From: Rozhuk Ivan
Date: Wed, 26 Jul 2023 02:13:22 +0300
To: Mason Loring Bliss
Cc: freebsd-net@freebsd.org
Subject: Re: ACK filtering?
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On Tue, 18 Jul 2023 00:03:59 -0400
Mason Loring Bliss wrote:

> I'm likely going to have to move to an Internet connection with
> asymmetric bandwidth soon, and I want to be proactive with the
> firewalling to avoid the connection choking on itself.
>
> There's a fair amount of documentation out there for bumping the
> priority on acks with pf and altq, and that seems reasonable, but is
> there anything equivalent I can do with ipfw? I'd prefer ipfw if
> possible, but I'll switch if I need to.
>

You can use ng_bpf for matching TCP ACK (if ipfw cannot, I have no idea about ipfw).

https://reviews.freebsd.org/D30175
http://netlab.dhis.org/wiki/software:freebsd:igmpproxy_on_netgraph

ipfw can work with netgraph, so you may adopt these samples from raw ethernet frames to IP packets.

The next step is to put all non TCP ACKs into dummynet with a limit of 90% of upstream bandwidth and pass TCP ACKs to upstream directly.
Also, DNS and ICMP are good to have at high prio.

For links > 10mbps you probably will not see a difference.
I stopped playing with that years ago )
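Added example, not part of the original message and not code from the linked samples: a user-space C illustration of the match a filter working on IP packets (offsets from the IP header, no Ethernet header) has to make before sending traffic past the shaper. The names `classify_ipv4`, `PKT_DIRECT` and `PKT_SHAPE` are hypothetical, and it assumes IPv4 only, "pure ACK" meaning ACK set with no SYN/FIN/RST and no payload, and DNS meaning UDP port 53.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum pkt_class { PKT_SHAPE, PKT_DIRECT };   /* hypothetical names */
enum { FL_FIN = 0x01, FL_SYN = 0x02, FL_RST = 0x04, FL_ACK = 0x10 };

/* Classify a raw IPv4 packet; offsets start at the IP header (no Ethernet).
 * PKT_DIRECT = bypass the shaper: pure TCP ACK, ICMP, DNS over UDP (assumed).
 * Anything else, and anything malformed or truncated, is PKT_SHAPE. */
enum pkt_class classify_ipv4(const uint8_t *p, size_t len)
{
    if (len < 20 || (p[0] >> 4) != 4)
        return PKT_SHAPE;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;      /* IP header length in bytes */
    size_t tot = ((size_t)p[2] << 8) | p[3];     /* IP total length */
    if (ihl < 20 || tot < ihl || tot > len)
        return PKT_SHAPE;
    if ((((p[6] & 0x1f) << 8) | p[7]) != 0)      /* later fragment: no L4 header */
        return PKT_SHAPE;
    const uint8_t *l4 = p + ihl;
    size_t l4len = tot - ihl;
    if (p[9] == 1)                               /* ICMP */
        return PKT_DIRECT;
    if (p[9] == 17 && l4len >= 8) {              /* UDP, either port 53 */
        unsigned sport = (l4[0] << 8) | l4[1], dport = (l4[2] << 8) | l4[3];
        return (sport == 53 || dport == 53) ? PKT_DIRECT : PKT_SHAPE;
    }
    if (p[9] == 6 && l4len >= 20) {              /* TCP */
        size_t doff = (size_t)(l4[12] >> 4) * 4; /* TCP header length */
        if (doff < 20 || doff > l4len)
            return PKT_SHAPE;
        /* Pure ACK: ACK set, no SYN/FIN/RST, nothing after the TCP header. */
        if ((l4[13] & FL_ACK) && !(l4[13] & (FL_SYN | FL_FIN | FL_RST)) && l4len == doff)
            return PKT_DIRECT;
    }
    return PKT_SHAPE;
}

/* Constructed sample: 20-byte IP header + 20-byte TCP header, flags = ACK. */
static const uint8_t sample_ack[40] = {
    0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0, 192, 0, 2, 1, 198, 51, 100, 7,
    0xc0, 0x00, 0x01, 0xbb, 0, 0, 0, 1, 0, 0, 0, 1, 0x50, 0x10, 0xff, 0xff, 0, 0, 0, 0 };

int main(void)
{
    printf("pure ACK -> %s\n", classify_ipv4(sample_ack, sizeof sample_ack) ? "direct" : "shape");
    return 0;
}
```

Requiring zero payload keeps data segments that merely carry the ACK flag (nearly every segment of an established connection) under the bandwidth limit.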