From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 12/17] QoS: Use CLASSIFY iptables target instead of MARK
Date: Mon, 14 Oct 2019 16:46:22 +0000
Message-ID: <20191014164627.18516-12-michael.tremer@ipfire.org>
In-Reply-To: <20191014164627.18516-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0281791325189072404=="
List-Id: <development.lists.ipfire.org>

--===============0281791325189072404==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

We have been running into loads of conflicts by using MARK for
various components on the OS (suricata, IPsec, QoS, ...) which
was sometimes hard to resolve.

iptables comes with a target which directly sorts packets into
the correct class which results in less code and not using the
mark.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/qos/makeqosscripts.pl | 41 ++++++++++++++----------------------
 1 file changed, 16 insertions(+), 25 deletions(-)

diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index 1d6930baa..7d680151b 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -262,34 +262,34 @@ print <<END
=20
 	### MARK ACKs
 	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j TOS --set-t=
os 4
-	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j MARK --set-=
mark $qossettings{'ACK'}
+	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j CLASSIFY --=
set-class 1:$qossettings{'ACK'}
 	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j RETURN
=20
-	iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j MARK --s=
et-mark $qossettings{'ACK'}
+	iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j CLASSIFY=
 --set-class 1:$qossettings{'ACK'}
 	iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j RETURN
=20
 	iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j TOS =
--set-tos 4
-	iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j MARK=
 --set-mark $qossettings{'ACK'}
+	iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j CLAS=
SIFY --set-class 1:$qossettings{'ACK'}
 	iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j RETU=
RN
=20
 	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --le=
ngth 40:68 -j TOS --set-tos 4
-	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --le=
ngth 40:68 -j MARK --set-mark $qossettings{'ACK'}
+	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --le=
ngth 40:68 -j CLASSIFY --set-class 1:$qossettings{'ACK'}
 	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --le=
ngth 40:68 -j RETURN
=20
 	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length=
 40:100 -j TOS --set-tos 4
-	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length=
 40:100 -j MARK --set-mark $qossettings{'ACK'}
+	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length=
 40:100 -j CLASSIFY --set-class 1:$qossettings{'ACK'}
 	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length=
 40:100 -j RETURN
=20
 	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j TOS --set-tos 4
-	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j MARK --set-mark=
 $qossettings{'ACK'}
+	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j CLASSIFY --set-=
class 1:$qossettings{'ACK'}
 	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j RETURN
=20
 	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j TOS --set-t=
os 4
-	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j MARK --set-=
mark $qossettings{'ACK'}
+	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j CLASSIFY --=
set-class 1:$qossettings{'ACK'}
 	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j RETURN
=20
 	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j TOS --set-t=
os 4
-	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j MARK --set-=
mark $qossettings{'ACK'}
+	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j CLASSIFY --=
set-class 1:$qossettings{'ACK'}
 	iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j RETURN
=20
 	### SET TOS
@@ -302,7 +302,7 @@ END
 		$qossettings{'TOS'} =3D abs $tosruleline[2] * 2;
   		if ( $tosruleline[1] eq $qossettings{'RED_DEV'} )
   		{
-			print "\tiptables -t mangle -A QOS-OUT -m tos --tos $qossettings{'TOS'} -=
j MARK --set-mark $qossettings{'CLASS'}\n";
+			print "\tiptables -t mangle -A QOS-OUT -m tos --tos $qossettings{'TOS'} -=
j CLASSIFY --set-class 1:$qossettings{'CLASS'}\n";
 			print "\tiptables -t mangle -A QOS-OUT -m tos --tos $qossettings{'TOS'} -=
j RETURN\n";
 		}
 	}
@@ -337,7 +337,7 @@ print "\n\t### SET PORT-RULES\n";
 			if ($qossettings{'DPORT'} ne ''){
 				print "--dport $qossettings{'DPORT'} ";
 			}
-			print "-j MARK --set-mark $qossettings{'CLASS'}\n";
+			print "-j CLASSIFY --set-class 1:$qossettings{'CLASS'}\n";
 			print "\tiptables -t mangle -A QOS-OUT ";
 			if ($qossettings{'QIP'} ne ''){
 				print "-s $qossettings{'QIP'} ";
@@ -381,7 +381,7 @@ END
 			if ($qossettings{'DIP'} ne ''){
 				print "-d $qossettings{'DIP'} ";
 			}
-			print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettin=
gs{'L7PROT'} -j MARK --set-mark $qossettings{'CLASS'}\n";
+			print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettin=
gs{'L7PROT'} -j CLASSIFY --set-class 1:$qossettings{'CLASS'}\n";
   			print "\tiptables -t mangle -A QOS-OUT ";
 			if ($qossettings{'QIP'} ne ''){
 				print "-s $qossettings{'QIP'} ";
@@ -396,7 +396,7 @@ END
 print <<END
=20
 	### REDUNDANT: SET ALL NONMARKED PACKETS TO DEFAULT CLASS
-	iptables -t mangle -A QOS-OUT -m mark --mark 0 -j MARK --set-mark $qossetti=
ngs{'DEFCLASS_OUT'}
+	iptables -t mangle -A QOS-OUT -j CLASSIFY --set-class 1:$qossettings{'DEFCL=
ASS_OUT'}
=20
 	###
 	### $qossettings{'IMQ_DEV'}
@@ -511,9 +511,6 @@ print <<END
=20
 	### ADD QOS-INC CHAIN TO THE MANGLE TABLE IN IPTABLES
 	iptables -t mangle -N QOS-INC
-	iptables -t mangle -A PREROUTING -i $qossettings{'RED_DEV'} -p ah -j RETURN
-	iptables -t mangle -A PREROUTING -i $qossettings{'RED_DEV'} -p esp -j RETURN
-	iptables -t mangle -A PREROUTING -i $qossettings{'RED_DEV'} -p ip -j RETURN
 	iptables -t mangle -A FORWARD -i $qossettings{'RED_DEV'} -j QOS-INC
 	iptables -t mangle -A FORWARD -i $qossettings{'RED_DEV'} -j QOS-TOS
=20
@@ -527,7 +524,7 @@ END
 		$qossettings{'TOS'} =3D abs $tosruleline[2] * 2;
   		if ( $tosruleline[1] eq $qossettings{'IMQ_DEV'} )
   		{
-			print "\tiptables -t mangle -A QOS-INC -m tos --tos $qossettings{'TOS'} -=
j MARK --set-mark $qossettings{'CLASS'}\n";
+			print "\tiptables -t mangle -A QOS-INC -m tos --tos $qossettings{'TOS'} -=
j CLASSIFY --set-class 2:$qossettings{'CLASS'}\n";
 			print "\tiptables -t mangle -A QOS-INC -m tos --tos $qossettings{'TOS'} -=
j RETURN\n";
 		}
=20
@@ -563,7 +560,7 @@ print "\n\t### SET PORT-RULES\n";
 			if ($qossettings{'DPORT'} ne ''){
 				print "--dport $qossettings{'DPORT'} ";
 			}
-			print "-j MARK --set-mark $qossettings{'CLASS'}\n";
+			print "-j CLASSIFY --set-class 2:$qossettings{'CLASS'}\n";
 			print "\tiptables -t mangle -A QOS-INC ";
 			if ($qossettings{'QIP'} ne ''){
 				print "-s $qossettings{'QIP'} ";
@@ -607,7 +604,7 @@ END
 			if ($qossettings{'DIP'} ne ''){
 				print "-d $qossettings{'DIP'} ";
 			}
-			print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettin=
gs{'L7PROT'} -j MARK --set-mark $qossettings{'CLASS'}\n";
+			print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettin=
gs{'L7PROT'} -j CLASSIFY --set-class 2:$qossettings{'CLASS'}\n";
   			print "\tiptables -t mangle -A QOS-INC ";
 			if ($qossettings{'QIP'} ne ''){
 				print "-s $qossettings{'QIP'} ";
@@ -621,7 +618,7 @@ END
=20
 print <<END
 	### REDUNDANT: SET ALL NONMARKED PACKETS TO DEFAULT CLASS
-	iptables -t mangle -A QOS-INC -m mark --mark 0 -j MARK --set-mark $qossetti=
ngs{'DEFCLASS_INC'}
+	iptables -t mangle -A QOS-INC -j CLASSIFY --set-class 2:$qossettings{'DEFCL=
ASS_INC'}
=20
 	### SETTING TOS BITS
 END
@@ -677,12 +674,6 @@ print <<END
 	ip link del $qossettings{'IMQ_DEV'} >/dev/null 2>&1
=20
 	# REMOVE & FLUSH CHAINS
-	iptables -t mangle --delete POSTROUTING -i $qossettings{'RED_DEV'} -p ah -j=
 RETURN >/dev/null 2>&1
-	iptables -t mangle --delete POSTROUTING -i $qossettings{'RED_DEV'} -p esp -=
j RETURN >/dev/null 2>&1
-	iptables -t mangle --delete POSTROUTING -i $qossettings{'RED_DEV'} -p ip -j=
 RETURN >/dev/null 2>&1
-	iptables -t mangle --delete PREROUTING -i $qossettings{'RED_DEV'} -p ah -j =
RETURN >/dev/null 2>&1
-	iptables -t mangle --delete PREROUTING -i $qossettings{'RED_DEV'} -p esp -j=
 RETURN >/dev/null 2>&1
-	iptables -t mangle --delete PREROUTING -i $qossettings{'RED_DEV'} -p ip -j =
RETURN >/dev/null 2>&1
 	iptables -t mangle --delete POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-O=
UT >/dev/null 2>&1
 	iptables -t mangle --delete POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-T=
OS >/dev/null 2>&1
 	iptables -t mangle --delete FORWARD -i $qossettings{'RED_DEV'} -j QOS-INC >=
/dev/null 2>&1
--=20
2.20.1


--===============0281791325189072404==--