QOSMate / Cake w/ DSCPs

I’m using a BT Home Hub 5A as the OpenWrt router and a Billion 8800 NL R2 in half bridge modem mode, which handles the PPPoE connection as well as DHCP, and I want to write DSCP markings into conntrack and restore them on ingress. I’m already encountering issues with writing DSCP markings into conntrack.

I’m using the following rules (chain in the forward hook):

nft add rule inet dscptag dscptag ct mark set ip dscp or 128 counter

Unfortunately, the rules either aren’t being written into conntrack or aren’t being written correctly.


meta nfproto 0 ct mark set @nh,8,8 & 0xfc [invalid type] | 0x80 counter packets 0 bytes 0
                meta nfproto 0 ct mark set @nh,0,16 & 0xfc0 [invalid type] | 0x80 counter packets 0 bytes 0
        }
}

I'm a newbie, so I would appreciate it if someone could help me out with this issue or walk me through it.

The DSCP remains unchanged at CS0 when running ping 1.1.1.1 -t and checking the connections tab, although I have assigned it to CS5.

Most of your rules are not enabled in the screenshot, and no ICMP traffic is visible in the connection list. How are you testing and confirming the behavior?

Ignore the display of the ct mark rules. I think it is cosmetic only, fixed in nftables v1.0.9.

Ahhh apologies, the screenshot was just to illustrate the software to you. However, when I do ping 1.1.1.1 -t it shows as cs0. I can show you once I’m home in like 10 mins.

To verify if the rule is being generated correctly internally, please run:

nft -c -d netlink add rule inet dscptag dscptag ct mark set ip dscp or 128 counter
nft -c -d netlink add rule inet dscptag dscptag ct mark set ip6 dscp or 128 counter

nft -c -d netlink add rule inet dscptag dscptag meta nfproto ipv4 ct mark set ip dscp or 128 counter
nft -c -d netlink add rule inet dscptag dscptag meta nfproto ipv6 ct mark set ip6 dscp or 128 counter

And post the output.

root@OpenWrt:~# nft -c -d netlink add rule inet dscptag dscptag ct mark set ip dscp or 128 counter
inet dscptag dscptag
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x02000000 ]
  [ payload load 1b @ network header + 1 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0xfc000000 ) ^ 0x00000000 ]
  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
  [ bitwise reg 1 = ( reg 1 & 0xffffff7f ) ^ 0x00000080 ]
  [ ct set mark with reg 1 ]
  [ counter pkts 0 bytes 0 ]

root@OpenWrt:~# nft -c -d netlink add rule inet dscptag dscptag ct mark set ip6 dscp or 128 counter
inet dscptag dscptag
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x0a000000 ]
  [ payload load 2b @ network header + 0 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x0fc00000 ) ^ 0x00000000 ]
  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
  [ bitwise reg 1 = ( reg 1 & 0xffffff7f ) ^ 0x00000080 ]
  [ ct set mark with reg 1 ]
  [ counter pkts 0 bytes 0 ]

There’s definitely some byte order problem with the nfproto (second line). Here’s what my output looks like for the first rule:

root@router:~# nft -c -d netlink add rule inet fw4 forward ct mark set ip dscp or 128 counter
inet fw4 forward
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x00000002 ]
  [ payload load 1b @ network header + 1 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
  [ bitwise reg 1 = ( reg 1 & 0xffffff7f ) ^ 0x00000080 ]
  [ ct set mark with reg 1 ]
  [ counter pkts 0 bytes 0 ]

root@router:~# nft -c -d netlink add rule inet fw4 forward ct mark set ip6 dscp or 128 counter
inet fw4 forward
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x0000000a ]
  [ payload load 2b @ network header + 0 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
  [ bitwise reg 1 = ( reg 1 & 0xffffff7f ) ^ 0x00000080 ]
  [ ct set mark with reg 1 ]
  [ counter pkts 0 bytes 0 ]

This is on an x86 target running 23.05.5.
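An added example, not part of any post in this thread: a Python check that decodes the constants from the two dumps above back into register bytes, assuming `nft -d netlink` prints each 32-bit register word in the host's byte order (the "big" and "little" labels for the two routers are that assumption). It also follows the bytecode for a CS5 packet; the function names are illustrative.

```python
import struct

def host_words(raw: bytes, byteorder: str) -> str:
    """Render register bytes the way the dump would on a host of that endianness
    (assumption: each 32-bit register word is printed in host byte order)."""
    padded = raw.ljust(-(-len(raw) // 4) * 4, b"\x00")
    fmt = ("<" if byteorder == "little" else ">") + "I" * (len(padded) // 4)
    return " ".join(f"0x{w:08x}" for w in struct.unpack(fmt, padded))

def word_to_bytes(text: str, byteorder: str, length: int) -> bytes:
    """Recover the first `length` register bytes from one printed word."""
    return int(text, 16).to_bytes(4, byteorder)[:length]

# Constants copied from the two dumps: (printed word, assumed host order, operand length)
DUMPS = {
    "nfproto ipv4":  [("0x02000000", "big", 1), ("0x00000002", "little", 1)],
    "nfproto ipv6":  [("0x0a000000", "big", 1), ("0x0000000a", "little", 1)],
    "ip dscp mask":  [("0xfc000000", "big", 1), ("0x000000fc", "little", 1)],
    "ip6 dscp mask": [("0x0fc00000", "big", 2), ("0x0000c00f", "little", 2)],
}

def compare_dumps() -> dict:
    """Map each operand to the set of distinct byte strings the two dumps encode."""
    return {name: {word_to_bytes(w, order, n) for w, order, n in entries}
            for name, entries in DUMPS.items()}

def ct_mark_from_tos(tos: int) -> int:
    """Follow the bytecode generated for `ct mark set ip dscp or 128`."""
    reg = tos & 0xfc                  # TOS byte masked down to the six DSCP bits
    reg >>= 2                         # shift out the two ECN bits
    return (reg & 0xffffff7f) ^ 0x80  # the "or 128" step

if __name__ == "__main__":
    for name, seen in compare_dumps().items():
        print(name, sorted(b.hex() for b in seen))
    print("CS5 (TOS 0xa0) -> ct mark", hex(ct_mark_from_tos(0xa0)))
```

Under that assumption each operand decodes to a single byte string on both routers, and a forwarded CS5 packet should leave ct mark 0xa8 on its conntrack entry.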

Ah, yeah, I see. Is it something that can be fixed?

Do you get the same output if you explicitly add the nfproto?

nft -c -d netlink add rule inet dscptag dscptag meta nfproto ipv4 ct mark set ip dscp or 128 counter
nft -c -d netlink add rule inet dscptag dscptag meta nfproto ipv6 ct mark set ip6 dscp or 128 counter

root@OpenWrt:~# nft -c -d netlink add rule inet dscptag dscptag meta nfproto ipv4 ct mark set ip dscp or 128 counter
inet dscptag dscptag
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x02000000 ]
  [ payload load 1b @ network header + 1 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0xfc000000 ) ^ 0x00000000 ]
  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
  [ bitwise reg 1 = ( reg 1 & 0xffffff7f ) ^ 0x00000080 ]
  [ ct set mark with reg 1 ]
  [ counter pkts 0 bytes 0 ]

root@OpenWrt:~# nft -c -d netlink add rule inet dscptag dscptag meta nfproto ipv6 ct mark set ip6 dscp or 128 counter
inet dscptag dscptag
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x0a000000 ]
  [ payload load 2b @ network header + 0 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x0fc00000 ) ^ 0x00000000 ]
  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
  [ bitwise reg 1 = ( reg 1 & 0xffffff7f ) ^ 0x00000080 ]
  [ ct set mark with reg 1 ]
  [ counter pkts 0 bytes 0 ]

Looks the exact same to me