<guidosarducci>
ldir: Hi Kevin, act_ctinfo question: does it decapsulate? So with a 6in4 packet, does it look up the CT info for the outer ip4 conn or the inner ip6 conn?
zatwai has joined #openwrt-devel
<rsalvaterra>
mangix: Heh… haven't noticed that much of a difference from ld to gold, at least on this Pentium D 950… But I'll try on the i7-4770R one of these days.
<guidosarducci>
ldir: I see, thanks. That's not great for those using HE for IP6. You had a long answer too? :)
<ldir>
guidosarducci: the longer answer is that tunnels in general are difficult. think wireguard, think ssh tunnels.
<ldir>
I really don't have a magic answer.
PaulFertser has quit [Ping timeout: 244 seconds]
<guidosarducci>
ldir: Yeah, understood. I thought there might have been an update you're still mulling over.
silverwhitefish has quit [Quit: One for all, all for One (2 Corinthians 5)]
<ldir>
I wanted something that could exercise cake's diffserv capability for ingress packets, ideally without too much magic and/or learning ebpf. Inspiration arrived in the form of the conntrack firewall mark, could I stash something in there...say like the DSCP I wanted to (re)apply on ingress?
<guidosarducci>
ldir: In general, I would have liked to do things from BPF, but I've seen 3+ people start on CT bpf helpers in the last 3 years, and nothing merged/completed. It's getting to the point where I just might try myself (foolishly no doubt).
<guidosarducci>
ldir: but back then you wrote your module, so pressure dropped some...
<ldir>
so you can change the stored DSCP at any time you like, but how that relates to the incoming packet for that connection entry may change in the case of tunnels.
<guidosarducci>
ldir: and yes, stateful diffserv is the best way rather than some of the overcomplicated, micromanaging messes I've been seeing.
<ldir>
bpf is probably the way to do some decapsulation without the kernel people seeing an obvious layer violation
<ldir>
and I honestly don't know how conntrack sees the inner vs outer (tunnel) connections.
<guidosarducci>
ldir: the header parsing IIRC was straightforward in the BPF helper patches, but doing the CT MARK/LABEL updates would take some more work.
<ldir>
you probably don't need to update the CT MARK entry, but you do need to find the CT entry for the encapsulated packet.
<ldir>
I've been out of the programming loop for a long time now. I looked at act_ctinfo.c prompted by your question and went "did I really write that?" !
<guidosarducci>
ldir: from what I remember, there are separate connections for the outer ip4 and inner ip6, so doing the lookup is possible.
<jow>
ldir: I know that feeling :)
<guidosarducci>
ldir: Yikes! I have the same thought when I find something I wrote in a decades old C64 archive... Get used to it. That's the price of learning ;-)
<jow>
200.000+ LoC Perl project from about 15 years ago here...
SimJoSt has joined #openwrt-devel
<ldir>
^^^^^ really yikes!
<jow>
there's stuff in there I can't figure out at all anymore. Must've been the drugs back then
<rsalvaterra>
jow: It's called "experience". :)
PaulFertser has joined #openwrt-devel
<guidosarducci>
jow: that sounds like an opportunity for some deep pride or deep regret! Not understanding our own code is usually when we appreciate clarity and documentation, and "maintainability" means something...
<guidosarducci>
jow: ^^ 200K comment
<rsalvaterra>
You must always write code thinking of the poor sod who will have to fix a bug in it 5 years from now. Because that poor sod will probably be you. :P
<guidosarducci>
ldir: BTW being able to write ctmark from BPF meant being able to do everything in BPF without touching netfilter.
<ldir>
I think it's more 'use it or lose it', certainly in my case. I haven't used it 'cos I've been concentrating on using the stuff that basically keeps a roof over our heads here, so the hobby of openwrt/kernel really has to take a low priority....and some of it has been swapped out..I think to write only memory :-)
<stintel>
ow, making progress on that Firebox M300 o_O
<stintel>
I just learned that decompiling the OEM DTB gives a DTS full of lies!
<stintel>
that explains why nothing I tried worked so far
<ldir>
anyway it's late here so I'm going to turn in - see y'all later :-)
<stintel>
ldir: nn
PaulFertser has quit [Remote host closed the connection]
PaulFertser has joined #openwrt-devel
Robby has quit [Ping timeout: 260 seconds]
PaulFertser has quit [Ping timeout: 240 seconds]
black_ant has joined #openwrt-devel
black_ant has quit [Changing host]
black_ant has joined #openwrt-devel
<aparcar[m]>
anyone ever combined fuzzing and OpenWrt? ynezz ?