Ipq807x NSS build, Kmod-Netem not working

BramWrt · January 1, 2025, 2:55pm

Hello all. I'm using a Dynalink WRX36 router with a custom NSS build, with Kmod-netem successfully installed and up to date. However, no netem command I enter makes any difference to the connection. When tried on other routers with netem, it works fine, just this one it doesn't. Any advice?

Thanks

slh · January 2, 2025, 7:37am

I can very easily imagine NSS being a major part of your problem, so please test without it.

NSS works by circumventing large parts of the netfilter code and instead running it inside proprietary code on dedicated hardware cores. It's very easy to imagine that the NSS code itself can't do what you're looking for - and at the same time doesn't recognize this being beyond its abilities and not handing it off to the regular netfilter code. Reasons may include:

NSS firmware being buggy
NSS kernel code being buggy
the patch glue to make qsdk's NSS available to your non-vanilla OpenWrt community build being at fault
misconfiguration of the NSS modules in your build

...there are reasons why I avoid acceleration and offloading, but rather throw faster hardware at the problem instead. The kernel's own netfilter code gets a lot of real world testing, exotic use cases and out-of-tree/ exotic offloading helpers are more likely to bring out the fireworks.

BramWrt · January 2, 2025, 4:45pm

Well interestingly, I have found that with a wireguard vpn on, in any location, will enable Netem to work. If I ask for 20 extra ping, it simply adds it. If i then disable the VPN, netem goes back to having no effect

BramWrt · January 2, 2025, 4:46pm

In this case, would you just run your WRX36 on single core?

slh · January 2, 2025, 5:47pm

Either that, or replace it with more capable hardware (x86_64, filogic 830/ 880). And i have done that with my ipq8071a based Xiaomi ax3600 (and ipq806x with nbg6817 and g10 before), so that's not theoretical babble (using an Atom based x86_64 system as wired-only router), at no point did I consider NSS to be a viable option.

Your wireguard findings do affirm my suspicion, NSS can't offload wireguard traffic. This means the packets are taking the normal route through netfilter and can be influenced by the kernel and netem.

BramWrt · January 2, 2025, 7:06pm

Interesting. Good to know. I seem to be getting 940 throughput with the wireguard, but if that's not utilising NSS then I assume there is no benefit from it, and I may as well run single core.

Thanks