* [PATCH 2/6] QoS: Use the two right hand bytes to mark packets
2021-10-04 17:52 [PATCH 1/6] firewall: Only check relevant bits for NAT fix rules Michael Tremer
@ 2021-10-04 17:52 ` Michael Tremer
2021-10-04 17:52 ` [PATCH 3/6] firewall: Always restore all connection marks Michael Tremer
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Michael Tremer @ 2021-10-04 17:52 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 10064 bytes --]
In order to not deal with any marks from NAT and the IPS, this patch
adds masks to all places where packets are being marked for individual
QoS classes.
Instead of being able to use the "fw" match in tc, we have to use the
u32 to apply the mask.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/qos/makeqosscripts.pl | 57 ++++++++++++++++++++++--------------
1 file changed, 35 insertions(+), 22 deletions(-)
diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index cbbbf70f8..3af046ac3 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -56,6 +56,12 @@ my $portfile = "/var/ipfire/qos/portconfig";
my $tosfile = "/var/ipfire/qos/tosconfig";
my $fqcodel_options = "limit 10240 quantum 1514";
+# Define iptables MARKs
+my $QOS_INC_MASK = 0x0000ff00;
+my $QOS_INC_SHIFT = 8;
+my $QOS_OUT_MASK = 0x000000ff;
+my $QOS_OUT_SHIFT = 0;
+
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
$qossettings{'ENABLED'} = 'off';
@@ -74,6 +80,10 @@ $qossettings{'VALID'} = 'yes';
&General::readhash("${General::swroot}/qos/settings", \%qossettings);
+my $ACK_MARK = ($qossettings{'ACK'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK";
+my $DEF_OUT_MARK = ($qossettings{'DEFCLASS_OUT'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK";
+my $DEF_INC_MARK = ($qossettings{'DEFCLASS_INC'} << $QOS_INC_SHIFT) . "/$QOS_INC_MASK";
+
open( FILE, "< $classfile" ) or die "Unable to read $classfile";
@classes = <FILE>;
close FILE;
@@ -200,9 +210,11 @@ foreach $classentry (sort @classes)
if ($qossettings{'RED_DEV'} eq $classline[0]) {
$qossettings{'DEVICE'} = $classline[0];
$qossettings{'CLASS'} = $classline[1];
- print "\ttc filter add dev $qossettings{'DEVICE'} parent 1:0 prio 0 protocol ip handle $qossettings{'CLASS'} fw flowid 1:$qossettings{'CLASS'}\n";
+ print "\ttc filter add dev $qossettings{'DEVICE'} parent 1:0 prio 0 protocol ip";
+ printf(" u32 match mark 0x%x 0x%x flowid 1:%d\n", ($qossettings{'CLASS'} << $QOS_OUT_SHIFT), $QOS_OUT_MASK, $qossettings{'CLASS'});
}
}
+
print <<END
### ADD QOS-OUT CHAIN TO THE MANGLE TABLE IN IPTABLES
@@ -213,28 +225,28 @@ print <<END
iptables -t mangle -A QOS-OUT -m mark --mark 50 -j RETURN
### MARK ACKs
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j RETURN
- iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j MARK --set-mark $qossettings{'ACK'}
+ iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j MARK --set-xmark $ACK_MARK
iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j RETURN
### SET TOS
@@ -247,7 +259,7 @@ END
$qossettings{'TOS'} = abs $tosruleline[2] * 2;
if ( $tosruleline[1] eq $qossettings{'RED_DEV'} )
{
- print "\tiptables -t mangle -A QOS-OUT -m tos --tos $qossettings{'TOS'} -j MARK --set-mark $qossettings{'CLASS'}\n";
+ print "\tiptables -t mangle -A QOS-OUT -m tos --tos $qossettings{'TOS'} -j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK\n";
print "\tiptables -t mangle -A QOS-OUT -m tos --tos $qossettings{'TOS'} -j RETURN\n";
}
}
@@ -282,7 +294,7 @@ print "\n\t### SET PORT-RULES\n";
if ($qossettings{'DPORT'} ne ''){
print "--dport $qossettings{'DPORT'} ";
}
- print "-j MARK --set-mark $qossettings{'CLASS'}\n";
+ print "-j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK\n";
print "\tiptables -t mangle -A QOS-OUT ";
if ($qossettings{'QIP'} ne ''){
print "-s $qossettings{'QIP'} ";
@@ -326,7 +338,7 @@ END
if ($qossettings{'DIP'} ne ''){
print "-d $qossettings{'DIP'} ";
}
- print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettings{'L7PROT'} -j MARK --set-mark $qossettings{'CLASS'}\n";
+ print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettings{'L7PROT'} -j MARK --set-xmark " . $qossettings{'CLASS'} << $QOS_OUT_SHIFT . "/$QOS_OUT_MASK\n";
print "\tiptables -t mangle -A QOS-OUT ";
if ($qossettings{'QIP'} ne ''){
print "-s $qossettings{'QIP'} ";
@@ -341,7 +353,7 @@ END
print <<END
### REDUNDANT: SET ALL NONMARKED PACKETS TO DEFAULT CLASS
- iptables -t mangle -A QOS-OUT -m mark --mark 0 -j MARK --set-mark $qossettings{'DEFCLASS_OUT'}
+ iptables -t mangle -A QOS-OUT -m mark --mark 0/$QOS_OUT_MASK -j MARK --set-xmark $DEF_OUT_MARK
###
### $qossettings{'IMQ_DEV'}
@@ -410,7 +422,8 @@ foreach $classentry (sort @classes)
if ($qossettings{'IMQ_DEV'} eq $classline[0]) {
$qossettings{'DEVICE'} = $classline[0];
$qossettings{'CLASS'} = $classline[1];
- print "\ttc filter add dev $qossettings{'DEVICE'} parent 2:0 prio 0 protocol ip handle $qossettings{'CLASS'} fw flowid 2:$qossettings{'CLASS'}\n";
+ print "\ttc filter add dev $qossettings{'DEVICE'} parent 2:0 prio 0 protocol ip";
+ printf(" u32 match mark 0x%x 0x%x flowid 2:%d\n", ($qossettings{'CLASS'} << $QOS_INC_SHIFT), $QOS_INC_MASK, $qossettings{'CLASS'});
}
}
print <<END
@@ -420,7 +433,7 @@ print <<END
iptables -t mangle -A PREROUTING -i $qossettings{'RED_DEV'} -j QOS-INC
# If the packet is already marked, then skip the processing
- iptables -t mangle -A QOS-INC -m mark ! --mark 0 -j RETURN
+ iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_MASK -j RETURN
### SET TOS
END
@@ -432,7 +445,7 @@ END
$qossettings{'TOS'} = abs $tosruleline[2] * 2;
if ( $tosruleline[1] eq $qossettings{'IMQ_DEV'} )
{
- print "\tiptables -t mangle -A QOS-INC -m mark --mark 0 -m tos --tos $qossettings{'TOS'} -j MARK --set-mark $qossettings{'CLASS'}\n";
+ print "\tiptables -t mangle -A QOS-INC -m tos --tos $qossettings{'TOS'} -j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_INC_SHIFT) . "/$QOS_INC_MASK\n";
}
}
@@ -450,7 +463,7 @@ print "\n\t### SET PORT-RULES\n";
$qossettings{'QPORT'} = $portruleline[4];
$qossettings{'DIP'} = $portruleline[5];
$qossettings{'DPORT'} = $portruleline[6];
- print "\tiptables -t mangle -A QOS-INC -m mark --mark 0 ";
+ print "\tiptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK ";
if ($qossettings{'QIP'} ne ''){
print "-s $qossettings{'QIP'} ";
}
@@ -467,7 +480,7 @@ print "\n\t### SET PORT-RULES\n";
if ($qossettings{'DPORT'} ne ''){
print "--dport $qossettings{'DPORT'} ";
}
- print "-j MARK --set-mark $qossettings{'CLASS'}\n";
+ print "-j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_INC_SHIFT) . "/$QOS_INC_MASK\n";
}
}
@@ -486,23 +499,23 @@ END
$qossettings{'L7PROT'} = $l7ruleline[2];
$qossettings{'QIP'} = $l7ruleline[3];
$qossettings{'DIP'} = $l7ruleline[4];
- print "\tiptables -t mangle -A QOS-INC -m mark --mark 0 ";
+ print "\tiptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK ";
if ($qossettings{'QIP'} ne ''){
print "-s $qossettings{'QIP'} ";
}
if ($qossettings{'DIP'} ne ''){
print "-d $qossettings{'DIP'} ";
}
- print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettings{'L7PROT'} -j MARK --set-mark $qossettings{'CLASS'}\n";
+ print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettings{'L7PROT'} -j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_INC_SHIFT) . "/$QOS_INC_MASK\n";
}
}
print <<END
### REDUNDANT: SET ALL NONMARKED PACKETS TO DEFAULT CLASS
- iptables -t mangle -A QOS-INC -m mark --mark 0 -m layer7 ! --l7proto unset -j MARK --set-mark $qossettings{'DEFCLASS_INC'}
+ iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -m layer7 ! --l7proto unset -j MARK --set-xmark $DEF_INC_MARK
# Save mark in connection tracking
- iptables -t mangle -A QOS-INC -j CONNMARK --save-mark
+ iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -j CONNMARK --save-mark
## STARTING COLLECTOR
/usr/local/bin/qosd $qossettings{'RED_DEV'} >/dev/null 2>&1
--
2.31.0
^ permalink raw reply [flat|nested] 6+ messages in thread* [PATCH 3/6] firewall: Always restore all connection marks
2021-10-04 17:52 [PATCH 1/6] firewall: Only check relevant bits for NAT fix rules Michael Tremer
2021-10-04 17:52 ` [PATCH 2/6] QoS: Use the two right hand bytes to mark packets Michael Tremer
@ 2021-10-04 17:52 ` Michael Tremer
2021-10-04 17:52 ` [PATCH 4/6] QoS: Drop support for hardcoded ACK rules Michael Tremer
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Michael Tremer @ 2021-10-04 17:52 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1280 bytes --]
This was done by tc only when QoS was enabled
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/qos/makeqosscripts.pl | 1 -
src/initscripts/system/firewall | 3 +++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index 3af046ac3..5bdd5b811 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -370,7 +370,6 @@ print <<END
ip link set $qossettings{'IMQ_DEV'} up
tc filter add dev $qossettings{'RED_DEV'} parent ffff: protocol all u32 match u32 0 0 \\
- action connmark \\
action mirred egress redirect dev $qossettings{'IMQ_DEV'}
### ADD HTB QDISC FOR $qossettings{'IMQ_DEV'}
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 9d023a349..7a7d52d57 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -100,6 +100,9 @@ iptables_init() {
iptables -t raw -N CONNTRACK
iptables -t raw -A PREROUTING -j CONNTRACK
+ # Restore any connection marks
+ iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
+
# Fix for braindead ISPs
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
--
2.31.0
^ permalink raw reply [flat|nested] 6+ messages in thread* [PATCH 4/6] QoS: Drop support for hardcoded ACK rules
2021-10-04 17:52 [PATCH 1/6] firewall: Only check relevant bits for NAT fix rules Michael Tremer
2021-10-04 17:52 ` [PATCH 2/6] QoS: Use the two right hand bytes to mark packets Michael Tremer
2021-10-04 17:52 ` [PATCH 3/6] firewall: Always restore all connection marks Michael Tremer
@ 2021-10-04 17:52 ` Michael Tremer
2021-10-04 17:52 ` [PATCH 5/6] QoS: Make outgoing packet processing use CONNMARK Michael Tremer
2021-10-04 17:52 ` [PATCH 6/6] IPsec: Replace MARK 50 by 0x00800000 Michael Tremer
4 siblings, 0 replies; 6+ messages in thread
From: Michael Tremer @ 2021-10-04 17:52 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 6034 bytes --]
This feature has to go in order to take advantage of CONNMARK which will
drastically decrease CPU load when passing packets.
We no longer will see every packet in the QOS-INC chain in order to
change classification of that packet. It is also party counter-intuitive
to have parts of one connection in one class and the corresponding ACK
packets in another.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/qos/makeqosscripts.pl | 27 ---------------------------
html/cgi-bin/qos.cgi | 22 ++--------------------
2 files changed, 2 insertions(+), 47 deletions(-)
diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index 5bdd5b811..230dc3265 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -72,7 +72,6 @@ $qossettings{'DEF_OUT_SPD'} = '';
$qossettings{'DEF_INC_SPD'} = '';
$qossettings{'DEFCLASS_INC'} = '';
$qossettings{'DEFCLASS_OUT'} = '';
-$qossettings{'ACK'} = '';
$qossettings{'RED_DEV'} = `cat /var/ipfire/red/iface`;
$qossettings{'IMQ_DEV'} = 'imq0';
$qossettings{'TOS'} = '';
@@ -80,7 +79,6 @@ $qossettings{'VALID'} = 'yes';
&General::readhash("${General::swroot}/qos/settings", \%qossettings);
-my $ACK_MARK = ($qossettings{'ACK'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK";
my $DEF_OUT_MARK = ($qossettings{'DEFCLASS_OUT'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK";
my $DEF_INC_MARK = ($qossettings{'DEFCLASS_INC'} << $QOS_INC_SHIFT) . "/$QOS_INC_MASK";
@@ -224,31 +222,6 @@ print <<END
### Don't change mark on traffic for the ipsec tunnel
iptables -t mangle -A QOS-OUT -m mark --mark 50 -j RETURN
- ### MARK ACKs
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j RETURN
-
- iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j RETURN
-
- iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j RETURN
-
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j RETURN
-
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j RETURN
-
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j RETURN
-
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j RETURN
-
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j MARK --set-xmark $ACK_MARK
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j RETURN
-
### SET TOS
END
;
diff --git a/html/cgi-bin/qos.cgi b/html/cgi-bin/qos.cgi
index ab427879e..c2ff4a08d 100644
--- a/html/cgi-bin/qos.cgi
+++ b/html/cgi-bin/qos.cgi
@@ -68,7 +68,6 @@ $qossettings{'DEF_OUT_SPD'} = '';
$qossettings{'DEF_INC_SPD'} = '';
$qossettings{'DEFCLASS_INC'} = '';
$qossettings{'DEFCLASS_OUT'} = '';
-$qossettings{'ACK'} = '';
$qossettings{'RED_DEV'} = 'ppp0';
$qossettings{'IMQ_DEV'} = 'imq0';
$qossettings{'VALID'} = 'yes';
@@ -518,7 +517,6 @@ END
}
$qossettings{'DEFCLASS_INC'} = "210";
$qossettings{'DEFCLASS_OUT'} = "110";
- $qossettings{'ACK'} ="101";
$qossettings{'ENABLED'} = 'on';
&General::writehash("${General::swroot}/qos/settings", \%qossettings);
&General::system("/usr/local/bin/qosctrl", "generate");
@@ -660,7 +658,7 @@ END
END
;
}
- if (($qossettings{'DEFCLASS_OUT'} ne '') && ($qossettings{'DEFCLASS_INC'} ne '')&& ($qossettings{'ACK'} ne '')) {
+ if (($qossettings{'DEFCLASS_OUT'} ne '') && ($qossettings{'DEFCLASS_INC'} ne '')) {
print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
<table width='66%'>
@@ -668,7 +666,6 @@ END
<tr><td width='50%' align='right'>$Lang::tr{'downlink std class'}: <td width='30%' align='left'>$qossettings{'DEFCLASS_INC'}
<td width='20%' rowspan='3' align='center' valign='middle'><input type='submit' name='ACTIONDEF' value='$Lang::tr{'modify'}' />
<tr><td width='50%' align='right'>$Lang::tr{'uplink std class'}: <td width='30%' align='left'>$qossettings{'DEFCLASS_OUT'}
- <tr><td width='50%' align='right'>ACKs: <td width='30%' align='left'>$qossettings{'ACK'}
<tr><td colspan='3' width='100%'><hr />
<tr><td colspan='3' width='100%' align='center'>
</table>
@@ -692,7 +689,7 @@ if ( ($qossettings{'OUT_SPD'} eq '') || ($qossettings{'INC_SPD'} eq '') ) {
exit
}
-if ( ($qossettings{'DEFCLASS_INC'} eq '') || ($qossettings{'DEFCLASS_OUT'} eq '') || ($qossettings{'ACK'} eq '') ) {
+if ( ($qossettings{'DEFCLASS_INC'} eq '') || ($qossettings{'DEFCLASS_OUT'} eq '') ) {
&changedefclasses();
&Header::closebigbox();
&Header::closepage();
@@ -742,21 +739,6 @@ END
else { print "<option selected value='$c'>$c</option>\n"; }
}
print <<END
- </select><td width='33%' align='center'>
- </table>
- <hr />
- <table width='66%'>
- <tr><td width='100%' colspan='3'>$Lang::tr{'enter ack class'}
- <tr><td width='33%' align='right'>ACKs:<td width='33%' align='left'><select name='ACK'>
-END
-;
- for ( $c = 100 ; $c <= 120 ; $c++ )
- {
- if ( $qossettings{'ACK'} ne $c )
- { print "<option value='$c'>$c</option>\n"; }
- else { print "<option selected value='$c'>$c</option>\n"; }
- }
- print <<END
</select><td width='33%' align='center'><input type='submit' name='ACTION' value="$Lang::tr{'save'}" />
</table>
</form>
--
2.31.0
^ permalink raw reply [flat|nested] 6+ messages in thread* [PATCH 5/6] QoS: Make outgoing packet processing use CONNMARK
2021-10-04 17:52 [PATCH 1/6] firewall: Only check relevant bits for NAT fix rules Michael Tremer
` (2 preceding siblings ...)
2021-10-04 17:52 ` [PATCH 4/6] QoS: Drop support for hardcoded ACK rules Michael Tremer
@ 2021-10-04 17:52 ` Michael Tremer
2021-10-04 17:52 ` [PATCH 6/6] IPsec: Replace MARK 50 by 0x00800000 Michael Tremer
4 siblings, 0 replies; 6+ messages in thread
From: Michael Tremer @ 2021-10-04 17:52 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 3224 bytes --]
This will significantly reduce the load when classifying outgoing
traffic as there won't be any overhead as soon as the connection has
been classified. The classficiation is being stored in the iptables MARK
which will be copied to CONNMARK if changed.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/qos/makeqosscripts.pl | 30 +++++++++---------------------
1 file changed, 9 insertions(+), 21 deletions(-)
diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index 230dc3265..b1bb637b3 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -217,7 +217,10 @@ print <<END
### ADD QOS-OUT CHAIN TO THE MANGLE TABLE IN IPTABLES
iptables -t mangle -N QOS-OUT
- iptables -t mangle -I POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-OUT
+ iptables -t mangle -A POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-OUT
+
+ # If the packet is already marked, then skip the processing
+ iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_MASK -j RETURN
### Don't change mark on traffic for the ipsec tunnel
iptables -t mangle -A QOS-OUT -m mark --mark 50 -j RETURN
@@ -250,7 +253,7 @@ print "\n\t### SET PORT-RULES\n";
$qossettings{'QPORT'} = $portruleline[4];
$qossettings{'DIP'} = $portruleline[5];
$qossettings{'DPORT'} = $portruleline[6];
- print "\tiptables -t mangle -A QOS-OUT ";
+ print "\tiptables -t mangle -A QOS-OUT -m mark --mark 0/$QOS_OUT_MASK ";
if ($qossettings{'QIP'} ne ''){
print "-s $qossettings{'QIP'} ";
}
@@ -268,24 +271,6 @@ print "\n\t### SET PORT-RULES\n";
print "--dport $qossettings{'DPORT'} ";
}
print "-j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK\n";
- print "\tiptables -t mangle -A QOS-OUT ";
- if ($qossettings{'QIP'} ne ''){
- print "-s $qossettings{'QIP'} ";
- }
- if ($qossettings{'DIP'} ne ''){
- print "-d $qossettings{'DIP'} ";
- }
- print "-p $qossettings{'PPROT'} ";
-# if (($qossettings{'QPORT'} ne '') || ($qossettings{'DPORT'} ne '')){
-# print "-m multiport ";
-# }
- if ($qossettings{'QPORT'} ne ''){
- print "--sport $qossettings{'QPORT'} ";
- }
- if ($qossettings{'DPORT'} ne ''){
- print "--dport $qossettings{'DPORT'} ";
- }
- print "-j RETURN\n\n";
}
}
@@ -328,6 +313,9 @@ print <<END
### REDUNDANT: SET ALL NONMARKED PACKETS TO DEFAULT CLASS
iptables -t mangle -A QOS-OUT -m mark --mark 0/$QOS_OUT_MASK -j MARK --set-xmark $DEF_OUT_MARK
+ # Save mark in connection tracking
+ iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_MASK -j CONNMARK --save-mark
+
###
### $qossettings{'IMQ_DEV'}
###
@@ -487,7 +475,7 @@ print <<END
iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -m layer7 ! --l7proto unset -j MARK --set-xmark $DEF_INC_MARK
# Save mark in connection tracking
- iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -j CONNMARK --save-mark
+ iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_MASK -j CONNMARK --save-mark
## STARTING COLLECTOR
/usr/local/bin/qosd $qossettings{'RED_DEV'} >/dev/null 2>&1
--
2.31.0
^ permalink raw reply [flat|nested] 6+ messages in thread* [PATCH 6/6] IPsec: Replace MARK 50 by 0x00800000
2021-10-04 17:52 [PATCH 1/6] firewall: Only check relevant bits for NAT fix rules Michael Tremer
` (3 preceding siblings ...)
2021-10-04 17:52 ` [PATCH 5/6] QoS: Make outgoing packet processing use CONNMARK Michael Tremer
@ 2021-10-04 17:52 ` Michael Tremer
4 siblings, 0 replies; 6+ messages in thread
From: Michael Tremer @ 2021-10-04 17:52 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 5789 bytes --]
This change is necessary because we are using the right-hand two bytes
for storing the QoS classes.
All IPsec traffic will now be skipped and never classified by the QoS.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/qos/makeqosscripts.pl | 10 +++++-----
src/initscripts/system/firewall | 7 +++++--
src/patches/strongswan-ipfire.patch | 12 ++++++------
3 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index b1bb637b3..fc8b8b84f 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -61,6 +61,9 @@ my $QOS_INC_MASK = 0x0000ff00;
my $QOS_INC_SHIFT = 8;
my $QOS_OUT_MASK = 0x000000ff;
my $QOS_OUT_SHIFT = 0;
+my $IPSEC_MASK = 0x00800000;
+my $QOS_INC_SKIP_MASK = $QOS_INC_MASK | $IPSEC_MASK;
+my $QOS_OUT_SKIP_MASK = $QOS_OUT_MASK | $IPSEC_MASK;
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
@@ -220,10 +223,7 @@ print <<END
iptables -t mangle -A POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-OUT
# If the packet is already marked, then skip the processing
- iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_MASK -j RETURN
-
- ### Don't change mark on traffic for the ipsec tunnel
- iptables -t mangle -A QOS-OUT -m mark --mark 50 -j RETURN
+ iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_SKIP_MASK -j RETURN
### SET TOS
END
@@ -393,7 +393,7 @@ print <<END
iptables -t mangle -A PREROUTING -i $qossettings{'RED_DEV'} -j QOS-INC
# If the packet is already marked, then skip the processing
- iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_MASK -j RETURN
+ iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_SKIP_MASK -j RETURN
### SET TOS
END
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 7a7d52d57..ce428393d 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -14,6 +14,9 @@ fi
NAT_MASK="0x0f000000"
+IPSEC_MARK="0x00800000"
+IPSEC_MASK="${IPSEC_MARK}"
+
function iptables() {
/sbin/iptables --wait "$@"
}
@@ -376,8 +379,8 @@ iptables_red_up() {
iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
- # Outgoing masquerading (don't masqerade IPsec (mark 50))
- iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
+ # Outgoing masquerading (don't masqerade IPsec)
+ iptables -t nat -A REDNAT -m mark --mark "${IPSEC_MARK}/${IPSEC_MASK}" -o "${IFACE}" -j RETURN
if [ "${IFACE}" = "${GREEN_DEV}" ]; then
iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN
diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-ipfire.patch
index 7071983b8..17c40b025 100644
--- a/src/patches/strongswan-ipfire.patch
+++ b/src/patches/strongswan-ipfire.patch
@@ -42,7 +42,7 @@
+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-xmark 0x00800000/0x00800000
#
# allow IPIP traffic because of the implicit SA created by the kernel if
# IPComp is used (for small inbound packets that are not compressed)
@@ -71,7 +71,7 @@
+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-xmark 0x00800000/0x00800000
#
# IPIP exception teardown
if [ -n "$PLUTO_IPCOMP" ]
@@ -97,7 +97,7 @@
-s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
@@ -117,7 +117,7 @@
+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
fi
#
# allow IPIP traffic because of the implicit SA created by the kernel if
@@ -194,7 +194,7 @@
-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
++ $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT \
@@ -217,7 +217,7 @@
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
-+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
++ $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
fi
#
# IPIP exception teardown
--
2.31.0
^ permalink raw reply [flat|nested] 6+ messages in thread