1 From 5a4d7714faa28c03e85d696fba82716fbda5c432 Mon Sep 17 00:00:00 2001
2 From: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
3 Date: Sat, 23 Mar 2019 09:29:49 +0000
4 Subject: [PATCH] netfilter: connmark: introduce savedscp
6 savedscp is a method of storing the DSCP of an ip packet into conntrack
7 mark. In combination with a suitable tc filter action (conndscp but may
8 end up being integrated into connmark) DSCP values are able to be stored
9 on egress and restored on ingress across links that otherwise alter or
12 This is useful for qdiscs such as CAKE which are able to shape according
13 to policies based on DSCP.
15 Ingress classification is traditionally a challenging task since
16 iptables rules haven't yet run and tc filter/eBPF programs are pre-NAT
17 lookups, hence are unable to see internal IPv4 addresses as used on the
18 typical home masquerading gateway.
20 The ingress problem is solved by the tc filter, but the tc people didn't
21 like the idea of tc setting conntrack mark values, though they are ok
22 with reading conntrack values and hence restoring DSCP from conntrack
25 x_tables CONNMARK with the new savedscp action solves the problem of
26 storing the DSCP to the conntrack mark.
28 It accepts 2 parameters. The mark is a 32bit value with usually one 1
29 bit set. This bit is set when savedscp saves the DSCP to the mark.
30 This is useful to implement a 'one shot'
31 iptables based classification where the 'complicated' iptables rules are
32 only run once to classify the connection on initial (egress) packet and
33 subsequent packets are all marked/restored with the same DSCP. A mark
34 of zero disables the setting of a status bit/s.
36 The mask is a 32bit value of at least 6 contiguous bits and represents
37 the area where the DSCP will be stored.
41 iptables -A QOS_MARK_eth0 -t mangle -j CONNMARK --savedscp-mark 0xfc000000/0x01000000
43 Would store the DSCP in the top 6 bits of the 32bit mark field, and use
44 the LSB of the top byte as the 'DSCP has been stored' marker.
46 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
48 include/uapi/linux/netfilter/xt_connmark.h | 3 ++-
49 net/netfilter/xt_connmark.c | 21 ++++++++++++++++++++-
50 2 files changed, 22 insertions(+), 2 deletions(-)
52 diff --git a/include/uapi/linux/netfilter/xt_connmark.h b/include/uapi/linux/netfilter/xt_connmark.h
53 index 408a9654f05c..e63ad3c89b92 100644
54 --- a/include/uapi/linux/netfilter/xt_connmark.h
55 +++ b/include/uapi/linux/netfilter/xt_connmark.h
61 + XT_CONNMARK_RESTORE,
62 + XT_CONNMARK_SAVEDSCP
65 struct xt_connmark_tginfo1 {
66 diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
67 index ec377cc6a369..aa5bcea8f9ba 100644
68 --- a/net/netfilter/xt_connmark.c
69 +++ b/net/netfilter/xt_connmark.c
70 @@ -42,6 +42,7 @@ connmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
71 enum ip_conntrack_info ctinfo;
74 + u_int8_t dscp, maskshift;
76 ct = nf_ct_get(skb, &ctinfo);
78 @@ -57,7 +58,25 @@ connmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
80 case XT_CONNMARK_SAVE:
81 newmark = (ct->mark & ~info->ctmask) ^
82 - (skb->mark & info->nfmask);
83 + (skb->mark & info->nfmask);
84 + if (ct->mark != newmark) {
86 + nf_conntrack_event_cache(IPCT_MARK, ct);
89 + case XT_CONNMARK_SAVEDSCP:
90 + if (skb->protocol == htons(ETH_P_IP))
91 + dscp = ipv4_get_dsfield(ip_hdr(skb)) >> 2;
92 + else if (skb->protocol == htons(ETH_P_IPV6))
93 + dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> 2;
94 + else /* protocol doesn't have diffserv */
97 + /* nfmask contains the mask shift value */
98 + maskshift = info->nfmask & 0x1f;
99 + newmark = (ct->mark & ~info->ctmark) |
100 + (info->ctmask | (dscp << maskshift));
102 if (ct->mark != newmark) {
104 nf_conntrack_event_cache(IPCT_MARK, ct);
106 2.20.1 (Apple Git-117)
projects / openwrt / staging / wigyori.git / blob