Open Source and information security mailing list archives
 
Date:   Thu, 26 Mar 2020 13:50:45 +0100
From:   Toke Høiland-Jørgensen <toke@...hat.com>
To:     Philip Prindeville <philipp_subx@...fish-solutions.com>,
        netdev@...r.kernel.org
Subject: Re: Fwd: tc question about ingress bandwidth splitting

Philip Prindeville <philipp_subx@...fish-solutions.com> writes:

> Had originally posted this to LARTC but realized that “netdev” is
> probably the better forum.
>
> Was hoping someone familiar with the nuts and bolts of tc and
> scheduler minutiae could help me come up with a configuration to use
> as a starting point, then I could tweak it, gather some numbers, make
> graphs etc, and write a LARTC or LWN article around the findings.
>
> I’d be trying to do shaping in both directions. Sure, egress shaping
> is trivial and obviously works.
>
> But I was also thinking about ingress shaping on the last hop, i.e. as
> traffic flows into the last-hop CPE router, and limiting/delaying it
> so that the entire end-to-end path is appropriately perceived by the
> sender, since the effective bandwidth of a [non-multipath] route is
> the min bandwidth of all individual hops, right?

Indeed, we have been using ingress shaping to combat bufferbloat for
years, and it works quite well (although you may have to set it a few %
lower than your actual line speed). There's even a separate mode in
sch_cake specifically for this purpose.

> So that min could be experienced at the final hop before the receiver
> as delay injected between packets to shape the bitrate.
>
> How far off-base am I?
>
> And what would some tc scripting look like to measure my thesis?

Take a look at sqm-scripts: https://github.com/tohojo/sqm-scripts

It's basically a collection of scripts to set up the kind of bandwidth
shaper you're talking about, with various configuration options. It
is packaged for OpenWrt, but you can also install it on a regular Linux
box.

Now, it doesn't specifically do the kind of guest/production split
you're talking about. However, it does have a script (simple.qos) that
does a three-tier shaping based on different DiffServ markings. If you
start from that, you should be able to change the classification and
bandwidth tiers to suit your purposes.

Having said that, however...

...Are you sure you really need to split bandwidth that way? Usually,
people do this because they don't want the 'guest' traffic to negatively
impact 'their own' usage of the network. But really, with a correctly
de-bloated link, this is much less of an issue than people think. And
with the per-host isolation feature of sch_cake[0], it becomes even less
so.

Not saying you are definitely wrong to pursue this kind of throttling of
your guest network, of course. Just encouraging you to keep an open mind
and test out the other feature first; you may find that it solves your
problem well enough to be worth the decrease in complexity :)

-Toke


[0] See the section 'To enable Per-Host Isolation' here: https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm-details#making_cake_sing_and_dance_on_a_tight_rope_without_a_safety_net_aka_advanced_features
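
The ingress shaping and per-host isolation mentioned in the reply above, as an added example that is not part of the original message and is not taken from sqm-scripts: a dry-run generator that prints the commands for redirecting WAN ingress through an IFB device shaped by sch_cake. The interface names, the 100 Mbit/s line rate, the 5% margin and the assumption that the router does NAT are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message or sqm-scripts).
# Prints, without executing, the commands for an ingress shaper built
# from an IFB device and sch_cake. Pipe the output to `sh` as root to apply.

# shaped_rate LINE_KBIT MARGIN_PCT
# Shaper rate set a few percent below the line rate, in kbit/s.
shaped_rate() {
    echo $(( $1 * (100 - $2) / 100 ))
}

# ingress_shaper_cmds WAN IFB LINE_KBIT MARGIN_PCT
ingress_shaper_cmds() {
    wan=$1
    ifb=$2
    rate=$(shaped_rate "$3" "$4")
    cat <<EOF
ip link add name $ifb type ifb
ip link set dev $ifb up
tc qdisc add dev $wan handle ffff: ingress
tc filter add dev $wan parent ffff: protocol all matchall action mirred egress redirect dev $ifb
tc qdisc add dev $ifb root cake bandwidth ${rate}kbit ingress dual-dsthost nat
EOF
}

# Constructed sample values: WAN on eth0, 100 Mbit/s downlink, 5% margin.
# 'ingress' selects cake's ingress mode; 'dual-dsthost' shares the downlink
# fairly between destination hosts; 'nat' (assumes a NAT router) makes cake
# look up the internal addresses behind the translation.
ingress_shaper_cmds eth0 ifb0 100000 5
```

To undo the setup, delete the ingress qdisc on the WAN interface and remove the IFB link.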
