Blob Blame History Raw
.TH "ctinfo action in tc" 8 "4 Jun 2019" "iproute2" "Linux"
.SH NAME
ctinfo \- tc connmark processing action
.SH SYNOPSIS
.B tc ... action ctinfo
[
.B dscp
MASK [STATEMASK] ] [
.B cpmark
[MASK] ] [
.B zone
ZONE ] [
.B CONTROL
] [
.B index
<INDEX>
]

.SH DESCRIPTION
CTINFO (Conntrack Information) is a tc action for retrieving data from
conntrack marks into various fields.  At present it has two independent
processing modes which may be viewed as sub-functions.

DSCP mode copies a DSCP stored in conntrack's connmark into the IPv4/v6 diffserv
field.  The copying may conditionally occur based on a flag also stored in the
connmark.  DSCP mode was designed to assist in restoring packet classifications on
ingress, classifications which may then be used by qdiscs such as CAKE.  It may be
used in any circumstance where ingress classification needs to be maintained across
links that otherwise bleach or remap according to their own policies.

CPMARK (copymark) mode copies the conntrack connmark into the packet's mark field.  Without
additional parameters it is functionally completely equivalent to the existing
connmark action.  An optional mask may be specified to mask which bits of the
connmark are restored.  This may be useful when DSCP and CPMARK modes are combined.

Simple statistics (tc -s) on DSCP restores and CPMARK copies are maintained where values for
set indicate a count of packets altered for that mode.  DSCP includes an error count
where the destination packet's diffserv field was unwriteable.
.SH PARAMETERS
.SS DSCP mode parameters:
.IP mask
A mask of 6 contiguous bits indicating where the DSCP value is located in the 32 bit
conntrack mark field.  A mask must be provided for this mode.  mask is a 32 bit
unsigned value.
.IP statemask
A mask of at least 1 bit indicating where a conditional restore flag is located in the
32 bit conntrack mark field.  The statemask bit/s must NOT overlap the mask bits.  The
DSCP will be restored if the conntrack mark logically ANDed with the statemask yields
a non-zero result.  statemask is an optional unsigned 32 bit value.
.SS CPMARK mode parameters:
.IP mask
Store the logically ANDed result of conntrack mark and mask into the packet's mark
field.  Default is 0xffffffff i.e. the whole mark field.  mask is an optional unsigned 32 bit
value
.SS Overall action parameters:
.IP zone
Specify the conntrack zone when doing conntrack lookups for packets.
zone is a 16bit unsigned decimal value.
Default is 0.
.IP CONTROL
The following keywords allow to control how the tree of qdisc, classes,
filters and actions is further traversed after this action.
.RS
.TP
.B reclassify
Restart with the first filter in the current list.
.TP
.B pipe
Continue with the next action attached to the same filter.
.TP
.B drop
Drop the packet.
.TP
.B shot
synonym for
.B drop
.TP
.B continue
Continue classification with the next filter in line.
.TP
.B pass
Finish classification process and return to calling qdisc for further packet
processing. This is the default.
.RE
.IP index
Specify an index for this action in order to being able to identify it in later
commands. index is a 32bit unsigned decimal value.
.SH EXAMPLES
Example showing conditional restoration of DSCP on ingress via an IFB
.RS
.EX

#Set up the IFB interface
.br
tc qdisc add dev ifb4eth0 handle ffff: ingress

#Put CAKE qdisc on it
.br
tc qdisc add dev ifb4eth0 root cake bandwidth 40mbit

#Set interface UP
.br
ip link set dev ifb4eth0 up

#Add 2 actions, ctinfo to restore dscp & mirred to redirect the packets to IFB
.br
tc filter add dev eth0 parent ffff: protocol all prio 10 u32 \\
    match u32 0 0 flowid 1:1 action    \\
    ctinfo dscp 0xfc000000 0x01000000  \\
    mirred egress redirect dev ifb4eth0

tc -s qdisc show dev eth0 ingress

 filter parent ffff: protocol all pref 10 u32 chain 0
 filter parent ffff: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1
 filter parent ffff: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 not_in_hw
  match 00000000/00000000 at 0
    action order 1: ctinfo zone 0 pipe
    index 2 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 72 sec used 0 sec DSCP set 1333 error 0 CPMARK set 0
    Action statistics:
    Sent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0)
    backlog 0b 0p requeues 0

    action order 2: mirred (Egress Redirect to device ifb4eth0) stolen
    index 1 ref 1 bind 1 installed 72 sec used 0 sec
    Action statistics:
    Sent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0)
    backlog 0b 0p requeues 0
.EE
.RE

Example showing conditional restoration of DSCP on egress

This may appear nonsensical since iptables marking of egress packets is easy
to achieve, however the iptables flow classification rules may be extensive
and so some sort of set once and forget may be useful especially on cpu
constrained devices.
.RS
.EX

# Send unmarked connections to a marking chain which needs to store a DSCP
and set statemask bit in the connmark
.br
iptables -t mangle -A POSTROUTING -o eth0 -m connmark \\
    --mark 0x00000000/0x01000000 -g CLASS_MARKING_CHAIN

# Apply marked DSCP to the packets
.br
tc filter add dev eth0 protocol all prio 10 u32 \\
    match u32 0 0 flowid 1:1 action \\
    ctinfo dscp 0xfc000000 0x01000000

tc -s filter show dev eth0
 filter parent 800e: protocol all pref 10 u32 chain 0
 filter parent 800e: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1
 filter parent 800e: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 not_in_hw
  match 00000000/00000000 at 0
    action order 1: ctinfo zone 0 pipe
    index 1 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 7414 sec used 0 sec DSCP set 53404 error 0 CPMARK set 0
    Action statistics:
    Sent 32890260 bytes 120441 pkt (dropped 0, overlimits 0 requeues 0)
    backlog 0b 0p requeues 0
.br
.RE
.SH SEE ALSO
.BR tc (8),
.BR tc-cake (8)
.BR tc-connmark (8)
.BR tc-mirred (8)
.SH AUTHORS
ctinfo was written by Kevin Darbyshire-Bryant.