| .TH "ctinfo action in tc" 8 "4 Jun 2019" "iproute2" "Linux" |
| .SH NAME |
| ctinfo \- tc connmark processing action |
| .SH SYNOPSIS |
| .B tc ... action ctinfo |
| [ |
| .B dscp |
| MASK [STATEMASK] ] [ |
| .B cpmark |
| [MASK] ] [ |
| .B zone |
| ZONE ] [ |
| .B CONTROL |
| ] [ |
| .B index |
| <INDEX> |
| ] |
| |
| .SH DESCRIPTION |
| CTINFO (Conntrack Information) is a tc action for retrieving data from |
| conntrack marks into various fields. At present it has two independent |
| processing modes which may be viewed as sub-functions. |
| |
| DSCP mode copies a DSCP stored in conntrack's connmark into the IPv4/v6 diffserv |
| field. The copying may conditionally occur based on a flag also stored in the |
| connmark. DSCP mode was designed to assist in restoring packet classifications on |
| ingress, classifications which may then be used by qdiscs such as CAKE. It may be |
| used in any circumstance where ingress classification needs to be maintained across |
| links that otherwise bleach or remap according to their own policies. |
| |
| CPMARK (copymark) mode copies the conntrack connmark into the packet's mark field. Without |
| additional parameters it is functionally completely equivalent to the existing |
| connmark action. An optional mask may be specified to mask which bits of the |
| connmark are restored. This may be useful when DSCP and CPMARK modes are combined. |
| |
| Simple statistics (tc -s) on DSCP restores and CPMARK copies are maintained where values for |
| set indicate a count of packets altered for that mode. DSCP includes an error count |
| where the destination packet's diffserv field was unwriteable. |
| .SH PARAMETERS |
| .SS DSCP mode parameters: |
| .IP mask |
| A mask of 6 contiguous bits indicating where the DSCP value is located in the 32 bit |
| conntrack mark field. A mask must be provided for this mode. mask is a 32 bit |
| unsigned value. |
| .IP statemask |
| A mask of at least 1 bit indicating where a conditional restore flag is located in the |
| 32 bit conntrack mark field. The statemask bit/s must NOT overlap the mask bits. The |
| DSCP will be restored if the conntrack mark logically ANDed with the statemask yields |
| a non-zero result. statemask is an optional unsigned 32 bit value. |
| .SS CPMARK mode parameters: |
| .IP mask |
| Store the logically ANDed result of conntrack mark and mask into the packet's mark |
| field. Default is 0xffffffff i.e. the whole mark field. mask is an optional unsigned 32 bit |
| value |
| .SS Overall action parameters: |
| .IP zone |
| Specify the conntrack zone when doing conntrack lookups for packets. |
| zone is a 16bit unsigned decimal value. |
| Default is 0. |
| .IP CONTROL |
| The following keywords allow to control how the tree of qdisc, classes, |
| filters and actions is further traversed after this action. |
| .RS |
| .TP |
| .B reclassify |
| Restart with the first filter in the current list. |
| .TP |
| .B pipe |
| Continue with the next action attached to the same filter. |
| .TP |
| .B drop |
| Drop the packet. |
| .TP |
| .B shot |
| synonym for |
| .B drop |
| .TP |
| .B continue |
| Continue classification with the next filter in line. |
| .TP |
| .B pass |
| Finish classification process and return to calling qdisc for further packet |
| processing. This is the default. |
| .RE |
| .IP index |
| Specify an index for this action in order to being able to identify it in later |
| commands. index is a 32bit unsigned decimal value. |
| .SH EXAMPLES |
| Example showing conditional restoration of DSCP on ingress via an IFB |
| .RS |
| .EX |
| |
| #Set up the IFB interface |
| .br |
| tc qdisc add dev ifb4eth0 handle ffff: ingress |
| |
| #Put CAKE qdisc on it |
| .br |
| tc qdisc add dev ifb4eth0 root cake bandwidth 40mbit |
| |
| #Set interface UP |
| .br |
| ip link set dev ifb4eth0 up |
| |
| #Add 2 actions, ctinfo to restore dscp & mirred to redirect the packets to IFB |
| .br |
| tc filter add dev eth0 parent ffff: protocol all prio 10 u32 \\ |
| match u32 0 0 flowid 1:1 action \\ |
| ctinfo dscp 0xfc000000 0x01000000 \\ |
| mirred egress redirect dev ifb4eth0 |
| |
| tc -s qdisc show dev eth0 ingress |
| |
| filter parent ffff: protocol all pref 10 u32 chain 0 |
| filter parent ffff: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1 |
| filter parent ffff: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 not_in_hw |
| match 00000000/00000000 at 0 |
| action order 1: ctinfo zone 0 pipe |
| index 2 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 72 sec used 0 sec DSCP set 1333 error 0 CPMARK set 0 |
| Action statistics: |
| Sent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0) |
| backlog 0b 0p requeues 0 |
| |
| action order 2: mirred (Egress Redirect to device ifb4eth0) stolen |
| index 1 ref 1 bind 1 installed 72 sec used 0 sec |
| Action statistics: |
| Sent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0) |
| backlog 0b 0p requeues 0 |
| .EE |
| .RE |
| |
| Example showing conditional restoration of DSCP on egress |
| |
| This may appear nonsensical since iptables marking of egress packets is easy |
| to achieve, however the iptables flow classification rules may be extensive |
| and so some sort of set once and forget may be useful especially on cpu |
| constrained devices. |
| .RS |
| .EX |
| |
| # Send unmarked connections to a marking chain which needs to store a DSCP |
| and set statemask bit in the connmark |
| .br |
| iptables -t mangle -A POSTROUTING -o eth0 -m connmark \\ |
| --mark 0x00000000/0x01000000 -g CLASS_MARKING_CHAIN |
| |
| # Apply marked DSCP to the packets |
| .br |
| tc filter add dev eth0 protocol all prio 10 u32 \\ |
| match u32 0 0 flowid 1:1 action \\ |
| ctinfo dscp 0xfc000000 0x01000000 |
| |
| tc -s filter show dev eth0 |
| filter parent 800e: protocol all pref 10 u32 chain 0 |
| filter parent 800e: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1 |
| filter parent 800e: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 not_in_hw |
| match 00000000/00000000 at 0 |
| action order 1: ctinfo zone 0 pipe |
| index 1 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 7414 sec used 0 sec DSCP set 53404 error 0 CPMARK set 0 |
| Action statistics: |
| Sent 32890260 bytes 120441 pkt (dropped 0, overlimits 0 requeues 0) |
| backlog 0b 0p requeues 0 |
| .br |
| .SH SEE ALSO |
| .BR tc (8), |
| .BR tc-cake (8) |
| .BR tc-connmark (8) |
| .BR tc-mirred (8) |
| .SH AUTHORS |
| ctinfo was written by Kevin Darbyshire-Bryant. |