|
Packit Service |
3880ab |
.TH "ctinfo action in tc" 8 "4 Jun 2019" "iproute2" "Linux"
|
|
Packit Service |
3880ab |
.SH NAME
|
|
Packit Service |
3880ab |
ctinfo \- tc connmark processing action
|
|
Packit Service |
3880ab |
.SH SYNOPSIS
|
|
Packit Service |
3880ab |
.B tc ... action ctinfo
|
|
Packit Service |
3880ab |
[
|
|
Packit Service |
3880ab |
.B dscp
|
|
Packit Service |
3880ab |
MASK [STATEMASK] ] [
|
|
Packit Service |
3880ab |
.B cpmark
|
|
Packit Service |
3880ab |
[MASK] ] [
|
|
Packit Service |
3880ab |
.B zone
|
|
Packit Service |
3880ab |
ZONE ] [
|
|
Packit Service |
3880ab |
.B CONTROL
|
|
Packit Service |
3880ab |
] [
|
|
Packit Service |
3880ab |
.B index
|
|
Packit Service |
3880ab |
<INDEX>
|
|
Packit Service |
3880ab |
]
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
.SH DESCRIPTION
|
|
Packit Service |
3880ab |
CTINFO (Conntrack Information) is a tc action for retrieving data from
|
|
Packit Service |
3880ab |
conntrack marks into various fields. At present it has two independent
|
|
Packit Service |
3880ab |
processing modes which may be viewed as sub-functions.
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
DSCP mode copies a DSCP stored in conntrack's connmark into the IPv4/v6 diffserv
|
|
Packit Service |
3880ab |
field. The copying may conditionally occur based on a flag also stored in the
|
|
Packit Service |
3880ab |
connmark. DSCP mode was designed to assist in restoring packet classifications on
|
|
Packit Service |
3880ab |
ingress, classifications which may then be used by qdiscs such as CAKE. It may be
|
|
Packit Service |
3880ab |
used in any circumstance where ingress classification needs to be maintained across
|
|
Packit Service |
3880ab |
links that otherwise bleach or remap according to their own policies.
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
CPMARK (copymark) mode copies the conntrack connmark into the packet's mark field. Without
|
|
Packit Service |
3880ab |
additional parameters it is functionally completely equivalent to the existing
|
|
Packit Service |
3880ab |
connmark action. An optional mask may be specified to mask which bits of the
|
|
Packit Service |
3880ab |
connmark are restored. This may be useful when DSCP and CPMARK modes are combined.
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
Simple statistics (tc -s) on DSCP restores and CPMARK copies are maintained where values for
|
|
Packit Service |
3880ab |
set indicate a count of packets altered for that mode. DSCP includes an error count
|
|
Packit Service |
3880ab |
where the destination packet's diffserv field was unwriteable.
|
|
Packit Service |
3880ab |
.SH PARAMETERS
|
|
Packit Service |
3880ab |
.SS DSCP mode parameters:
|
|
Packit Service |
3880ab |
.IP mask
|
|
Packit Service |
3880ab |
A mask of 6 contiguous bits indicating where the DSCP value is located in the 32 bit
|
|
Packit Service |
3880ab |
conntrack mark field. A mask must be provided for this mode. mask is a 32 bit
|
|
Packit Service |
3880ab |
unsigned value.
|
|
Packit Service |
3880ab |
.IP statemask
|
|
Packit Service |
3880ab |
A mask of at least 1 bit indicating where a conditional restore flag is located in the
|
|
Packit Service |
3880ab |
32 bit conntrack mark field. The statemask bit/s must NOT overlap the mask bits. The
|
|
Packit Service |
3880ab |
DSCP will be restored if the conntrack mark logically ANDed with the statemask yields
|
|
Packit Service |
3880ab |
a non-zero result. statemask is an optional unsigned 32 bit value.
|
|
Packit Service |
3880ab |
.SS CPMARK mode parameters:
|
|
Packit Service |
3880ab |
.IP mask
|
|
Packit Service |
3880ab |
Store the logically ANDed result of conntrack mark and mask into the packet's mark
|
|
Packit Service |
3880ab |
field. Default is 0xffffffff i.e. the whole mark field. mask is an optional unsigned 32 bit
|
|
Packit Service |
3880ab |
value
|
|
Packit Service |
3880ab |
.SS Overall action parameters:
|
|
Packit Service |
3880ab |
.IP zone
|
|
Packit Service |
3880ab |
Specify the conntrack zone when doing conntrack lookups for packets.
|
|
Packit Service |
3880ab |
zone is a 16bit unsigned decimal value.
|
|
Packit Service |
3880ab |
Default is 0.
|
|
Packit Service |
3880ab |
.IP CONTROL
|
|
Packit Service |
3880ab |
The following keywords allow to control how the tree of qdisc, classes,
|
|
Packit Service |
3880ab |
filters and actions is further traversed after this action.
|
|
Packit Service |
3880ab |
.RS
|
|
Packit Service |
3880ab |
.TP
|
|
Packit Service |
3880ab |
.B reclassify
|
|
Packit Service |
3880ab |
Restart with the first filter in the current list.
|
|
Packit Service |
3880ab |
.TP
|
|
Packit Service |
3880ab |
.B pipe
|
|
Packit Service |
3880ab |
Continue with the next action attached to the same filter.
|
|
Packit Service |
3880ab |
.TP
|
|
Packit Service |
3880ab |
.B drop
|
|
Packit Service |
3880ab |
Drop the packet.
|
|
Packit Service |
3880ab |
.TP
|
|
Packit Service |
3880ab |
.B shot
|
|
Packit Service |
3880ab |
synonym for
|
|
Packit Service |
3880ab |
.B drop
|
|
Packit Service |
3880ab |
.TP
|
|
Packit Service |
3880ab |
.B continue
|
|
Packit Service |
3880ab |
Continue classification with the next filter in line.
|
|
Packit Service |
3880ab |
.TP
|
|
Packit Service |
3880ab |
.B pass
|
|
Packit Service |
3880ab |
Finish classification process and return to calling qdisc for further packet
|
|
Packit Service |
3880ab |
processing. This is the default.
|
|
Packit Service |
3880ab |
.RE
|
|
Packit Service |
3880ab |
.IP index
|
|
Packit Service |
3880ab |
Specify an index for this action in order to being able to identify it in later
|
|
Packit Service |
3880ab |
commands. index is a 32bit unsigned decimal value.
|
|
Packit Service |
3880ab |
.SH EXAMPLES
|
|
Packit Service |
3880ab |
Example showing conditional restoration of DSCP on ingress via an IFB
|
|
Packit Service |
3880ab |
.RS
|
|
Packit Service |
3880ab |
.EX
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
#Set up the IFB interface
|
|
Packit Service |
3880ab |
.br
|
|
Packit Service |
3880ab |
tc qdisc add dev ifb4eth0 handle ffff: ingress
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
#Put CAKE qdisc on it
|
|
Packit Service |
3880ab |
.br
|
|
Packit Service |
3880ab |
tc qdisc add dev ifb4eth0 root cake bandwidth 40mbit
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
#Set interface UP
|
|
Packit Service |
3880ab |
.br
|
|
Packit Service |
3880ab |
ip link set dev ifb4eth0 up
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
#Add 2 actions, ctinfo to restore dscp & mirred to redirect the packets to IFB
|
|
Packit Service |
3880ab |
.br
|
|
Packit Service |
3880ab |
tc filter add dev eth0 parent ffff: protocol all prio 10 u32 \\
|
|
Packit Service |
3880ab |
match u32 0 0 flowid 1:1 action \\
|
|
Packit Service |
3880ab |
ctinfo dscp 0xfc000000 0x01000000 \\
|
|
Packit Service |
3880ab |
mirred egress redirect dev ifb4eth0
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
tc -s qdisc show dev eth0 ingress
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
filter parent ffff: protocol all pref 10 u32 chain 0
|
|
Packit Service |
3880ab |
filter parent ffff: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1
|
|
Packit Service |
3880ab |
filter parent ffff: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 not_in_hw
|
|
Packit Service |
3880ab |
match 00000000/00000000 at 0
|
|
Packit Service |
3880ab |
action order 1: ctinfo zone 0 pipe
|
|
Packit Service |
3880ab |
index 2 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 72 sec used 0 sec DSCP set 1333 error 0 CPMARK set 0
|
|
Packit Service |
3880ab |
Action statistics:
|
|
Packit Service |
3880ab |
Sent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0)
|
|
Packit Service |
3880ab |
backlog 0b 0p requeues 0
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
action order 2: mirred (Egress Redirect to device ifb4eth0) stolen
|
|
Packit Service |
3880ab |
index 1 ref 1 bind 1 installed 72 sec used 0 sec
|
|
Packit Service |
3880ab |
Action statistics:
|
|
Packit Service |
3880ab |
Sent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0)
|
|
Packit Service |
3880ab |
backlog 0b 0p requeues 0
|
|
Packit Service |
3880ab |
.EE
|
|
Packit Service |
3880ab |
.RE
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
Example showing conditional restoration of DSCP on egress
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
This may appear nonsensical since iptables marking of egress packets is easy
|
|
Packit Service |
3880ab |
to achieve, however the iptables flow classification rules may be extensive
|
|
Packit Service |
3880ab |
and so some sort of set once and forget may be useful especially on cpu
|
|
Packit Service |
3880ab |
constrained devices.
|
|
Packit Service |
3880ab |
.RS
|
|
Packit Service |
3880ab |
.EX
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
# Send unmarked connections to a marking chain which needs to store a DSCP
|
|
Packit Service |
3880ab |
and set statemask bit in the connmark
|
|
Packit Service |
3880ab |
.br
|
|
Packit Service |
3880ab |
iptables -t mangle -A POSTROUTING -o eth0 -m connmark \\
|
|
Packit Service |
3880ab |
--mark 0x00000000/0x01000000 -g CLASS_MARKING_CHAIN
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
# Apply marked DSCP to the packets
|
|
Packit Service |
3880ab |
.br
|
|
Packit Service |
3880ab |
tc filter add dev eth0 protocol all prio 10 u32 \\
|
|
Packit Service |
3880ab |
match u32 0 0 flowid 1:1 action \\
|
|
Packit Service |
3880ab |
ctinfo dscp 0xfc000000 0x01000000
|
|
Packit Service |
3880ab |
|
|
Packit Service |
3880ab |
tc -s filter show dev eth0
|
|
Packit Service |
3880ab |
filter parent 800e: protocol all pref 10 u32 chain 0
|
|
Packit Service |
3880ab |
filter parent 800e: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1
|
|
Packit Service |
3880ab |
filter parent 800e: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 not_in_hw
|
|
Packit Service |
3880ab |
match 00000000/00000000 at 0
|
|
Packit Service |
3880ab |
action order 1: ctinfo zone 0 pipe
|
|
Packit Service |
3880ab |
index 1 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 7414 sec used 0 sec DSCP set 53404 error 0 CPMARK set 0
|
|
Packit Service |
3880ab |
Action statistics:
|
|
Packit Service |
3880ab |
Sent 32890260 bytes 120441 pkt (dropped 0, overlimits 0 requeues 0)
|
|
Packit Service |
3880ab |
backlog 0b 0p requeues 0
|
|
Packit Service |
3880ab |
.br
|
|
Packit Service |
3880ab |
.RE
|
|
Packit Service |
3880ab |
.SH SEE ALSO
|
|
Packit Service |
3880ab |
.BR tc (8),
|
|
Packit Service |
3880ab |
.BR tc-cake (8)
|
|
Packit Service |
3880ab |
.BR tc-connmark (8)
|
|
Packit Service |
3880ab |
.BR tc-mirred (8)
|
|
Packit Service |
3880ab |
.SH AUTHORS
|
|
Packit Service |
3880ab |
ctinfo was written by Kevin Darbyshire-Bryant.
|