From: Jeremy Sowden <jeremy@azazel.net>
To: Florian Westphal <fw@strlen.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
	Netfilter Devel <netfilter-devel@vger.kernel.org>,
	Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Subject: Re: [RFC PATCH nf-next] netfilter: conntrack: add support for storing DiffServ code-point as CT mark.
Date: Mon, 9 Dec 2019 23:23:39 +0000
Message-ID: <20191209232339.GA655861@azazel.net>
In-Reply-To: <20191209224710.GI795@breakpoint.cc>


On 2019-12-09, at 23:47:10 +0100, Florian Westphal wrote:
> Jeremy Sowden wrote:
> > "ct dscpmark" is a method of storing the DSCP of an ip packet into
> > the conntrack mark.  In combination with a suitable tc filter action
> > (act_ctinfo) DSCP values are able to be stored in the mark on egress
> > and restored on ingress across links that otherwise alter or bleach
> > DSCP.
> >
> > This is useful for qdiscs such as CAKE which are able to shape
> > according to policies based on DSCP.
> >
> > Ingress classification is traditionally a challenging task since
> > iptables rules haven't yet run and tc filter/eBPF programs are
> > pre-NAT lookups, hence are unable to see internal IPv4 addresses as
> > used on the typical home masquerading gateway.
> >
> > The "ct dscpmark" conntrack statement solves the problem of storing
> > the DSCP to the conntrack mark in a way suitable for the new
> > act_ctinfo tc action to restore.
>
> Yes, but if someone else wants to store ip saddr or udp port or
> ifindex or whatever we need to extend this again.
>
> nft should be able to support:
>
> nft add rule inet filter forward ct mark set ip dscp
>
> (nft will reject this because types are different).
>
> Same for
>
> nft add rule inet filter forward ct mark set ip dscp << 16
>
> (nft will claim the shift is unsupported for an 8-bit type).
>
> We need a cast operator for this.  Something like
>
> nft add rule inet filter forward ct mark set typeof(ct mark) ip dscp
>
> or anything else that tells the parser that we really want the
> diffserv value to be assigned to a mark type.
>
> As far as I can see, no kernel changes would be required for this.
>
> A cheap starting point would be to try to get rid of the sanity test
> and make nft just accept the right-hand-side of 'ct mark set', then
> see how to best add a 'do this anyway' override in the grammar.
>
> I have older patches that add a 'typeof' keyword for set definitions,
> maybe it could be used for this casting too.

These?

  https://lore.kernel.org/netfilter-devel/20190816144241.11469-1-fw@strlen.de/

J.
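As an added illustration, not code from this thread, from the nftables patch or from act_ctinfo, here is the save/restore round trip under discussion modelled in C: the packet's DSCP is packed into the conntrack mark at the `<< 16` position Florian's rule uses, and on ingress written back into the TOS byte without disturbing the ECN bits. The 0x003f0000 mask and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this example: the six DSCP bits live at bits 16..21
 * of the 32-bit conntrack mark (i.e. "ip dscp << 16"), the rest of the
 * mark stays free for other policy. */
#define DSCP_MASK 0x003f0000u
#define TOS_ECN   0x03u   /* low two bits of the TOS byte are ECN, not DSCP */

/* Position of the lowest set bit of the mask, so the shift follows the mask. */
static unsigned int mask_shift(uint32_t mask)
{
    unsigned int s = 0;
    if (!mask)
        return 0;
    while (!(mask & 1u)) {
        mask >>= 1;
        s++;
    }
    return s;
}

/* Egress: store the packet's DSCP in the mark, keeping every other mark bit. */
uint32_t ct_mark_store_dscp(uint32_t mark, uint8_t tos)
{
    uint32_t dscp = tos >> 2;   /* DSCP is the top six bits of the TOS byte */
    return (mark & ~DSCP_MASK) | ((dscp << mask_shift(DSCP_MASK)) & DSCP_MASK);
}

/* Ingress: rebuild the TOS byte from the saved DSCP, preserving the ECN bits
 * the packet actually arrived with (a link that bleaches DSCP may still have
 * set ECN, and restoring DSCP must not clobber it). */
uint8_t tos_restore_from_mark(uint32_t mark, uint8_t tos)
{
    uint32_t dscp = (mark & DSCP_MASK) >> mask_shift(DSCP_MASK);
    return (uint8_t)((dscp << 2) | (tos & TOS_ECN));
}

int main(void)
{
    uint32_t mark = 0x00000005u;   /* constructed: pre-existing policy mark */
    uint8_t tos_out = 0xb8;        /* constructed: EF (DSCP 46), ECN 00 */
    uint8_t tos_in = 0x02;         /* constructed: arrived bleached, ECT(0) set */

    mark = ct_mark_store_dscp(mark, tos_out);
    printf("mark=0x%08x restored tos=0x%02x\n",
           mark, tos_restore_from_mark(mark, tos_in));
    return 0;
}
```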
