From: Jeremy Sowden <email@example.com>
To: Florian Westphal <firstname.lastname@example.org>
Cc: Pablo Neira Ayuso <email@example.com>, Netfilter Devel <firstname.lastname@example.org>, Kevin Darbyshire-Bryant <email@example.com>
Subject: Re: [RFC PATCH nf-next] netfilter: conntrack: add support for storing DiffServ code-point as CT mark.
Date: Mon, 9 Dec 2019 23:23:39 +0000
Message-ID: <20191209232339.GA655861@azazel.net>
In-Reply-To: <20191209224710.GI795@breakpoint.cc>

On 2019-12-09, at 23:47:10 +0100, Florian Westphal wrote:
> Jeremy Sowden wrote:
> > "ct dscpmark" is a method of storing the DSCP of an ip packet into
> > the conntrack mark. In combination with a suitable tc filter action
> > (act_ctinfo) DSCP values are able to be stored in the mark on egress
> > and restored on ingress across links that otherwise alter or bleach
> > DSCP.
> >
> > This is useful for qdiscs such as CAKE which are able to shape
> > according to policies based on DSCP.
> >
> > Ingress classification is traditionally a challenging task since
> > iptables rules haven't yet run and tc filter/eBPF programs are
> > pre-NAT lookups, hence are unable to see internal IPv4 addresses as
> > used on the typical home masquerading gateway.
> >
> > The "ct dscpmark" conntrack statement solves the problem of storing
> > the DSCP to the conntrack mark in a way suitable for the new
> > act_ctinfo tc action to restore.
>
> Yes, but if someone else wants to store ip saddr or udp port or
> ifindex or whatever we need to extend this again.
>
> nft should be able to support:
>
> nft add rule inet filter forward ct mark set ip dscp
>
> (nft will reject this because types are different).
>
> Same for
>
> nft add rule inet filter forward ct mark set ip dscp << 16
>
> (nft will claim the shift is unsupported for an 8 bit type).
>
> We need a cast operator for this. Something like
>
> nft add rule inet filter forward ct mark set typeof(ct mark) ip dscp
>
> or anything else that tells the parser that we really want the
> diffserv value to be assigned to a mark type.
>
> As far as I can see, no kernel changes would be required for this.
>
> A cheap starting point would be to try to get rid of the sanity test
> and make nft just accept the right-hand-side of 'ct mark set', then
> see how to best add a 'do this anyway' override in the grammar.
>
> I have older patches that add a 'typeof' keyword for set definitions,
> maybe it could be used for this casting too.

These? https://firstname.lastname@example.org/

J.
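An added illustration of the mark layout the thread is discussing (this is example code, not part of the thread, the kernel, nftables or act_ctinfo): it assumes the `ip dscp << 16` placement Florian mentions, i.e. the 6-bit DSCP in bits 16..21 of the 32-bit ct mark, and the function names are hypothetical. It contrasts an unmasked store, which clobbers any other bits a rule set keeps in ct mark, with a masked store, and shows the ingress restore keeping the ECN bits of the TOS byte.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (constructed for this example, not the kernel's own):
 * the 6-bit DSCP lives in bits 16..21 of the 32-bit ct mark, which is
 * what "ct mark set ip dscp << 16" would produce. */
#define DSCP_SHIFT 16u
#define DSCP_BITS  0x3fu
#define DSCP_MASK  (DSCP_BITS << DSCP_SHIFT)

/* Naive egress store: overwrites the whole mark, so any other bits
 * another rule set keeps in ct mark are silently lost. */
uint32_t ct_mark_store_dscp_naive(uint32_t mark, uint8_t dscp)
{
    (void)mark;
    return (uint32_t)(dscp & DSCP_BITS) << DSCP_SHIFT;
}

/* Masked egress store: only the DSCP field of the mark changes. */
uint32_t ct_mark_store_dscp(uint32_t mark, uint8_t dscp)
{
    return (mark & ~DSCP_MASK) | ((uint32_t)(dscp & DSCP_BITS) << DSCP_SHIFT);
}

/* Ingress: recover the DSCP that was saved on egress. */
uint8_t ct_mark_load_dscp(uint32_t mark)
{
    return (uint8_t)((mark & DSCP_MASK) >> DSCP_SHIFT);
}

/* Rewrite a bleached packet's IPv4 TOS byte from the mark, keeping the
 * two ECN bits, which are not part of the DSCP and must survive. */
uint8_t tos_restore_dscp(uint8_t tos, uint32_t mark)
{
    return (uint8_t)((ct_mark_load_dscp(mark) << 2) | (tos & 0x03u));
}

int main(void)
{
    uint32_t mark = 0x0000ffffu; /* constructed: low 16 bits used by another rule set */
    uint8_t dscp = 0x2e;         /* EF (46) on the outbound packet */

    printf("naive : %#010x\n", ct_mark_store_dscp_naive(mark, dscp)); /* low bits gone */
    printf("masked: %#010x\n", ct_mark_store_dscp(mark, dscp));       /* 0x002effff */
    /* Inbound reply arrived bleached to DSCP 0 with ECN bits 0b10. */
    printf("tos   : %#04x\n", tos_restore_dscp(0x02, ct_mark_store_dscp(mark, dscp)));
    return 0;
}
```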