1ctinfo action in tc(8) Linux ctinfo action in tc(8)
2
6 ctinfo - tc connmark processing action
7
9 tc ... action ctinfo [ dscp MASK [STATEMASK] ] [ cpmark [MASK] ] [ zone
10 ZONE ] [ CONTROL ] [ index <INDEX> ]
11
14 CTINFO (Conntrack Information) is a tc action for retrieving data from
15 conntrack marks into various fields. At present it has two independent
16 processing modes which may be viewed as sub-functions.
17 DSCP mode copies a DSCP stored in conntrack's connmark into the IPv4/v6
19 diffserv field. The copying may conditionally occur based on a flag
20 also stored in the connmark. DSCP mode was designed to assist in
21 restoring packet classifications on ingress, classifications which may
22 then be used by qdiscs such as CAKE. It may be used in any circum‐
23 stance where ingress classification needs to be maintained across links
24 that otherwise bleach or remap according to their own policies.
25 CPMARK (copymark) mode copies the conntrack connmark into the packet's
27 mark field. Without additional parameters it is functionally com‐
28 pletely equivalent to the existing connmark action. An optional mask
29 may be specified to mask which bits of the connmark are restored. This
30 may be useful when DSCP and CPMARK modes are combined.
31 Simple statistics (tc -s) on DSCP restores and CPMARK copies are main‐
33 tained where values for set indicate a count of packets altered for
34 that mode. DSCP includes an error count where the destination packet's
35 diffserv field was unwriteable.
36
38 DSCP mode parameters:
39 mask A mask of 6 contiguous bits indicating where the DSCP value is
40 located in the 32 bit conntrack mark field. A mask must be pro‐
41 vided for this mode. mask is a 32 bit unsigned value.
42 statemask
44 A mask of at least 1 bit indicating where a conditional restore
45 flag is located in the 32 bit conntrack mark field. The
46 statemask bit/s must NOT overlap the mask bits. The DSCP will
47 be restored if the conntrack mark logically ANDed with the
48 statemask yields a non-zero result. statemask is an optional
49 unsigned 32 bit value.
50 CPMARK mode parameters:
52 mask Store the logically ANDed result of conntrack mark and mask into
53 the packet's mark field. Default is 0xffffffff i.e. the whole
54 mark field. mask is an optional unsigned 32 bit value
55 Overall action parameters:
57 zone Specify the conntrack zone when doing conntrack lookups for
58 packets. zone is a 16bit unsigned decimal value. Default is 0.
59 CONTROL
61 The following keywords allow to control how the tree of qdisc,
62 classes, filters and actions is further traversed after this
63 action.
64 reclassify
66 Restart with the first filter in the current list.
67 pipe Continue with the next action attached to the same fil‐
69 ter.
70 drop Drop the packet.
72 shot synonym for drop
74 continue
76 Continue classification with the next filter in line.
77 pass Finish classification process and return to calling qdisc
79 for further packet processing. This is the default.
80 index Specify an index for this action in order to being able to iden‐
82 tify it in later commands. index is a 32bit unsigned decimal
83 value.
84
86 Example showing conditional restoration of DSCP on ingress via an IFB
87 #Set up the IFB interface
89 tc qdisc add dev ifb4eth0 handle ffff: ingress
90 #Put CAKE qdisc on it
92 tc qdisc add dev ifb4eth0 root cake bandwidth 40mbit
93 #Set interface UP
95 ip link set dev ifb4eth0 up
96 #Add 2 actions, ctinfo to restore dscp & mirred to redirect the packets to IFB
98 tc filter add dev eth0 parent ffff: protocol all prio 10 u32 \
99 match u32 0 0 flowid 1:1 action \
100 ctinfo dscp 0xfc000000 0x01000000 \
101 mirred egress redirect dev ifb4eth0
102 tc -s qdisc show dev eth0 ingress
104 filter parent ffff: protocol all pref 10 u32 chain 0
106 filter parent ffff: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1
107 filter parent ffff: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 not_in_hw
108 match 00000000/00000000 at 0
109 action order 1: ctinfo zone 0 pipe
110 index 2 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 72 sec used 0 sec DSCP set 1333 error 0 CPMARK set 0
111 Action statistics:
112 Sent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0)
113 backlog 0b 0p requeues 0
114 action order 2: mirred (Egress Redirect to device ifb4eth0) stolen
116 index 1 ref 1 bind 1 installed 72 sec used 0 sec
117 Action statistics:
118 Sent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0)
119 backlog 0b 0p requeues 0
120 Example showing conditional restoration of DSCP on egress
122 This may appear nonsensical since iptables marking of egress packets is
124 easy to achieve, however the iptables flow classification rules may be
125 extensive and so some sort of set once and forget may be useful espe‐
126 cially on cpu constrained devices.
127 # Send unmarked connections to a marking chain which needs to store a DSCP
129 and set statemask bit in the connmark
130 iptables -t mangle -A POSTROUTING -o eth0 -m connmark \
131 --mark 0x00000000/0x01000000 -g CLASS_MARKING_CHAIN
132 # Apply marked DSCP to the packets
134 tc filter add dev eth0 protocol all prio 10 u32 \
135 match u32 0 0 flowid 1:1 action \
136 ctinfo dscp 0xfc000000 0x01000000
137 tc -s filter show dev eth0
139 filter parent 800e: protocol all pref 10 u32 chain 0
140 filter parent 800e: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1
141 filter parent 800e: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 not_in_hw
142 match 00000000/00000000 at 0
143 action order 1: ctinfo zone 0 pipe
144 index 1 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 7414 sec used 0 sec DSCP set 53404 error 0 CPMARK set 0
145 Action statistics:
146 Sent 32890260 bytes 120441 pkt (dropped 0, overlimits 0 requeues 0)
147 backlog 0b 0p requeues 0
148
150 tc(8), tc-cake(8) tc-connmark(8) tc-mirred(8)
151
153 ctinfo was written by Kevin Darbyshire-Bryant.
154iproute2 4 Jun 2019 ctinfo action in tc(8)