Support marking/matching tc_index in netfilter and connection tracking

[Luuk Paulussen <Luuk.Paulussen@xxxxxxxxxxxxxxxxxxx>]

Hi All,

I recently posted a patch/proposal to the netfilter-devel mailing list 
to add match/mark capability to netfilter for the tc_index field in the 
skb and to add it in the connection tracking.  The reason behind this is 
that the space in the skb->mark/connmark field is limited, and being 
able to mark elsewhere for tc purposes would take some of the pressure off.

The key goals are as follows:
1. Additional space for marking
2. Don't increase size of skb
3. Be able to restore mark (tc_index) from connection after first packet 
to speed up processing. (the first packet in each direction in a 
connection would be processed by all rules and then the assigned 
tc_index mark would be saved to connection, allowing all other packets 
in the flow to simply restore the mark and continue without processing 
all rules)
4. Be able to use hierarchical class based qdiscs (i.e. cls_flow isn't 
sufficient)

The full discussion so far is at the link below:
http://www.spinics.net/lists/netfilter-devel/msg39746.html

This marking of tc_index from xtables would be an alternative to using 
ingress, GRED or dsmark schedulers to set the tc_index parameter.

I am reposting this here, as I would like to get feedback from a tc 
point of view around this idea.

Can anybody see any reasons why this wouldn't work or other barriers to 
implementing this?  Ideas for alternatives would also be useful. One of 
the key goals is that we want to avoid doing full processing of all 
rules for every packet.

Kind regards,
Luuk��.n��������+%������w��{.n����j�\�)��jg��������ݢj����G�������j:+v���w�m������w�������h�����٥