diff mbox series

[5/6] QoS: Make outgoing packet processing use CONNMARK

Message ID 20211004175222.9208-5-michael.tremer@ipfire.org
State Accepted
Commit f857c5c63040664414dc07838052155305136c5a
Headers
Series [1/6] firewall: Only check relevant bits for NAT fix rules |

Commit Message

Michael Tremer Oct. 4, 2021, 5:52 p.m. UTC 
  This will significantly reduce the load when classifying outgoing
traffic as there won't be any overhead as soon as the connection has
been classified. The classficiation is being stored in the iptables MARK
which will be copied to CONNMARK if changed.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/qos/makeqosscripts.pl | 30 +++++++++---------------------
 1 file changed, 9 insertions(+), 21 deletions(-)
diff mbox series

Patch

diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index 230dc3265..b1bb637b3 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -217,7 +217,10 @@  print <<END
 
 	### ADD QOS-OUT CHAIN TO THE MANGLE TABLE IN IPTABLES
 	iptables -t mangle -N QOS-OUT
-	iptables -t mangle -I POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-OUT
+	iptables -t mangle -A POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-OUT
+
+	# If the packet is already marked, then skip the processing
+	iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_MASK -j RETURN
 
 	### Don't change mark on traffic for the ipsec tunnel
 	iptables -t mangle -A QOS-OUT -m mark --mark 50 -j RETURN
@@ -250,7 +253,7 @@  print "\n\t### SET PORT-RULES\n";
 			$qossettings{'QPORT'} = $portruleline[4];
 			$qossettings{'DIP'} = $portruleline[5];
 			$qossettings{'DPORT'} = $portruleline[6];
-			print "\tiptables -t mangle -A QOS-OUT ";
+			print "\tiptables -t mangle -A QOS-OUT -m mark --mark 0/$QOS_OUT_MASK ";
 			if ($qossettings{'QIP'} ne ''){
 				print "-s $qossettings{'QIP'} ";
 			}
@@ -268,24 +271,6 @@  print "\n\t### SET PORT-RULES\n";
 				print "--dport $qossettings{'DPORT'} ";
 			}
 			print "-j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK\n";
-			print "\tiptables -t mangle -A QOS-OUT ";
-			if ($qossettings{'QIP'} ne ''){
-				print "-s $qossettings{'QIP'} ";
-			}
-			if ($qossettings{'DIP'} ne ''){
-				print "-d $qossettings{'DIP'} ";
-			}
-			print "-p $qossettings{'PPROT'} ";
-#			if (($qossettings{'QPORT'} ne '') || ($qossettings{'DPORT'} ne '')){
-#				print "-m multiport ";
-#			}
-			if ($qossettings{'QPORT'} ne ''){
-				print "--sport $qossettings{'QPORT'} ";
-			}
-			if ($qossettings{'DPORT'} ne ''){
-				print "--dport $qossettings{'DPORT'} ";
-			}
-			print "-j RETURN\n\n";
 		}
 	}
 
@@ -328,6 +313,9 @@  print <<END
 	### REDUNDANT: SET ALL NONMARKED PACKETS TO DEFAULT CLASS
 	iptables -t mangle -A QOS-OUT -m mark --mark 0/$QOS_OUT_MASK -j MARK --set-xmark $DEF_OUT_MARK
 
+	# Save mark in connection tracking
+	iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_MASK -j CONNMARK --save-mark
+
 	###
 	### $qossettings{'IMQ_DEV'}
 	###
@@ -487,7 +475,7 @@  print <<END
 	iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -m layer7 ! --l7proto unset -j MARK --set-xmark $DEF_INC_MARK
 
 	# Save mark in connection tracking
-	iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -j CONNMARK --save-mark
+	iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_MASK -j CONNMARK --save-mark
 
 	## STARTING COLLECTOR
 	/usr/local/bin/qosd $qossettings{'RED_DEV'} >/dev/null 2>&1