> On 22 Mar 2019, at 21:24, Kevin Darbyshire-Bryant wrote:
>
> It looks like act_conndscp has been shot down by the kernel people, at least in its current form. Setting a conntrack mark from tc is regarded as “not sure if it is a good idea”. The other way (conntrack to skb) is fine. That’s sort of good news in that ingress is the hard bit as it’s problematic with iptables.
>
> egress is within iptables coverage - ‘just’ need a way to store a DSCP & flag to conntrack mark.

Never give in, never surrender. Hacked together an iptables connmark extension that saves the DSCP (and optional status bit/s) to the conntrack mark ready for the ‘set’ part of the tc conndscp action. So we have the two parts of the operation happening across two different subsystems (iptables for the DSCP->connmark - tc action for the connmark -> DSCP).

Two patches - one kernel space and possibly tolerable. One user space which is an iptables copy&paste abomination but it *does* work on my openwrt router.

And yet another version of ‘my_layer_cake’ showing how I use it.

Cheers,

Kevin D-B

gpg: 012C ACB2 28C6 C53E 9775 9123 B3A2 389B 9DE2 334A