tc-ctinfo(8) - phpMan


ctinfo action in tc(8)                        Linux                        ctinfo action in tc(8)

NAME
       ctinfo - tc connmark processing action

SYNOPSIS
       tc ... action ctinfo [ dscp MASK [STATEMASK] ] [ cpmark [MASK] ] [ zone ZONE ] [ CONTROL ]
       [ index <INDEX> ]

DESCRIPTION
       CTINFO (Conntrack Information) is a tc action for retrieving  data  from  conntrack  marks
       into  various  fields.   At  present  it has two independent processing modes which may be
       viewed as sub-functions.

       DSCP mode copies a DSCP stored in conntrack's connmark into the IPv4/v6 diffserv field.
       The copying may conditionally occur based on a flag also stored in the connmark. DSCP
       mode was designed to assist in restoring packet classifications on ingress,
       classifications which may then be used by qdiscs such as CAKE. It may be used in any
       circumstance where ingress classification needs to be maintained across links that
       otherwise bleach or remap according to their own policies.

       CPMARK (copymark) mode copies the conntrack connmark into the packet's mark field.
       Without additional parameters it is functionally completely equivalent to the existing
       connmark action. An optional mask may be specified to mask which bits of the connmark
       are restored. This may be useful when DSCP and CPMARK modes are combined.

       Simple statistics (tc -s) on DSCP restores and CPMARK copies are maintained; the value
       shown for set is a count of packets altered by that mode. DSCP also includes an error
       count of packets whose diffserv field was unwritable.

PARAMETERS
   DSCP mode parameters:
       mask   A mask of 6 contiguous bits indicating where the DSCP value is located  in  the  32
              bit conntrack mark field.  A mask must be provided for this mode.  mask is a 32 bit
              unsigned value.

       statemask
              A mask of at least 1 bit indicating where a conditional restore flag is located  in
              the  32  bit  conntrack  mark field.  The statemask bit/s must NOT overlap the mask
              bits.  The DSCP will be restored if the conntrack mark  logically  ANDed  with  the
              statemask  yields  a  non-zero  result.   statemask  is an optional unsigned 32 bit
              value.

   CPMARK mode parameters:
       mask   Store the logically ANDed result of conntrack mark and mask into the packet's mark
              field. Default is 0xffffffff, i.e. the whole mark field. mask is an optional
              unsigned 32 bit value.

   Overall action parameters:
       zone   Specify the conntrack zone when doing conntrack lookups for  packets.   zone  is  a
              16bit unsigned decimal value.  Default is 0.

       CONTROL
              The following keywords control how the tree of qdiscs, classes, filters and
              actions is further traversed after this action.

              reclassify
                     Restart with the first filter in the current list.

              pipe   Continue with the next action attached to the same filter.

              drop   Drop the packet.

              shot   synonym for drop

              continue
                     Continue classification with the next filter in line.

              pass   Finish classification process and return to calling qdisc for further packet
                     processing. This is the default.

       index  Specify an index for this action so that it can be identified in later
              commands. index is a 32bit unsigned decimal value.

EXAMPLES
       Example showing conditional restoration of DSCP on ingress via an IFB

              # Add an ingress qdisc on eth0; the filter below attaches to it (parent ffff:)
              # The IFB device ifb4eth0 is assumed to exist already
              tc qdisc add dev eth0 handle ffff: ingress

              # Put CAKE qdisc on the IFB
              tc qdisc add dev ifb4eth0 root cake bandwidth 40mbit

              # Set interface UP
              ip link set dev ifb4eth0 up

              # Add 2 actions, ctinfo to restore dscp & mirred to redirect the packets to IFB
              tc filter add dev eth0 parent ffff: protocol all prio 10 u32 \
                  match u32 0 0 flowid 1:1 action    \
                  ctinfo dscp 0xfc000000 0x01000000  \
                  mirred egress redirect dev ifb4eth0

              # Show the filter, its actions and their statistics
              tc -s filter show dev eth0 ingress

               filter parent ffff: protocol all pref 10 u32 chain 0
               filter parent ffff: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1
               filter parent ffff: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 not_in_hw
                match 00000000/00000000 at 0
                  action order 1: ctinfo zone 0 pipe
                  index 2 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 72 sec used 0 sec DSCP set 1333 error 0 CPMARK set 0
                  Action statistics:
                  Sent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0)
                  backlog 0b 0p requeues 0

                  action order 2: mirred (Egress Redirect to device ifb4eth0) stolen
                  index 1 ref 1 bind 1 installed 72 sec used 0 sec
                  Action statistics:
                  Sent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0)
                  backlog 0b 0p requeues 0

       Example showing conditional restoration of DSCP on egress

       This may appear nonsensical, since iptables marking of egress packets is easy to achieve.
       However, the iptables flow classification rules may be extensive, so some sort of
       set-once-and-forget approach may be useful, especially on CPU-constrained devices.

              # Send unmarked connections to a marking chain which needs to store a DSCP
              # and set statemask bit in the connmark
              iptables -t mangle -A POSTROUTING -o eth0 -m connmark \
                  --mark 0x00000000/0x01000000 -g CLASS_MARKING_CHAIN

              # Apply marked DSCP to the packets
              tc filter add dev eth0 protocol all prio 10 u32 \
                  match u32 0 0 flowid 1:1 action \
                  ctinfo dscp 0xfc000000 0x01000000

              tc -s filter show dev eth0
               filter parent 800e: protocol all pref 10 u32 chain 0
               filter parent 800e: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1
               filter parent 800e: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 not_in_hw
                match 00000000/00000000 at 0
                  action order 1: ctinfo zone 0 pipe
                  index 1 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 7414 sec used 0 sec DSCP set 53404 error 0 CPMARK set 0
                  Action statistics:
                  Sent 32890260 bytes 120441 pkt (dropped 0, overlimits 0 requeues 0)
                  backlog 0b 0p requeues 0
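
       The marking chain in the egress example has to write the DSCP and the statemask flag
       into the connmark in the layout that ctinfo later reads. The helpers below are an added
       example, not part of the original man page or of iproute2: they check a mask/statemask
       pair against the PARAMETERS rules and convert between a DSCP and the connmark bits.
       The function names are hypothetical, and treating an omitted statemask as an
       unconditional restore is an assumption.

```shell
#!/bin/bash
# Added example (not from the man page): helpers for the DSCP-mode connmark layout.

# Succeed only if MASK is 6 contiguous bits and STATEMASK does not overlap it.
ctinfo_check_masks() {
    local mask=$(( $1 )) state=$(( ${2:-0} ))
    [ "$mask" -gt 0 ] && [ "$mask" -le $(( 0xffffffff )) ] || return 1
    [ "$state" -ge 0 ] && [ "$state" -le $(( 0xffffffff )) ] || return 1
    local low=$(( mask & -mask ))                  # lowest set bit of MASK
    [ $(( mask / low )) -eq 63 ] || return 1       # 0x3f: exactly 6 adjacent bits
    [ $(( mask & state )) -eq 0 ]                  # flag bits must sit elsewhere
}

# Print VALUE/MASK for a marking rule (for example CONNMARK --set-xmark) that
# stores DSCP (0-63) plus the restore flag without touching other connmark bits.
ctinfo_encode() {
    local dscp=$(( $1 )) mask=$(( $2 )) state=$(( ${3:-0} ))
    ctinfo_check_masks "$mask" "$state" || return 1
    [ "$dscp" -ge 0 ] && [ "$dscp" -le 63 ] || return 1
    local low=$(( mask & -mask ))
    printf '0x%08x/0x%08x\n' $(( dscp * low | state )) $(( mask | state ))
}

# Print the DSCP ctinfo would write for connmark MARK, or "skip" when a
# statemask is given and none of its bits are set in MARK.
# Assumption: with no statemask the restore is unconditional.
ctinfo_decode() {
    local mark=$(( $1 )) mask=$(( $2 )) state=$(( ${3:-0} ))
    ctinfo_check_masks "$mask" "$state" || return 1
    if [ "$state" -ne 0 ] && [ $(( mark & state )) -eq 0 ]; then
        echo skip
        return 0
    fi
    echo $(( (mark & mask) / (mask & -mask) ))
}

# Constructed sample: DSCP 46 (EF) with the masks used in the examples above.
ctinfo_encode 46 0xfc000000 0x01000000            # prints 0xb9000000/0xfd000000
ctinfo_decode 0xb9000000 0xfc000000 0x01000000    # prints 46
ctinfo_decode 0xb8000000 0xfc000000 0x01000000    # prints skip
```

       The VALUE/MASK pair clears and rewrites only the DSCP and flag bits, so any CPMARK bits
       kept elsewhere in the connmark are left untouched.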

SEE ALSO
       tc(8), tc-cake(8), tc-connmark(8), tc-mirred(8)

AUTHORS
       ctinfo was written by Kevin Darbyshire-Bryant.

iproute2                                    4 Jun 2019                     ctinfo action in tc(8)
