QoS: Make outgoing packet processing use CONNMARK

This will significantly reduce the load when classifying outgoing
traffic as there won't be any overhead as soon as the connection has
been classified. The classficiation is being stored in the iptables MARK
which will be copied to CONNMARK if changed.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index 230dc3265b8205c91606fa7fc554f71aa442fb8c..b1bb637b3574ed0816b4f4cc3775f00261e68090 100644 (file)
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -217,7 +217,10 @@ print <<END
 
        ### ADD QOS-OUT CHAIN TO THE MANGLE TABLE IN IPTABLES
        iptables -t mangle -N QOS-OUT
-       iptables -t mangle -I POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-OUT
+       iptables -t mangle -A POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-OUT
+
+       # If the packet is already marked, then skip the processing
+       iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_MASK -j RETURN
 
        ### Don't change mark on traffic for the ipsec tunnel
        iptables -t mangle -A QOS-OUT -m mark --mark 50 -j RETURN
@@ -250,7 +253,7 @@ print "\n\t### SET PORT-RULES\n";
                        $qossettings{'QPORT'} = $portruleline[4];
                        $qossettings{'DIP'} = $portruleline[5];
                        $qossettings{'DPORT'} = $portruleline[6];
-                       print "\tiptables -t mangle -A QOS-OUT ";
+                       print "\tiptables -t mangle -A QOS-OUT -m mark --mark 0/$QOS_OUT_MASK ";
                        if ($qossettings{'QIP'} ne ''){
                                print "-s $qossettings{'QIP'} ";
                        }
@@ -268,24 +271,6 @@ print "\n\t### SET PORT-RULES\n";
                                print "--dport $qossettings{'DPORT'} ";
                        }
                        print "-j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK\n";
-                       print "\tiptables -t mangle -A QOS-OUT ";
-                       if ($qossettings{'QIP'} ne ''){
-                               print "-s $qossettings{'QIP'} ";
-                       }
-                       if ($qossettings{'DIP'} ne ''){
-                               print "-d $qossettings{'DIP'} ";
-                       }
-                       print "-p $qossettings{'PPROT'} ";
-#                      if (($qossettings{'QPORT'} ne '') || ($qossettings{'DPORT'} ne '')){
-#                              print "-m multiport ";
-#                      }
-                       if ($qossettings{'QPORT'} ne ''){
-                               print "--sport $qossettings{'QPORT'} ";
-                       }
-                       if ($qossettings{'DPORT'} ne ''){
-                               print "--dport $qossettings{'DPORT'} ";
-                       }
-                       print "-j RETURN\n\n";
                }
        }
 
@@ -328,6 +313,9 @@ print <<END
        ### REDUNDANT: SET ALL NONMARKED PACKETS TO DEFAULT CLASS
        iptables -t mangle -A QOS-OUT -m mark --mark 0/$QOS_OUT_MASK -j MARK --set-xmark $DEF_OUT_MARK
 
+       # Save mark in connection tracking
+       iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_MASK -j CONNMARK --save-mark
+
        ###
        ### $qossettings{'IMQ_DEV'}
        ###
@@ -487,7 +475,7 @@ print <<END
        iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -m layer7 ! --l7proto unset -j MARK --set-xmark $DEF_INC_MARK
 
        # Save mark in connection tracking
-       iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -j CONNMARK --save-mark
+       iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_MASK -j CONNMARK --save-mark
 
        ## STARTING COLLECTOR
        /usr/local/bin/qosd $qossettings{'RED_DEV'} >/dev/null 2>&1