[WireGuard] fq, ecn, etc with wireguard

Dave Taht dave.taht at gmail.com
Mon Aug 29 22:15:15 CEST 2016


To try and answer your actual questions...

On Mon, Aug 29, 2016 at 12:23 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> Hi again,
>
> So I implemented a first stab of this, which I intend to refine with
> your feedback:
>
>     https://git.zx2c4.com/WireGuard/commit/?id=a2dfc902e942cce8d5da4a42d6aa384413e7fc81
>
>
> On the way out, the ECN is set to:
>
> outgoing_skb->tos = encap_ecn(0, inner_skb->tos);
>
> where encap_ecn is defined as:
>
> u8 encap_ecn(u8 outer, u8 inner)
> {
>         outer &= ~INET_ECN_MASK;
>         outer |= !INET_ECN_is_ce(inner) ? (inner & INET_ECN_MASK) :
>                                           INET_ECN_ECT_0;
>         return outer;
> }
>
> Since outer goes in as 0, this function can be reduced to simply:
>
> outgoing_skb->tos = !INET_ECN_is_ce(inner_skb->tos) ? (inner_skb->tos
> & INET_ECN_MASK) : INET_ECN_ECT_0;
>
> QUESTION A: is 0 a good value to use here as outer? Or, in fact,
> should I use the tos value that comes from the routing table for the
> outer route?

The outer routing table is read for where stuff comes in in the first
place from the packet to make the routing decision.

As in general dscp values are not preserved end to end and can cause
re-ordering when they are, it's best to use your own dscp value
consistently for the outer header and not vary it within the vpn flow
based on the inner header.

There is a keyword in the ip command (inherit) that can be applied to
switch on or off these behaviors.

Short answer is - stick with 0.

>
> On the way in, the ECN is set to:
>
> if (INET_ECN_is_ce(outer_skb->tos))
>         IP_ECN_set_ce(inner_skb->tos)

This is not correct. (I think my definitions of in and out are different.)

if (INET_ECN_is_ce(outer_skb->tos) && (inner_skb->tos & 3) != 0) // sorry don't have the macro in my head
        IP_ECN_set_ce(inner_skb->tos);



>
> I do NOT compute the following:
>
>         if (INET_ECN_is_not_ect(inner)) {
>                 switch (outer & INET_ECN_MASK) {
>                 case INET_ECN_NOT_ECT:
>                         return EVERYTHING_IS_OKAY;
>                 case INET_ECN_ECT_0:
>                 case INET_ECN_ECT_1:
>                         return BROKEN_SO_LOG_PACKET;
>                 case INET_ECN_CE:
>                         return BROKEN_SO_DROP_PACKET;
>                 }
>         }
>
> QUESTION B: is it okay that I do not compute the above checks? Or is
> this potentially very problematic?
>
>
> I await your answer on questions A and B.
>
> Thanks,
> Jason



-- 
Dave Täht
Let's go make home routers and wifi faster! With better software!
http://blog.cerowrt.org
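
An added example, not code from this thread or from the WireGuard source: a stand-alone C model of the ECN handling discussed above, using the quoted encap_ecn() logic on the way out and, on the way in, the reply's condition (copy an outer CE mark only onto an ECN-capable inner packet) together with the not-ECT checks from question B. The ECN_* names and the verdict enum are hypothetical stand-ins for the kernel's INET_ECN_* macros and the placeholder constants in the quoted check.

```c
#include <stdint.h>
#include <stdio.h>

/* ECN codepoints: the low two bits of the IPv4 TOS byte (RFC 3168). */
enum { ECN_NOT_ECT = 0, ECN_ECT_1 = 1, ECN_ECT_0 = 2, ECN_CE = 3, ECN_MASK = 3 };

/* Hypothetical verdicts, modelled on the constants in the quoted check. */
enum ecn_verdict { ECN_OK, ECN_LOG, ECN_DROP };

/* Outbound: same logic as the quoted encap_ecn(). The inner ECN field is
 * copied to the outer header, except that an inner CE goes out as ECT(0).
 * Only the ECN bits come from the inner packet; the DSCP bits of `outer`
 * are kept, so passing outer = 0 gives a constant DSCP for the tunnel. */
uint8_t ecn_encap(uint8_t outer, uint8_t inner)
{
    uint8_t ecn = inner & ECN_MASK;

    if (ecn == ECN_CE)
        ecn = ECN_ECT_0;
    return (uint8_t)((outer & ~ECN_MASK) | ecn);
}

/* Inbound: an outer CE mark is copied to the inner header only when the
 * inner packet is ECN-capable. A not-ECT inner packet is never marked;
 * the outer/inner mismatch is reported as in the quoted switch statement. */
enum ecn_verdict ecn_decap(uint8_t outer, uint8_t *inner)
{
    uint8_t o = outer & ECN_MASK, i = *inner & ECN_MASK;

    if (i == ECN_NOT_ECT) {
        if (o == ECN_NOT_ECT)
            return ECN_OK;
        return o == ECN_CE ? ECN_DROP : ECN_LOG;
    }
    if (o == ECN_CE)
        *inner |= ECN_CE;
    return ECN_OK;
}

int main(void)
{
    /* Constructed input: every outer/inner ECN combination. */
    for (uint8_t o = 0; o <= ECN_MASK; o++)
        for (uint8_t i = 0; i <= ECN_MASK; i++) {
            uint8_t in = i;
            enum ecn_verdict v = ecn_decap(o, &in);
            printf("outer=%u inner=%u -> inner=%u verdict=%d\n", o, i, in, v);
        }
    return 0;
}
```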

