dtaht / sch_cake

Out of tree build for the new cake qdisc

ingress trafic with fwmark not working #157

Closed didgaudin closed 1 year ago

didgaudin commented 1 year ago

Hi, I want to send a flow that already has a fwmark to a specified class. My filter is OK for egress traffic, but not for ingress. For example, with this script I want to send packets with fwmark 0x51 to the bulk class for egress and ingress. I do not understand why the ingress uses Best Effort.

tc qdisc replace dev ifb0 root handle 1: cake bandwidth 20mbit autorate-ingress diffserv4 nat ack-filter-aggressive regional ingress
tc qdisc replace dev eth1 root handle 2: cake bandwidth 2mbit autorate-ingress diffserv4 nat ack-filter-aggressive regional
ip link set ifb0 up

tc qdisc add dev eth1 handle ffff: ingress
tc filter add dev eth1 parent ffff: matchall action mirred egress redirect dev ifb0

tc filter add dev eth1 pref 1 parent 2:0 handle 0x51/0x0000ffff fw action skbedit priority 2:1
tc filter add dev ifb0 pref 1 parent 1:0 handle 0x51/0x0000ffff fw action skbedit priority 1:1

tc -s qdisc sh dev ifb0 => no packets on Bulk

               Bulk  Best Effort        Video        Voice
  thresh    5432bit     86960bit     43480bit     21736bit
  target      3.34s        209ms        418ms        836ms
  interval    6.69s        418ms        836ms        1.67s
  pk_delay      0us       10.8ms          0us       5.19ms
  av_delay      0us       1.69ms          0us       2.21ms
  sp_delay      0us         76us          0us        102us
  backlog        0b           0b           0b           0b
  pkts            0         7818            0         7335
  bytes           0       695838            0       425964

tc -s qdisc sh dev eth1 => I have packets on Bulk

               Bulk  Best Effort        Video        Voice
  thresh     112bit      1912bit       952bit       472bit
  target      35.5s         9.5s        19.1s        35.5s
  interval      71s          19s        38.2s          71s
  pk_delay    2.26s        4.33s        179ms        18.1s
  av_delay    151ms        325ms          6ms        3.37s
  sp_delay   49.5ms        184ms       1.06ms       68.4ms
  backlog      196b         993b           0b        1335b
  pkts         1004        40522         6273          779
  bytes       98392      2753084       614754        73154

filter stats: tc -s filter sh dev ifb0 => shows 0 bytes and 0 packets

filter parent 1: protocol all pref 1 fw chain 0
filter parent 1: protocol all pref 1 fw chain 0 handle 0x51/0xffff

action order 1: skbedit  priority 1:1 pipe
 index 2 ref 1 bind 1 installed 1356 sec used 1356 sec
Action statistics:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
backlog 0b 0p requeues 0

and

tc -s filter sh dev eth1

filter parent 2: protocol all pref 1 fw chain 0
filter parent 2: protocol all pref 1 fw chain 0 handle 0x51/0xffff

action order 1: skbedit  priority 2:1 pipe
 index 1 ref 1 bind 1 installed 1271 sec used 265 sec firstused 1270 sec
Action statistics:
Sent 98392 bytes 1004 pkt (dropped 0, ....

Thanks for your help

tohojo commented 1 year ago

How are you setting the fwmark? IIRC, the ingress qdisc runs before netfilter gets a chance to process the packet, so any firewall rules setting marks will not have been processed at that point...

didgaudin commented 1 year ago

I use fwmarks to select a specific routing table (ip rule). All fwmarks are saved into the conntrack and restored in mangle PREROUTING.

tohojo commented 1 year ago

Right, that won't work, unfortunately; the ingress qdisc runs before the netfilter one:

https://elixir.bootlin.com/linux/latest/source/net/core/dev.c#L5353

(sch_handle_ingress is the qdisc, nf_ingress is netfilter)

didgaudin commented 1 year ago

It's a shame that cake can't; I already use the fwmarks for the ingress traffic of the HTB qdiscs, and it works well.

tohojo commented 1 year ago

This has nothing to do with CAKE, it's how the kernel handles the traffic. How are you setting this up for HTB if that works?

didgaudin commented 1 year ago

To send traffic to a class:

tc filter replace dev ifb0 parent 1: prio 100 handle 0x93/0x0000ffff fw classid 1:7

The flow with fwmark 0x93 is sent to HTB class id 1:7, for example.

didgaudin commented 1 year ago

I have found my mistake: I used a generic example with this filter action:

tc filter add dev eth1 parent ffff: matchall action mirred egress redirect dev ifb0

I have replaced it by this:

tc filter add dev eth1 parent ffff: u32 match u32 0 0 action connmark action mirred egress redirect dev ifb0

Works great!!

tohojo commented 1 year ago

Ah! That "action connmark" restores the mark as part of the redirect, so that would explain it :)

(You can use 'matchall' instead of 'match u32 u32 0 0', as long as that action is there).
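The working setup from this thread, as an added example that is not code from the issue or from the sch_cake project: a POSIX shell function that prints the ifb/CAKE ingress commands with "action connmark" placed before the mirred redirect, so the fw filter on the ifb sees the mark that netfilter saved in conntrack. Interface names, handles, bandwidth, mark and tin are parameters; the `ip link add ... type ifb` step is an assumption the thread does not show (it already had ifb0).

```shell
#!/bin/sh
# Added example, not from the issue or the sch_cake project.
# Prints (does not run) the tc commands for CAKE ingress shaping on an ifb.
# The key point from the thread: the ingress qdisc runs before netfilter, so
# the conntrack-saved mark must be restored by "action connmark" in the
# redirect filter itself, before mirred hands the skb to the ifb.
# Arguments: WAN IFB BANDWIDTH MARK TIN   (e.g. eth1 ifb0 20mbit 0x51 1)
# TIN is the diffserv4 tin selected via skb priority: 1=Bulk 2=Best Effort
# 3=Video 4=Voice (priority major 1: matches the ifb root handle 1:).
cake_ingress_cmds() {
    wan="$1"; ifb="$2"; bw="$3"; mark="$4"; tin="$5"
    cat <<EOF
ip link add $ifb type ifb
ip link set $ifb up
tc qdisc replace dev $ifb root handle 1: cake bandwidth $bw autorate-ingress diffserv4 nat ack-filter-aggressive regional ingress
tc qdisc add dev $wan handle ffff: ingress
tc filter add dev $wan parent ffff: matchall action connmark action mirred egress redirect dev $ifb
tc filter add dev $ifb pref 1 parent 1:0 handle $mark/0x0000ffff fw action skbedit priority 1:$tin
EOF
}

# Check that the generated redirect filter restores the mark before mirred;
# without it the fw filter on the ifb matches nothing (0 pkts, as in the issue).
redirect_restores_mark() {
    cake_ingress_cmds "$@" | grep -q 'action connmark action mirred'
}

# To apply for real (root; needs the ifb, act_connmark and sch_cake modules):
#   cake_ingress_cmds eth1 ifb0 20mbit 0x51 1 | sh -e
```

Whether the mark actually reaches the ifb is visible in `tc -s filter sh dev ifb0`: the fw filter's skbedit action counters should climb instead of staying at 0 pkt.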

didgaudin commented 1 year ago

Thanks a lot for your answers, I close the issue