The attached patch enables the kernel to copy the netfilter MARK values from IPv6 packets to sit (IPv6-in-IPv4 tunnel) packets. It enables you to provide QoS on tunneled IPv6 packets.

I haven't completed my scripts yet, but I'll post a link to the list as soon as it's ready for testing.

For now, you can use something like this:

    ip6tables -t mangle -A POSTROUTING -o sitX <rules here> -j MARK --set-mark <mark>

and on your real outgoing interface to your provider:

    tc filter add dev <DEV> parent 1:0 protocol ip handle <mark> fw classid <class>

or:

    iptables [...] -p ipv6 -m mark --mark <mark> [...]

Please note that this could interfere with existing firewall rules.

Please help me test this before I submit it to the linux kernel mailing list for inclusion in the mainstream kernel.

-- 
Erik Hensema (erik@xxxxxxxxxxx)
diff -ur linux-2.4.21-pre4/Documentation/Configure.help linux-2.4.21-pre4.patched/Documentation/Configure.help --- linux-2.4.21-pre4/Documentation/Configure.help Tue Feb 18 12:54:18 2003 +++ linux-2.4.21-pre4.patched/Documentation/Configure.help Tue Feb 18 12:52:16 2003 @@ -5627,6 +5627,18 @@ It is safe to say N here for now. +IPv6: Promote netfilter MARK value to sit packets +CONFIG_IPV6_SIT_PROMOTE_MARK + If you use IPv6-in-IPv4 tunnels, you can use this option to mark + packets using ip6tables, and then match the sit (tunnel) packets + using iptables on the IPv4 level, or a tc fw match on the physical + outgoing interface. + + You need this if you want to provide QoS on a tunnelled IPv6 + connection. + + If unsure, say N. + Kernel httpd acceleration CONFIG_KHTTPD The kernel httpd acceleration daemon (kHTTPd) is a (limited) web diff -ur linux-2.4.21-pre4/net/ipv6/Config.in linux-2.4.21-pre4.patched/net/ipv6/Config.in --- linux-2.4.21-pre4/net/ipv6/Config.in Fri Dec 21 18:42:05 2001 +++ linux-2.4.21-pre4.patched/net/ipv6/Config.in Tue Feb 18 12:48:50 2003 @@ -7,4 +7,8 @@ if [ "$CONFIG_NETFILTER" != "n" ]; then source net/ipv6/netfilter/Config.in + + if [ "$CONFIG_IP6_NF_IPTABLES" != "n" ] ; then + bool ' IPv6: Promote netfilter MARK value to sit packets' CONFIG_IPV6_SIT_PROMOTE_MARK + fi fi diff -ur linux-2.4.21-pre4/net/ipv6/sit.c linux-2.4.21-pre4.patched/net/ipv6/sit.c --- linux-2.4.21-pre4/net/ipv6/sit.c Fri Nov 29 00:53:15 2002 +++ linux-2.4.21-pre4.patched/net/ipv6/sit.c Tue Feb 18 12:48:23 2003 @@ -571,6 +571,9 @@ } if (skb->sk) skb_set_owner_w(new_skb, skb->sk); +#ifdef CONFIG_IPV6_SIT_PROMOTE_MARK + new_skb->nfmark = skb->nfmark; +#endif dev_kfree_skb(skb); skb = new_skb; }
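
Review bot: The Configure.help entry for CONFIG_IPV6_SIT_PROMOTE_MARK does not mention the side effect the cover note warns about. With the option enabled, a mark set by ip6tables shows up on the outer IPv4 sit packet, so any existing iptables "-m mark" rule or tc fw filter that uses the same mark value will start matching tunnel traffic. Please add a sentence to the help text, before "If unsure, say N.", saying that IPv4 rules matching on the mark will also see marks set on the inner IPv6 packets and that mark values need to be kept distinct between the two rule sets.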
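
Review bot: In the net/ipv6/Config.in hunk the new bool is offered whenever CONFIG_IP6_NF_IPTABLES is not "n", but the help text describes marking packets with ip6tables, which needs more than the base ip6tables option (the mangle table and the MARK target), while the sit.c change itself only touches skb->nfmark. Either make the prompt depend on the option that actually provides the MARK target, or state in the help text which ip6tables pieces have to be enabled for the option to have any effect, so that a user cannot select it in a configuration where no mark can ever be set.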
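
Review bot: In the net/ipv6/sit.c hunk the assignment "new_skb->nfmark = skb->nfmark;" sits inside the block that ends with "dev_kfree_skb(skb); skb = new_skb; }", so it only runs when a replacement buffer was allocated. Please confirm that packets which keep the original skb still carry their nfmark when they leave the tunnel, and say so in the patch description; otherwise the mark is promoted for some packets and not for others, and QoS classification on the outgoing interface would be inconsistent. A one-line comment above the #ifdef explaining why the copy is needed at this point would also help.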