@fta many thanks for this. Are you sure about the goto's though? Because classify-dscp is itself within the context of a jump:
chain classify-and-store-dscp {
jump classify-dscp
jump store-dscp-in-conntrack
}
jump classify-dscp will return and process store-dscp-in-conntrack, right? The goto within classify-dscp doesn't prevent the jump classify-dscp from returning and processing store-dscp-in-conntrack?
After all, I'm seeing correct restorations on e.g. DNS over TLS on ingress:
19:03:25.639634 IP (tos 0x80, ttl 54, id 55644, offset 0, flags [DF], proto TCP (6), length 1360)
1.0.0.3.853 > 192.168.0.2.56038: Flags [P.], cksum 0xc6ef (incorrect -> 0xbdaa), seq 1309:2617, ack 292, win 8, opti
This seems super cool and only classifying and setting once, per new connection seems a great idea. @fta, @moeller0 or @dave14305 if I'm honest I forget why the conditional check was even there in the first place. Can either of you remind me?
This post from @ldir is relevant:
But now that I think about it, why was the conditional restore necessary? Why not just always restore?
statemask
A mask of at least 1 bit indicating where a conditional
restore flag is located in the 32 bit conntrack mark
field. The statemask bit/s must NOT overlap the mask
bits. The DSCP will be restored if the conntrack mark
logically ANDed with the statemask yields a non-zero
result. statemask is an optional unsigned 32 bit value.