.TH "ctinfo action in tc" 8 "4 Jun 2019" "iproute2" "Linux"

.SH NAME

ctinfo \- tc connmark processing action

.SH SYNOPSIS

.B tc ... action ctinfo

[

.B dscp

MASK [STATEMASK] ] [

.B cpmark

[MASK] ] [

.B zone

ZONE ] [

.B CONTROL

] [

.B index

<INDEX>

]

.SH DESCRIPTION

CTINFO (Conntrack Information) is a tc action for retrieving data from

conntrack marks into various fields.  At present it has two independent

processing modes which may be viewed as sub-functions.

DSCP mode copies a DSCP stored in conntrack's connmark into the IPv4/v6 diffserv

field.  The copying may conditionally occur based on a flag also stored in the

connmark.  DSCP mode was designed to assist in restoring packet classifications on

ingress, classifications which may then be used by qdiscs such as CAKE.  It may be

used in any circumstance where ingress classification needs to be maintained across

links that otherwise bleach or remap according to their own policies.

CPMARK (copymark) mode copies the conntrack connmark into the packet's mark field.  Without

additional parameters it is functionally completely equivalent to the existing

connmark action.  An optional mask may be specified to mask which bits of the

connmark are restored.  This may be useful when DSCP and CPMARK modes are combined.

Simple statistics (tc -s) on DSCP restores and CPMARK copies are maintained where values for

set indicate a count of packets altered for that mode.  DSCP includes an error count

where the destination packet's diffserv field was unwriteable.

.SH PARAMETERS

.SS DSCP mode parameters:

.IP mask

A mask of 6 contiguous bits indicating where the DSCP value is located in the 32 bit

conntrack mark field.  A mask must be provided for this mode.  mask is a 32 bit

unsigned value.

.IP statemask

A mask of at least 1 bit indicating where a conditional restore flag is located in the

32 bit conntrack mark field.  The statemask bit/s must NOT overlap the mask bits.  The

DSCP will be restored if the conntrack mark logically ANDed with the statemask yields

a non-zero result.  statemask is an optional unsigned 32 bit value.

.SS CPMARK mode parameters:

.IP mask

Store the logically ANDed result of conntrack mark and mask into the packet's mark

field.  Default is 0xffffffff i.e. the whole mark field.  mask is an optional unsigned 32 bit

value

.SS Overall action parameters:

.IP zone

Specify the conntrack zone when doing conntrack lookups for packets.

zone is a 16bit unsigned decimal value.

Default is 0.

.IP CONTROL

The following keywords allow to control how the tree of qdisc, classes,

filters and actions is further traversed after this action.

.RS

.TP

.B reclassify

Restart with the first filter in the current list.

.TP

.B pipe

Continue with the next action attached to the same filter.

.TP

.B drop

Drop the packet.

.TP

.B shot

synonym for

.B drop

.TP

.B continue

Continue classification with the next filter in line.

.TP

.B pass

Finish classification process and return to calling qdisc for further packet

processing. This is the default.

.RE

.IP index

Specify an index for this action in order to being able to identify it in later

commands. index is a 32bit unsigned decimal value.

.SH EXAMPLES

Example showing conditional restoration of DSCP on ingress via an IFB

.RS

.EX

#Set up the IFB interface

.br

tc qdisc add dev ifb4eth0 handle ffff: ingress

#Put CAKE qdisc on it

.br

tc qdisc add dev ifb4eth0 root cake bandwidth 40mbit

#Set interface UP

.br

ip link set dev ifb4eth0 up

#Add 2 actions, ctinfo to restore dscp & mirred to redirect the packets to IFB

.br

tc filter add dev eth0 parent ffff: protocol all prio 10 u32 \\

    match u32 0 0 flowid 1:1 action    \\

    ctinfo dscp 0xfc000000 0x01000000  \\

    mirred egress redirect dev ifb4eth0

tc -s qdisc show dev eth0 ingress

 filter parent ffff: protocol all pref 10 u32 chain 0

 filter parent ffff: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1

 filter parent ffff: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 not_in_hw

  match 00000000/00000000 at 0

    action order 1: ctinfo zone 0 pipe

    index 2 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 72 sec used 0 sec DSCP set 1333 error 0 CPMARK set 0

    Action statistics:

    Sent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0)

    backlog 0b 0p requeues 0

    action order 2: mirred (Egress Redirect to device ifb4eth0) stolen

    index 1 ref 1 bind 1 installed 72 sec used 0 sec

    Action statistics:

    Sent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0)

    backlog 0b 0p requeues 0

.EE

.RE

Example showing conditional restoration of DSCP on egress

This may appear nonsensical since iptables marking of egress packets is easy

to achieve, however the iptables flow classification rules may be extensive

and so some sort of set once and forget may be useful especially on cpu

constrained devices.

.RS

.EX

# Send unmarked connections to a marking chain which needs to store a DSCP

and set statemask bit in the connmark

.br

iptables -t mangle -A POSTROUTING -o eth0 -m connmark \\

    --mark 0x00000000/0x01000000 -g CLASS_MARKING_CHAIN

# Apply marked DSCP to the packets

.br

tc filter add dev eth0 protocol all prio 10 u32 \\

    match u32 0 0 flowid 1:1 action \\

    ctinfo dscp 0xfc000000 0x01000000

tc -s filter show dev eth0

 filter parent 800e: protocol all pref 10 u32 chain 0

 filter parent 800e: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1

 filter parent 800e: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 not_in_hw

  match 00000000/00000000 at 0

    action order 1: ctinfo zone 0 pipe

    index 1 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 7414 sec used 0 sec DSCP set 53404 error 0 CPMARK set 0

    Action statistics:

    Sent 32890260 bytes 120441 pkt (dropped 0, overlimits 0 requeues 0)

    backlog 0b 0p requeues 0

.br

.RE

.SH SEE ALSO

.BR tc (8),

.BR tc-cake (8)

.BR tc-connmark (8)

.BR tc-mirred (8)

.SH AUTHORS

ctinfo was written by Kevin Darbyshire-Bryant.