RFC: promote netfilter MARK value from IPv6 packets to sit packets

RFC: promote netfilter MARK value from IPv6 packets to sit packets

[Erik Hensema]

Hi,

I'm new to the list, so be gentle with your flames ;-)

On my outgoing connection to the internet I provide QoS using ratelimiting
and prioritizing packets. However, it's a cablemodem and my provider only
speaks IPv4. Over the connections I run multiple IPv6 tunnels, and I want
to provide QoS on these tunnels too.

QoS however can only be provided on the physical outgoing interface. On
that level, I can only see IPv4 packets and therefore it's impossible to
provide QoS on IPv6 for me.

In order to be able to provide QoS on tunneled IPv6 connections, I've
created a simple patch (definately not ready for inclusion in the kernel,
since it surely needs a configuration option) which promotes the netfilter
MARK value from the IPv6 packets to the sit packets.
Now I can mark packets using ip6tables, and on the ipv4 level I can still
differentiate between the priorities. Problem solved, I'm happy ;-)

Below is the patch, created on Linux 2.4.19:


--- net/ipv6/sit.c.orig	Mon Feb 17 15:30:41 2003
+++ net/ipv6/sit.c	Mon Feb 17 15:29:40 2003
@@ -571,6 +571,9 @@
 		}
 		if (skb->sk)
 			skb_set_owner_w(new_skb, skb->sk);
+#ifdef CONFIG_NETFILTER
+		new_skb->nfmark = skb->nfmark;
+#endif
 		dev_kfree_skb(skb);
 		skb = new_skb;
 	}

-- 
Erik Hensema (erik@hensema.net)

Re: RFC: promote netfilter MARK value from IPv6 packets to sit packets

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1181 bytes --]

On Mon, Feb 17, 2003 at 03:57:27PM +0100, Erik Hensema wrote:

> In order to be able to provide QoS on tunneled IPv6 connections, I've
> created a simple patch (definately not ready for inclusion in the kernel,
> since it surely needs a configuration option) which promotes the netfilter
> MARK value from the IPv6 packets to the sit packets.
> Now I can mark packets using ip6tables, and on the ipv4 level I can still
> differentiate between the priorities. Problem solved, I'm happy ;-)

I like this patch.  I think we should make it a kernel configuration
option, but for all kind of tunnel interfaces.  Something like
'propagate NFMARK while tunneling' (or maybe 'preserve' instead of
'propagate' is better language?)

DaveM: Would this be acceptable?

> Erik Hensema (erik@hensema.net)

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]

Re: RFC: promote netfilter MARK value from IPv6 packets to sit packets

[Erik Hensema]

On Sun, Feb 23, 2003 at 08:33:39PM +0100, Harald Welte wrote:
> On Mon, Feb 17, 2003 at 03:57:27PM +0100, Erik Hensema wrote:
> 
> > In order to be able to provide QoS on tunneled IPv6 connections, I've
> > created a simple patch (definately not ready for inclusion in the kernel,
> > since it surely needs a configuration option) which promotes the netfilter
> > MARK value from the IPv6 packets to the sit packets.
> > Now I can mark packets using ip6tables, and on the ipv4 level I can still
> > differentiate between the priorities. Problem solved, I'm happy ;-)
> 
> I like this patch.  I think we should make it a kernel configuration
> option, but for all kind of tunnel interfaces.  Something like
> 'propagate NFMARK while tunneling' (or maybe 'preserve' instead of
> 'propagate' is better language?)

It certainly should be configurable. I've already sent it to the list, but
you can also download it from
http://dexter.hensema.net/~erik/patches/sit-promote-mark-2.4.21-pre4.diff

It should be easy to port this patch to gre and maybe ipip (don't know the
code of the latter, but I assume it's similar to gre and sit). I'll work on
that tomorrow, when I've got access to my development machine again.

In my current patch the configuration option is called 'IPv6: Promote
netfilter MARK value to sit packets'.
I don't think we should call it 'preserve', because technically that's not
what is happening. The tunnel interface creates a fresh new packet, with a
fresh new nfmark. Propagate seems to be the right term to me (as a
non-native english speaker).

-- 
Erik Hensema (erik@hensema.net)

Re: RFC: promote netfilter MARK value from IPv6 packets to sit packets

[jamal]

If this is to be a config option, it should not be restricted to
netfilter specifics but rather skb specifics. Example the tcindex
(maybe even the cb) etc.

cheers,
jamal

Re: RFC: promote netfilter MARK value from IPv6 packets to sit packets

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 782 bytes --]

On Mon, Feb 24, 2003 at 08:41:10AM -0500, jamal wrote:
> If this is to be a config option, it should not be restricted to
> netfilter specifics but rather skb specifics. Example the tcindex
> (maybe even the cb) etc.

No problem with me.  I do understand the usefulness of tcindex, but what
would a totally different protcol (or the user) do with the cb of a
different protocol?

> cheers,
> jamal

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]

Re: RFC: promote netfilter MARK value from IPv6 packets to sit packets

[jamal]

On Mon, 24 Feb 2003, Harald Welte wrote:

> On Mon, Feb 24, 2003 at 08:41:10AM -0500, jamal wrote:
> > If this is to be a config option, it should not be restricted to
> > netfilter specifics but rather skb specifics. Example the tcindex
> > (maybe even the cb) etc.
>
> No problem with me.  I do understand the usefulness of tcindex, but what
> would a totally different protcol (or the user) do with the cb of a
> different protocol?
>

cb is a maybe - it could be useful i think since the inner and outer
headers may be closely related and so share the same state.
I gacve tcindex as an example; others are: priority and some of the
other netfilter stuff (is nfcache still used?) etc.

cheers,
jamal