As a point of order, 'act_ctinfo' is a tc action, not a q(ueuing)disc(ipline).
A typical usage for an IFB redirect ingress scenario is something like
    # tc filter show dev eth0 ingress
    filter parent ffff: protocol all pref 49152 matchall chain 0
    filter parent ffff: protocol all pref 49152 matchall chain 0 handle 0x1
      not_in_hw
            action order 1: ctinfo zone 0 pipe
             index 2 ref 1 bind 1 dscp 0x0000003f 0x00000800
            action order 2: mirred (Egress Redirect to device ifb4eth0) stolen
            index 1 ref 1 bind 1
The 1st action is 'ctinfo' where we hope to find that the conntrack firewall entry has a DSCP stored for this connection in the conntrack MARK field and if so, set that stored DSCP value into the current packet.
The 2nd action is 'mirred' (mirror/redirect) where we redirect this packet to the ingress port of another interface, in this case 'ifb4eth0'.
iptables is typically used to copy the DSCP from an existing (usually egress) packet into the conntrack firewall MARK - OpenWrt's iptables has a patched CONNMARK module which understands '--set-dscpmark', which copies the DSCP field into connmark and sets a flag.
    # classification rules here - put the desired DSCP into the packet
    iptables -t mangle -A MANGLE_CHAIN_HERE -j CONNMARK --set-dscpmark 0x3f/0x800
Most of the time you only need to set the DSCP on connection startup, so if you're clever with iptables rules and the DSCP_IS_STORED flag you can save yourself going through the classification decisions for every packet - sort of set and forget.
To set a decided DSCP on egress (to wan) you need something like
    # tc filter show dev eth0
    filter parent 8011: protocol all pref 49152 matchall chain 0
    filter parent 8011: protocol all pref 49152 matchall chain 0 handle 0x1
      not_in_hw
            action order 1: ctinfo zone 0 pipe
             index 1 ref 1 bind 1 dscp 0x0000003f 0x00000800
I should add that at present nftables does not have equivalent functionality of --set-dscpmark. You should cheer on Jeremy Sowden's efforts to enhance nftables to do so here https://marc.info/?l=netfilter-devel&m=164907445630634&w=2
Not to be too down on nftables, I was wondering why my old Raspberry Pi was running OpenWrt with fw4 and I'd forgotten I had been experimenting with how far I could get. It would be nice if you could do something as simple as "nft add rule t c ct mark set ip dscp" or even better "nft add rule t c ct mark set ct mark and 0xffffff00 or ip dscp" and it not throw a syntax error. You can get close with "meta nfproto ipv4 ct mark set @nh,8,6" and "meta nfproto ipv6 ct mark set @nh,4,6" but they both destroy the existing mark value rather than nicely masking themselves in - that's why Jeremy's work is so useful. I had sort of given up / got occupied with work but I'll see if I can work around the limitation.
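
The mark handling described above, as an added example that is not part of the original post and is not kernel or OpenWrt code: a user-space C model of storing the DSCP with mask 0x3f and flag 0x800, restoring it only when the flag is set, and what a whole-mark overwrite loses. The function names and sample values are constructed, and placing the DSCP in the mark bits selected by the mask is an assumption drawn from the 0x3f/0x800 arguments shown.

```c
/* Added example: user-space model only; function names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define DSCP_MASK  0x0000003fu  /* "dscp 0x0000003f": mark bits holding the DSCP */
#define STATE_MASK 0x00000800u  /* "0x00000800": the DSCP-is-stored flag */
#define ECN_MASK   0x03u        /* low two bits of the TOS / traffic-class byte */

/* Bit position of the lowest set bit in a non-zero mask. */
static unsigned mask_shift(uint32_t mask)
{
    unsigned s = 0;
    while (!(mask & 1u)) { mask >>= 1; s++; }
    return s;
}

/* Model of CONNMARK --set-dscpmark 0x3f/0x800: merge the packet's DSCP into
 * the mark under DSCP_MASK and raise the flag; other mark bits are untouched. */
uint32_t store_dscp(uint32_t mark, uint8_t tos)
{
    uint32_t dscp = (uint32_t)(tos >> 2);
    return (mark & ~DSCP_MASK) | ((dscp << mask_shift(DSCP_MASK)) & DSCP_MASK) | STATE_MASK;
}

/* Model of the ctinfo dscp action: rewrite the packet's DSCP from the mark
 * only when the flag is set; the ECN bits stay as received. */
uint8_t restore_dscp(uint32_t mark, uint8_t tos)
{
    if (!(mark & STATE_MASK))
        return tos;  /* nothing stored for this connection yet */
    uint32_t dscp = (mark & DSCP_MASK) >> mask_shift(DSCP_MASK);
    return (uint8_t)((dscp << 2) | (tos & ECN_MASK));
}

/* Model of a plain "ct mark set <6-bit DSCP>": the whole mark is replaced. */
uint32_t overwrite_mark(uint32_t mark, uint8_t tos)
{
    (void)mark;
    return (uint32_t)(tos >> 2);
}

int main(void)
{
    uint32_t stored = store_dscp(0x00ab0000u, 0xb8);  /* constructed: DSCP 46 (EF) */
    printf("mark after store:     0x%08x\n", (unsigned)stored);
    printf("ingress tos restored: 0x%02x\n", (unsigned)restore_dscp(stored, 0x01));
    printf("mark after overwrite: 0x%08x\n", (unsigned)overwrite_mark(0x00ab0000u, 0xb8));
    return 0;
}
```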