* [PATCH 1/6] firewall: Only check relevant bits for NAT fix rules
From: Michael Tremer @ 2021-10-04 17:52 UTC (permalink / raw)
To: development
In order to use the highest two bits for suricata bypass, we will need
to make sure that whenever we compare any other marks, we do not care
about anything else.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/firewall/rules.pl | 11 +++++++----
src/initscripts/system/firewall | 8 +++++---
2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 0dd1c9024..9d280045a 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -55,6 +55,9 @@ my @PRIVATE_NETWORKS = (
"100.64.0.0/10",
);
+# MARK masks
+my $NAT_MASK = 0x0f000000;
+
my %fwdfwsettings=();
my %fwoptions = ();
my %defaultNetworks=();
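Review bot: `# MARK masks` does not record what the 0x0f000000 nibble carries or who else depends on it, while the matching literals 0x01000000/0x02000000/0x04000000 live in src/initscripts/system/firewall. Suggest `# MARK layout: bits 24-27 carry the zone for the NAT fix (GREEN=0x01, BLUE=0x02, ORANGE=0x04 within $NAT_MASK); keep in sync with src/initscripts/system/firewall`. The commit message additionally reserves the two highest bits; stating that here as well would keep the layout in one place.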
@@ -829,10 +832,8 @@ sub add_dnat_mangle_rules {
my $interface = shift;
my @options = @_;
- my $mark = 0;
+ my $mark = 0x01000000;
foreach my $zone ("GREEN", "BLUE", "ORANGE") {
- $mark++;
-
# Skip rule if not all required information exists.
next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
next unless (exists $defaultNetworks{$zone . "_NETMASK"});
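Review bot: `$mark <<= 1` is now executed only when the zone is not skipped, so a zone without `_NETADDRESS`/`_NETMASK` shifts every following zone down one bit — with no GREEN network, BLUE is tagged 0x01000000, which the initscript SNATs to GREEN_ADDRESS. The old `$mark++` ran before the `next unless` checks, which kept the zone-to-mark assignment fixed. Either run the shift from a `continue { $mark <<= 1; }` block on the loop, or look the mark up per zone: `my %NAT_MARK_OF = (GREEN => 0x01000000, BLUE => 0x02000000, ORANGE => 0x04000000);` and pass `"$NAT_MARK_OF{$zone}/$NAT_MASK"` to `--set-xmark`. The shift itself is added in the following hunk; add_dnat_mangle_rules starts before this hunk.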
@@ -845,9 +846,11 @@ sub add_dnat_mangle_rules {
$netaddress .= "/" . $defaultNetworks{$zone . "_NETMASK"};
push(@mangle_options, ("-s", $netaddress, "-d", $nat_address));
- push(@mangle_options, ("-j", "MARK", "--set-mark", $mark));
+ push(@mangle_options, ("-j", "MARK", "--set-xmark", "$mark/$NAT_MASK"));
run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");
+
+ $mark <<= 1;
}
}
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index baa39abe1..9d023a349 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -12,6 +12,8 @@ if [ -f /var/ipfire/red/device ]; then
DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'`
fi
+NAT_MASK="0x0f000000"
+
function iptables() {
/sbin/iptables --wait "$@"
}
@@ -282,17 +284,17 @@ iptables_init() {
if [ -n "${GREEN_ADDRESS}" ]; then
iptables -t nat -A NAT_DESTINATION_FIX \
- -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}"
+ -m mark --mark "0x01000000/${NAT_MASK}" -j SNAT --to-source "${GREEN_ADDRESS}"
fi
if [ -n "${BLUE_ADDRESS}" ]; then
iptables -t nat -A NAT_DESTINATION_FIX \
- -m mark --mark 2 -j SNAT --to-source "${BLUE_ADDRESS}"
+ -m mark --mark "0x02000000/${NAT_MASK}" -j SNAT --to-source "${BLUE_ADDRESS}"
fi
if [ -n "${ORANGE_ADDRESS}" ]; then
iptables -t nat -A NAT_DESTINATION_FIX \
- -m mark --mark 3 -j SNAT --to-source "${ORANGE_ADDRESS}"
+ -m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
fi
# RED chain, used for the red interface
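Review bot: The three zone marks are typed as literals with no pointer to where they are produced; add_dnat_mangle_rules in config/firewall/rules.pl derives them by shifting 0x01000000 once per zone, so a change on either side silently breaks SNAT selection. Suggest a comment above the GREEN rule: `# Zone marks are set by add_dnat_mangle_rules in config/firewall/rules.pl (GREEN=0x01, BLUE=0x02, ORANGE=0x04 within NAT_MASK)`. iptables_init starts and ends outside this hunk.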
--
2.31.0
* [PATCH 2/6] QoS: Use the two right hand bytes to mark packets
From: Michael Tremer @ 2021-10-04 17:52 UTC (permalink / raw)
To: development
In order to not deal with any marks from NAT and the IPS, this patch
adds masks to all places where packets are being marked for individual
QoS classes.
Instead of being able to use the "fw" match in tc, we have to use the
u32 to apply the mask.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/qos/makeqosscripts.pl | 57 ++++++++++++++++++++++--------------
1 file changed, 35 insertions(+), 22 deletions(-)
diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index cbbbf70f8..3af046ac3 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -56,6 +56,12 @@ my $portfile = "/var/ipfire/qos/portconfig";
my $tosfile = "/var/ipfire/qos/tosconfig";
my $fqcodel_options = "limit 10240 quantum 1514";
+# Define iptables MARKs
+my $QOS_INC_MASK = 0x0000ff00;
+my $QOS_INC_SHIFT = 8;
+my $QOS_OUT_MASK = 0x000000ff;
+my $QOS_OUT_SHIFT = 0;
+
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
$qossettings{'ENABLED'} = 'off';
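Review bot: `# Define iptables MARKs` names neither the bit layout nor the consequence that a class id must fit in eight bits. Suggest `# MARK layout: bits 0-7 = outgoing QoS class, bits 8-15 = incoming QoS class; the upper bits belong to the NAT fix and others, so every MARK/mark below carries a mask`. Since `$qossettings{'CLASS'} << $QOS_OUT_SHIFT` is written unmasked and `--set-xmark` XORs the whole value, a class above 255 would spill into the incoming byte (or, for incoming, into the bits above); a comment or a guard on the class range is worth adding if the class files are not validated elsewhere.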
@@ -74,6 +80,10 @@ $qossettings{'VALID'} = 'yes';
&General::readhash("${General::swroot}/qos/settings", \%qossettings);
+my $ACK_MARK = ($qossettings{'ACK'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK";
+my $DEF_OUT_MARK = ($qossettings{'DEFCLASS_OUT'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK";
+my $DEF_INC_MARK = ($qossettings{'DEFCLASS_INC'} << $QOS_INC_SHIFT) . "/$QOS_INC_MASK";
+
open( FILE, "< $classfile" ) or die "Unable to read $classfile";
@classes = <FILE>;
close FILE;
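Review bot: `"/$QOS_OUT_MASK"` interpolates the mask in decimal, so `$ACK_MARK` becomes e.g. `101/255` while the tc filters below print the same fields as hex; iptables accepts both, but the generated script is easier to compare against `iptables -S` output (hex) if one form is used, e.g. `sprintf("0x%x/0x%x", $qossettings{'ACK'} << $QOS_OUT_SHIFT, $QOS_OUT_MASK)`. An empty `$qossettings{'ACK'}` shifts to `0/255`, which yields a valid but useless rule, so a `defined`/non-empty check before building these strings would surface a misconfiguration earlier.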
@@ -200,9 +210,11 @@ foreach $classentry (sort @classes)
if ($qossettings{'RED_DEV'} eq $classline[0]) {
$qossettings{'DEVICE'} = $classline[0];
$qossettings{'CLASS'} = $classline[1];
- print "\ttc filter add dev $qossettings{'DEVICE'} parent 1:0 prio 0 protocol ip handle $qossettings{'CLASS'} fw flowid 1:$qossettings{'CLASS'}\n";
+ print "\ttc filter add dev $qossettings{'DEVICE'} parent 1:0 prio 0 protocol ip";
+ printf(" u32 match mark 0x%x 0x%x flowid 1:%d\n", ($qossettings{'CLASS'} << $QOS_OUT_SHIFT), $QOS_OUT_MASK, $qossettings{'CLASS'});
}
}
+
print <<END
### ADD QOS-OUT CHAIN TO THE MANGLE TABLE IN IPTABLES
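Review bot: The move from `fw` to `u32 match mark` looks optional rather than forced: as far as I recall, iproute2's fw classifier also accepts a mask in its handle (`handle VALUE/MASK fw`), which would keep the one-line form; that should be checked against the iproute2 version shipped here before deciding. If u32 stays, a one-line comment above the print, `# u32 so the mark compare can be masked to the QoS byte`, stops the next reader from converting it back. The same applies to the incoming filter in the `parent 2:0` hunk further down.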
@@ -213,28 +225,28 @@ print <<END
iptables -t mangle -A QOS-OUT -m mark --mark 50 -j RETURN
### MARK ACKs
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j RETURN
- iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j RETURN
### SET TOS
@@ -247,7 +259,7 @@ END
$qossettings{'TOS'} = abs $tosruleline[2] * 2;
if ( $tosruleline[1] eq $qossettings{'RED_DEV'} )
{
- print "\tiptables -t mangle -A QOS-OUT -m tos --tos $qossettings{'TOS'} -j MARK --set-mark $qossettings{'CLASS'}\n";
+ print "\tiptables -t mangle -A QOS-OUT -m tos --tos $qossettings{'TOS'} -j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK\n";
print "\tiptables -t mangle -A QOS-OUT -m tos --tos $qossettings{'TOS'} -j RETURN\n";
}
}
@@ -282,7 +294,7 @@ print "\n\t### SET PORT-RULES\n";
if ($qossettings{'DPORT'} ne ''){
print "--dport $qossettings{'DPORT'} ";
}
- print "-j MARK --set-mark $qossettings{'CLASS'}\n";
+ print "-j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK\n";
print "\tiptables -t mangle -A QOS-OUT ";
if ($qossettings{'QIP'} ne ''){
print "-s $qossettings{'QIP'} ";
@@ -326,7 +338,7 @@ END
if ($qossettings{'DIP'} ne ''){
print "-d $qossettings{'DIP'} ";
}
- print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettings{'L7PROT'} -j MARK --set-mark $qossettings{'CLASS'}\n";
+ print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettings{'L7PROT'} -j MARK --set-xmark " . $qossettings{'CLASS'} << $QOS_OUT_SHIFT . "/$QOS_OUT_MASK\n";
print "\tiptables -t mangle -A QOS-OUT ";
if ($qossettings{'QIP'} ne ''){
print "-s $qossettings{'QIP'} ";
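Review bot: The rewritten layer7 rule is missing the parentheses every other rule uses: in Perl `.` binds tighter than `<<`, so `"… --set-xmark " . $qossettings{'CLASS'} << $QOS_OUT_SHIFT . "/$QOS_OUT_MASK\n"` evaluates as `("…" . $qossettings{'CLASS'}) << ("0/255\n")`, numifies the whole string to 0 and prints a bare `0` with no newline, leaving the next `iptables` command on the same line. Change it to `print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettings{'L7PROT'} -j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK\n";`. The enclosing loop starts and ends outside this hunk.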
@@ -341,7 +353,7 @@ END
print <<END
### REDUNDANT: SET ALL NONMARKED PACKETS TO DEFAULT CLASS
- iptables -t mangle -A QOS-OUT -m mark --mark 0 -j MARK --set-mark $qossettings{'DEFCLASS_OUT'}
+ iptables -t mangle -A QOS-OUT -m mark --mark 0/$QOS_OUT_MASK -j MARK --set-xmark $DEF_OUT_MARK
###
### $qossettings{'IMQ_DEV'}
@@ -410,7 +422,8 @@ foreach $classentry (sort @classes)
if ($qossettings{'IMQ_DEV'} eq $classline[0]) {
$qossettings{'DEVICE'} = $classline[0];
$qossettings{'CLASS'} = $classline[1];
- print "\ttc filter add dev $qossettings{'DEVICE'} parent 2:0 prio 0 protocol ip handle $qossettings{'CLASS'} fw flowid 2:$qossettings{'CLASS'}\n";
+ print "\ttc filter add dev $qossettings{'DEVICE'} parent 2:0 prio 0 protocol ip";
+ printf(" u32 match mark 0x%x 0x%x flowid 2:%d\n", ($qossettings{'CLASS'} << $QOS_INC_SHIFT), $QOS_INC_MASK, $qossettings{'CLASS'});
}
}
print <<END
@@ -420,7 +433,7 @@ print <<END
iptables -t mangle -A PREROUTING -i $qossettings{'RED_DEV'} -j QOS-INC
# If the packet is already marked, then skip the processing
- iptables -t mangle -A QOS-INC -m mark ! --mark 0 -j RETURN
+ iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_MASK -j RETURN
### SET TOS
END
@@ -432,7 +445,7 @@ END
$qossettings{'TOS'} = abs $tosruleline[2] * 2;
if ( $tosruleline[1] eq $qossettings{'IMQ_DEV'} )
{
- print "\tiptables -t mangle -A QOS-INC -m mark --mark 0 -m tos --tos $qossettings{'TOS'} -j MARK --set-mark $qossettings{'CLASS'}\n";
+ print "\tiptables -t mangle -A QOS-INC -m tos --tos $qossettings{'TOS'} -j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_INC_SHIFT) . "/$QOS_INC_MASK\n";
}
}
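Review bot: The rewritten TOS rule for QOS-INC drops the `-m mark --mark 0` guard the old line had, while the port and layer7 rules in the same chain keep `--mark 0/$QOS_INC_MASK`. Because the chain RETURNs early for already-marked packets this is probably harmless, but the asymmetry reads like an accident; either restore `-m mark --mark 0/$QOS_INC_MASK` or say in the commit message why the TOS rules do not need it. The enclosing loop starts outside this hunk.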
@@ -450,7 +463,7 @@ print "\n\t### SET PORT-RULES\n";
$qossettings{'QPORT'} = $portruleline[4];
$qossettings{'DIP'} = $portruleline[5];
$qossettings{'DPORT'} = $portruleline[6];
- print "\tiptables -t mangle -A QOS-INC -m mark --mark 0 ";
+ print "\tiptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK ";
if ($qossettings{'QIP'} ne ''){
print "-s $qossettings{'QIP'} ";
}
@@ -467,7 +480,7 @@ print "\n\t### SET PORT-RULES\n";
if ($qossettings{'DPORT'} ne ''){
print "--dport $qossettings{'DPORT'} ";
}
- print "-j MARK --set-mark $qossettings{'CLASS'}\n";
+ print "-j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_INC_SHIFT) . "/$QOS_INC_MASK\n";
}
}
@@ -486,23 +499,23 @@ END
$qossettings{'L7PROT'} = $l7ruleline[2];
$qossettings{'QIP'} = $l7ruleline[3];
$qossettings{'DIP'} = $l7ruleline[4];
- print "\tiptables -t mangle -A QOS-INC -m mark --mark 0 ";
+ print "\tiptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK ";
if ($qossettings{'QIP'} ne ''){
print "-s $qossettings{'QIP'} ";
}
if ($qossettings{'DIP'} ne ''){
print "-d $qossettings{'DIP'} ";
}
- print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettings{'L7PROT'} -j MARK --set-mark $qossettings{'CLASS'}\n";
+ print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettings{'L7PROT'} -j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_INC_SHIFT) . "/$QOS_INC_MASK\n";
}
}
print <<END
### REDUNDANT: SET ALL NONMARKED PACKETS TO DEFAULT CLASS
- iptables -t mangle -A QOS-INC -m mark --mark 0 -m layer7 ! --l7proto unset -j MARK --set-mark $qossettings{'DEFCLASS_INC'}
+ iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -m layer7 ! --l7proto unset -j MARK --set-xmark $DEF_INC_MARK
# Save mark in connection tracking
- iptables -t mangle -A QOS-INC -j CONNMARK --save-mark
+ iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -j CONNMARK --save-mark
## STARTING COLLECTOR
/usr/local/bin/qosd $qossettings{'RED_DEV'} >/dev/null 2>&1
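Review bot: `-m mark --mark 0/$QOS_INC_MASK -j CONNMARK --save-mark` saves the mark only for packets whose class byte is still zero, so classified packets are exactly the ones that are not saved; 5/6 inverts the match later in this series, and squashing that fix here would avoid a broken intermediate commit. Independently, `--save-mark` without `--nfmask`/`--ctmask` copies all 32 bits into the connmark, including the NAT fix nibble from 1/6 and, after 6/6, the IPsec bit, and the unmasked `--restore-mark` that 3/6 adds in PREROUTING then replays them onto every later packet of the connection; whether that is intended is not visible from this series. Restricting both sides to the QoS bytes, `-j CONNMARK --save-mark --nfmask $QOS_INC_MASK --ctmask $QOS_INC_MASK` here and the matching `--nfmask`/`--ctmask` on the save rules 5/6 adds and on the restore rule in the initscript, keeps the other bit fields per packet. The heredoc continues outside this hunk.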
--
2.31.0
* [PATCH 3/6] firewall: Always restore all connection marks
From: Michael Tremer @ 2021-10-04 17:52 UTC (permalink / raw)
To: development
This was done by tc only when QoS was enabled.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/qos/makeqosscripts.pl | 1 -
src/initscripts/system/firewall | 3 +++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index 3af046ac3..5bdd5b811 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -370,7 +370,6 @@ print <<END
ip link set $qossettings{'IMQ_DEV'} up
tc filter add dev $qossettings{'RED_DEV'} parent ffff: protocol all u32 match u32 0 0 \\
- action connmark \\
action mirred egress redirect dev $qossettings{'IMQ_DEV'}
### ADD HTB QDISC FOR $qossettings{'IMQ_DEV'}
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 9d023a349..7a7d52d57 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -100,6 +100,9 @@ iptables_init() {
iptables -t raw -N CONNTRACK
iptables -t raw -A PREROUTING -j CONNTRACK
+ # Restore any connection marks
+ iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
+
# Fix for braindead ISPs
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
--
2.31.0
* [PATCH 4/6] QoS: Drop support for hardcoded ACK rules
From: Michael Tremer @ 2021-10-04 17:52 UTC (permalink / raw)
To: development
This feature has to go in order to take advantage of CONNMARK which will
drastically decrease CPU load when passing packets.
We no longer will see every packet in the QOS-INC chain in order to
change classification of that packet. It is also partly counter-intuitive
to have parts of one connection in one class and the corresponding ACK
packets in another.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/qos/makeqosscripts.pl | 27 ---------------------------
html/cgi-bin/qos.cgi | 22 ++--------------------
2 files changed, 2 insertions(+), 47 deletions(-)
diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index 5bdd5b811..230dc3265 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -72,7 +72,6 @@ $qossettings{'DEF_OUT_SPD'} = '';
$qossettings{'DEF_INC_SPD'} = '';
$qossettings{'DEFCLASS_INC'} = '';
$qossettings{'DEFCLASS_OUT'} = '';
-$qossettings{'ACK'} = '';
$qossettings{'RED_DEV'} = `cat /var/ipfire/red/iface`;
$qossettings{'IMQ_DEV'} = 'imq0';
$qossettings{'TOS'} = '';
@@ -80,7 +79,6 @@ $qossettings{'VALID'} = 'yes';
&General::readhash("${General::swroot}/qos/settings", \%qossettings);
-my $ACK_MARK = ($qossettings{'ACK'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK";
my $DEF_OUT_MARK = ($qossettings{'DEFCLASS_OUT'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK";
my $DEF_INC_MARK = ($qossettings{'DEFCLASS_INC'} << $QOS_INC_SHIFT) . "/$QOS_INC_MASK";
@@ -224,31 +222,6 @@ print <<END
### Don't change mark on traffic for the ipsec tunnel
iptables -t mangle -A QOS-OUT -m mark --mark 50 -j RETURN
- ### MARK ACKs
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j RETURN
-
- iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j RETURN
-
- iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j RETURN
-
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j RETURN
-
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j RETURN
-
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j RETURN
-
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j RETURN
-
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j RETURN
-
### SET TOS
END
;
diff --git a/html/cgi-bin/qos.cgi b/html/cgi-bin/qos.cgi
index ab427879e..c2ff4a08d 100644
--- a/html/cgi-bin/qos.cgi
+++ b/html/cgi-bin/qos.cgi
@@ -68,7 +68,6 @@ $qossettings{'DEF_OUT_SPD'} = '';
$qossettings{'DEF_INC_SPD'} = '';
$qossettings{'DEFCLASS_INC'} = '';
$qossettings{'DEFCLASS_OUT'} = '';
-$qossettings{'ACK'} = '';
$qossettings{'RED_DEV'} = 'ppp0';
$qossettings{'IMQ_DEV'} = 'imq0';
$qossettings{'VALID'} = 'yes';
@@ -518,7 +517,6 @@ END
}
$qossettings{'DEFCLASS_INC'} = "210";
$qossettings{'DEFCLASS_OUT'} = "110";
- $qossettings{'ACK'} ="101";
$qossettings{'ENABLED'} = 'on';
&General::writehash("${General::swroot}/qos/settings", \%qossettings);
&General::system("/usr/local/bin/qosctrl", "generate");
@@ -660,7 +658,7 @@ END
END
;
}
- if (($qossettings{'DEFCLASS_OUT'} ne '') && ($qossettings{'DEFCLASS_INC'} ne '')&& ($qossettings{'ACK'} ne '')) {
+ if (($qossettings{'DEFCLASS_OUT'} ne '') && ($qossettings{'DEFCLASS_INC'} ne '')) {
print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
<table width='66%'>
@@ -668,7 +666,6 @@ END
<tr><td width='50%' align='right'>$Lang::tr{'downlink std class'}: <td width='30%' align='left'>$qossettings{'DEFCLASS_INC'}
<td width='20%' rowspan='3' align='center' valign='middle'><input type='submit' name='ACTIONDEF' value='$Lang::tr{'modify'}' />
<tr><td width='50%' align='right'>$Lang::tr{'uplink std class'}: <td width='30%' align='left'>$qossettings{'DEFCLASS_OUT'}
- <tr><td width='50%' align='right'>ACKs: <td width='30%' align='left'>$qossettings{'ACK'}
<tr><td colspan='3' width='100%'><hr />
<tr><td colspan='3' width='100%' align='center'>
</table>
@@ -692,7 +689,7 @@ if ( ($qossettings{'OUT_SPD'} eq '') || ($qossettings{'INC_SPD'} eq '') ) {
exit
}
-if ( ($qossettings{'DEFCLASS_INC'} eq '') || ($qossettings{'DEFCLASS_OUT'} eq '') || ($qossettings{'ACK'} eq '') ) {
+if ( ($qossettings{'DEFCLASS_INC'} eq '') || ($qossettings{'DEFCLASS_OUT'} eq '') ) {
&changedefclasses();
&Header::closebigbox();
&Header::closepage();
@@ -742,21 +739,6 @@ END
else { print "<option selected value='$c'>$c</option>\n"; }
}
print <<END
- </select><td width='33%' align='center'>
- </table>
- <hr />
- <table width='66%'>
- <tr><td width='100%' colspan='3'>$Lang::tr{'enter ack class'}
- <tr><td width='33%' align='right'>ACKs:<td width='33%' align='left'><select name='ACK'>
-END
-;
- for ( $c = 100 ; $c <= 120 ; $c++ )
- {
- if ( $qossettings{'ACK'} ne $c )
- { print "<option value='$c'>$c</option>\n"; }
- else { print "<option selected value='$c'>$c</option>\n"; }
- }
- print <<END
</select><td width='33%' align='center'><input type='submit' name='ACTION' value="$Lang::tr{'save'}" />
</table>
</form>
--
2.31.0
* [PATCH 5/6] QoS: Make outgoing packet processing use CONNMARK
From: Michael Tremer @ 2021-10-04 17:52 UTC (permalink / raw)
To: development
This will significantly reduce the load when classifying outgoing
traffic as there won't be any overhead as soon as the connection has
been classified. The classification is being stored in the iptables MARK
which will be copied to CONNMARK if changed.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/qos/makeqosscripts.pl | 30 +++++++++---------------------
1 file changed, 9 insertions(+), 21 deletions(-)
diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index 230dc3265..b1bb637b3 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -217,7 +217,10 @@ print <<END
### ADD QOS-OUT CHAIN TO THE MANGLE TABLE IN IPTABLES
iptables -t mangle -N QOS-OUT
- iptables -t mangle -I POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-OUT
+ iptables -t mangle -A POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-OUT
+
+ # If the packet is already marked, then skip the processing
+ iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_MASK -j RETURN
### Don't change mark on traffic for the ipsec tunnel
iptables -t mangle -A QOS-OUT -m mark --mark 50 -j RETURN
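Review bot: Changing `-I POSTROUTING` to `-A POSTROUTING` moves the QOS-OUT jump from the head to the tail of the mangle POSTROUTING chain, a reordering relative to whatever the firewall initscript or other generators already put there, and the commit message does not mention it. If the intent is that QOS-OUT must run after rules that set other mark bits so the new skip check sees them, say so above the line, e.g. `# Appended (not inserted) so marks set earlier in POSTROUTING are visible to the skip check below`; otherwise `-I` should stay. The heredoc starts and ends outside this hunk.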
@@ -250,7 +253,7 @@ print "\n\t### SET PORT-RULES\n";
$qossettings{'QPORT'} = $portruleline[4];
$qossettings{'DIP'} = $portruleline[5];
$qossettings{'DPORT'} = $portruleline[6];
- print "\tiptables -t mangle -A QOS-OUT ";
+ print "\tiptables -t mangle -A QOS-OUT -m mark --mark 0/$QOS_OUT_MASK ";
if ($qossettings{'QIP'} ne ''){
print "-s $qossettings{'QIP'} ";
}
@@ -268,24 +271,6 @@ print "\n\t### SET PORT-RULES\n";
print "--dport $qossettings{'DPORT'} ";
}
print "-j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK\n";
- print "\tiptables -t mangle -A QOS-OUT ";
- if ($qossettings{'QIP'} ne ''){
- print "-s $qossettings{'QIP'} ";
- }
- if ($qossettings{'DIP'} ne ''){
- print "-d $qossettings{'DIP'} ";
- }
- print "-p $qossettings{'PPROT'} ";
-# if (($qossettings{'QPORT'} ne '') || ($qossettings{'DPORT'} ne '')){
-# print "-m multiport ";
-# }
- if ($qossettings{'QPORT'} ne ''){
- print "--sport $qossettings{'QPORT'} ";
- }
- if ($qossettings{'DPORT'} ne ''){
- print "--dport $qossettings{'DPORT'} ";
- }
- print "-j RETURN\n\n";
}
}
@@ -328,6 +313,9 @@ print <<END
### REDUNDANT: SET ALL NONMARKED PACKETS TO DEFAULT CLASS
iptables -t mangle -A QOS-OUT -m mark --mark 0/$QOS_OUT_MASK -j MARK --set-xmark $DEF_OUT_MARK
+ # Save mark in connection tracking
+ iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_MASK -j CONNMARK --save-mark
+
###
### $qossettings{'IMQ_DEV'}
###
@@ -487,7 +475,7 @@ print <<END
iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -m layer7 ! --l7proto unset -j MARK --set-xmark $DEF_INC_MARK
# Save mark in connection tracking
- iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -j CONNMARK --save-mark
+ iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_MASK -j CONNMARK --save-mark
## STARTING COLLECTOR
/usr/local/bin/qosd $qossettings{'RED_DEV'} >/dev/null 2>&1
--
2.31.0
* [PATCH 6/6] IPsec: Replace MARK 50 by 0x00800000
From: Michael Tremer @ 2021-10-04 17:52 UTC (permalink / raw)
To: development
This change is necessary because we are using the right-hand two bytes
for storing the QoS classes.
All IPsec traffic will now be skipped and never classified by the QoS.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/qos/makeqosscripts.pl | 10 +++++-----
src/initscripts/system/firewall | 7 +++++--
src/patches/strongswan-ipfire.patch | 12 ++++++------
3 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index b1bb637b3..fc8b8b84f 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -61,6 +61,9 @@ my $QOS_INC_MASK = 0x0000ff00;
my $QOS_INC_SHIFT = 8;
my $QOS_OUT_MASK = 0x000000ff;
my $QOS_OUT_SHIFT = 0;
+my $IPSEC_MASK = 0x00800000;
+my $QOS_INC_SKIP_MASK = $QOS_INC_MASK | $IPSEC_MASK;
+my $QOS_OUT_SKIP_MASK = $QOS_OUT_MASK | $IPSEC_MASK;
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
@@ -220,10 +223,7 @@ print <<END
iptables -t mangle -A POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-OUT
# If the packet is already marked, then skip the processing
- iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_MASK -j RETURN
-
- ### Don't change mark on traffic for the ipsec tunnel
- iptables -t mangle -A QOS-OUT -m mark --mark 50 -j RETURN
+ iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_SKIP_MASK -j RETURN
### SET TOS
END
@@ -393,7 +393,7 @@ print <<END
iptables -t mangle -A PREROUTING -i $qossettings{'RED_DEV'} -j QOS-INC
# If the packet is already marked, then skip the processing
- iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_MASK -j RETURN
+ iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_SKIP_MASK -j RETURN
### SET TOS
END
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 7a7d52d57..ce428393d 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -14,6 +14,9 @@ fi
NAT_MASK="0x0f000000"
+IPSEC_MARK="0x00800000"
+IPSEC_MASK="${IPSEC_MARK}"
+
function iptables() {
/sbin/iptables --wait "$@"
}
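Review bot: `IPSEC_MARK`/`IPSEC_MASK` duplicate the `0x00800000` literal that this commit also hardcodes six times in src/patches/strongswan-ipfire.patch and defines again as `$IPSEC_MASK` in config/qos/makeqosscripts.pl, with nothing tying the three copies together. Suggest `# Bit 23 marks IPsec traffic; keep in sync with config/qos/makeqosscripts.pl and the --set-xmark lines in src/patches/strongswan-ipfire.patch` above `IPSEC_MARK=`. Using the same name in the Perl copy (it is a mark value there too, not only a mask) would make that cross-check a single grep.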
@@ -376,8 +379,8 @@ iptables_red_up() {
iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
- # Outgoing masquerading (don't masqerade IPsec (mark 50))
- iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
+ # Outgoing masquerading (don't masqerade IPsec)
+ iptables -t nat -A REDNAT -m mark --mark "${IPSEC_MARK}/${IPSEC_MASK}" -o "${IFACE}" -j RETURN
if [ "${IFACE}" = "${GREEN_DEV}" ]; then
iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN
diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-ipfire.patch
index 7071983b8..17c40b025 100644
--- a/src/patches/strongswan-ipfire.patch
+++ b/src/patches/strongswan-ipfire.patch
@@ -42,7 +42,7 @@
+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-xmark 0x00800000/0x00800000
#
# allow IPIP traffic because of the implicit SA created by the kernel if
# IPComp is used (for small inbound packets that are not compressed)
@@ -71,7 +71,7 @@
+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-xmark 0x00800000/0x00800000
#
# IPIP exception teardown
if [ -n "$PLUTO_IPCOMP" ]
@@ -97,7 +97,7 @@
-s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
@@ -117,7 +117,7 @@
+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
fi
#
# allow IPIP traffic because of the implicit SA created by the kernel if
@@ -194,7 +194,7 @@
-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
++ $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT \
@@ -217,7 +217,7 @@
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
-+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
++ $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
fi
#
# IPIP exception teardown
--
2.31.0