessary information on ingress and then later > use it on egress. We were under the impression that conntrack was the cleanest and most correct way to convey

Re: [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

From: Toke Høiland-Jørgensen Date: Tue, 22 May 2018 15:57:38 +0200 > When CAKE is deployed on a gateway that also performs NAT (which is a > common deployment mode), the host fairness mechanism cannot distinguish > internal hosts from each other, and so fails to work correctly. > > To fix this,

Re: [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

Pablo Neira Ayuso writes: > Hi Toke, > > On Tue, May 22, 2018 at 03:57:38PM +0200, Toke Høiland-Jørgensen wrote: >> When CAKE is deployed on a gateway that also performs NAT (which is a >> common deployment mode), the host fairness mechanism cannot distinguish >> internal hosts from each other, a

Re: [PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

Hi Toke, On Tue, May 22, 2018 at 03:57:38PM +0200, Toke Høiland-Jørgensen wrote: > When CAKE is deployed on a gateway that also performs NAT (which is a > common deployment mode), the host fairness mechanism cannot distinguish > internal hosts from each other, and so fails to work correctly. > >

[PATCH net-next v15 4/7] sch_cake: Add NAT awareness to packet classifier

When CAKE is deployed on a gateway that also performs NAT (which is a common deployment mode), the host fairness mechanism cannot distinguish internal hosts from each other, and so fails to work correctly. To fix this, we add an optional NAT awareness mode, which will query the kernel conntrack me