{
    "mode": "man",
    "parameter": "tc-ctinfo",
    "section": "8",
    "url": "https://www.chedong.com/phpMan.php/man/tc-ctinfo/8/json",
    "generated": "2026-06-15T16:45:07Z",
    "synopsis": "tc  ... action ctinfo [ dscp MASK [STATEMASK] ] [ cpmark [MASK] ] [ zone ZONE ] [ CONTROL ] [\nindex <INDEX> ]",
    "sections": {
        "NAME": {
            "content": "ctinfo - tc connmark processing action\n",
            "subsections": []
        },
        "SYNOPSIS": {
            "content": "tc  ... action ctinfo [ dscp MASK [STATEMASK] ] [ cpmark [MASK] ] [ zone ZONE ] [ CONTROL ] [\nindex <INDEX> ]\n\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "CTINFO (Conntrack Information) is a tc action for retrieving data from conntrack marks into\nvarious fields. At present it has two independent processing modes which may be viewed as\nsub-functions.\n\nDSCP mode copies a DSCP stored in conntrack's connmark into the IPv4/v6 diffserv field. The\ncopying may conditionally occur based on a flag also stored in the connmark. DSCP mode was\ndesigned to assist in restoring packet classifications on ingress, classifications which may\nthen be used by qdiscs such as CAKE. It may be used in any circumstance where ingress\nclassification needs to be maintained across links that otherwise bleach or remap according to\ntheir own policies.\n\nCPMARK (copymark) mode copies the conntrack connmark into the packet's mark field. Without\nadditional parameters it is functionally completely equivalent to the existing connmark\naction. An optional mask may be specified to mask which bits of the connmark are restored.\nThis may be useful when DSCP and CPMARK modes are combined.\n\nSimple statistics (tc -s) on DSCP restores and CPMARK copies are maintained where values for\nset indicate a count of packets altered for that mode. DSCP includes an error count where\nthe destination packet's diffserv field was unwriteable.\n",
            "subsections": []
        },
        "PARAMETERS": {
            "content": "",
            "subsections": [
                {
                    "name": "DSCP mode parameters:",
                    "content": "mask   A mask of 6 contiguous bits indicating where the DSCP value is located in the 32 bit\nconntrack mark field. A mask must be provided for this mode. mask is a 32 bit\nunsigned value.\n\nstatemask\nA mask of at least 1 bit indicating where a conditional restore flag is located in the\n32 bit conntrack mark field. The statemask bit/s must NOT overlap the mask bits. The\nDSCP will be restored if the conntrack mark logically ANDed with the statemask yields\na non-zero result. statemask is an optional unsigned 32 bit value.\n"
                },
                {
                    "name": "CPMARK mode parameters:",
                    "content": "mask   Store the logically ANDed result of conntrack mark and mask into the packet's mark\nfield. Default is 0xffffffff, i.e. the whole mark field. mask is an optional unsigned\n32 bit value.\n"
                },
                {
                    "name": "Overall action parameters:",
                    "content": "zone   Specify the conntrack zone when doing conntrack lookups for packets. zone is a 16 bit\nunsigned decimal value. Default is 0.\n\nCONTROL\nThe following keywords control how the tree of qdisc, classes, filters and\nactions is further traversed after this action.\n\nreclassify\nRestart with the first filter in the current list.\n\npipe   Continue with the next action attached to the same filter.\n\ndrop   Drop the packet.\n\nshot   Synonym for drop.\n\ncontinue\nContinue classification with the next filter in line.\n\npass   Finish classification process and return to calling qdisc for further packet\nprocessing. This is the default.\n\nindex  Specify an index for this action in order to be able to identify it in later\ncommands. index is a 32 bit unsigned decimal value.\n"
                }
            ]
        },
        "EXAMPLES": {
            "content": "Example showing conditional restoration of DSCP on ingress via an IFB\n\n#Set up the IFB interface\ntc qdisc add dev ifb4eth0 handle ffff: ingress\n\n#Put CAKE qdisc on it\ntc qdisc add dev ifb4eth0 root cake bandwidth 40mbit\n\n#Set interface UP\nip link set dev ifb4eth0 up\n\n#Add 2 actions, ctinfo to restore dscp & mirred to redirect the packets to IFB\ntc filter add dev eth0 parent ffff: protocol all prio 10 u32 \\\nmatch u32 0 0 flowid 1:1 action    \\\nctinfo dscp 0xfc000000 0x01000000  \\\nmirred egress redirect dev ifb4eth0\n\ntc -s qdisc show dev eth0 ingress\n\nfilter parent ffff: protocol all pref 10 u32 chain 0\nfilter parent ffff: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1\nfilter parent ffff: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 notinhw\nmatch 00000000/00000000 at 0\naction order 1: ctinfo zone 0 pipe\nindex 2 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 72 sec used 0 sec DSCP set 1333 error 0 CPMARK set 0\nAction statistics:\nSent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0)\nbacklog 0b 0p requeues 0\n\naction order 2: mirred (Egress Redirect to device ifb4eth0) stolen\nindex 1 ref 1 bind 1 installed 72 sec used 0 sec\nAction statistics:\nSent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0)\nbacklog 0b 0p requeues 0\n\nExample showing conditional restoration of DSCP on egress\n\nThis may appear nonsensical since iptables marking of egress packets is easy to achieve,\nhowever the iptables flow classification rules may be extensive and so some sort of set once and\nforget may be useful especially on cpu constrained devices.\n\n# Send unmarked connections to a marking chain which needs to store a DSCP\n# and set statemask bit in the connmark\niptables -t mangle -A POSTROUTING -o eth0 -m connmark \\\n--mark 0x00000000/0x01000000 -g CLASSMARKINGCHAIN\n\n# Apply marked DSCP to the packets\ntc filter add dev eth0 protocol all prio 10 u32 \\\nmatch u32 0 0 flowid 1:1 action \\\nctinfo dscp 0xfc000000 0x01000000\n\ntc -s filter show dev eth0\nfilter parent 800e: protocol all pref 10 u32 chain 0\nfilter parent 800e: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1\nfilter parent 800e: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 notinhw\nmatch 00000000/00000000 at 0\naction order 1: ctinfo zone 0 pipe\nindex 1 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 7414 sec used 0 sec DSCP set 53404 error 0 CPMARK set 0\nAction statistics:\nSent 32890260 bytes 120441 pkt (dropped 0, overlimits 0 requeues 0)\nbacklog 0b 0p requeues 0\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "tc(8), tc-cake(8) tc-connmark(8) tc-mirred(8)\n",
            "subsections": []
        },
        "AUTHORS": {
            "content": "ctinfo was written by Kevin Darbyshire-Bryant.\n\n\n\niproute2                                     4 Jun 2019                       ctinfo action in tc(8)",
            "subsections": []
        }
    },
    "summary": "ctinfo - tc connmark processing action",
    "flags": [],
    "examples": [
        "Example showing conditional restoration of DSCP on ingress via an IFB",
        "#Set up the IFB interface",
        "tc qdisc add dev ifb4eth0 handle ffff: ingress",
        "#Put CAKE qdisc on it",
        "tc qdisc add dev ifb4eth0 root cake bandwidth 40mbit",
        "#Set interface UP",
        "ip link set dev ifb4eth0 up",
        "#Add 2 actions, ctinfo to restore dscp & mirred to redirect the packets to IFB",
        "tc filter add dev eth0 parent ffff: protocol all prio 10 u32 \\",
        "match u32 0 0 flowid 1:1 action    \\",
        "ctinfo dscp 0xfc000000 0x01000000  \\",
        "mirred egress redirect dev ifb4eth0",
        "tc -s qdisc show dev eth0 ingress",
        "filter parent ffff: protocol all pref 10 u32 chain 0",
        "filter parent ffff: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1",
        "filter parent ffff: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 notinhw",
        "match 00000000/00000000 at 0",
        "action order 1: ctinfo zone 0 pipe",
        "index 2 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 72 sec used 0 sec DSCP set 1333 error 0 CPMARK set 0",
        "Action statistics:",
        "Sent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0)",
        "backlog 0b 0p requeues 0",
        "action order 2: mirred (Egress Redirect to device ifb4eth0) stolen",
        "index 1 ref 1 bind 1 installed 72 sec used 0 sec",
        "Action statistics:",
        "Sent 658484 bytes 1833 pkt (dropped 0, overlimits 0 requeues 0)",
        "backlog 0b 0p requeues 0",
        "Example showing conditional restoration of DSCP on egress",
        "This may appear nonsensical since iptables marking of egress packets is easy to achieve,",
        "however the iptables flow classification rules may be extensive and so some sort of set once and",
        "forget may be useful especially on cpu constrained devices.",
        "# Send unmarked connections to a marking chain which needs to store a DSCP",
        "# and set statemask bit in the connmark",
        "iptables -t mangle -A POSTROUTING -o eth0 -m connmark \\",
        "--mark 0x00000000/0x01000000 -g CLASSMARKINGCHAIN",
        "# Apply marked DSCP to the packets",
        "tc filter add dev eth0 protocol all prio 10 u32 \\",
        "match u32 0 0 flowid 1:1 action \\",
        "ctinfo dscp 0xfc000000 0x01000000",
        "tc -s filter show dev eth0",
        "filter parent 800e: protocol all pref 10 u32 chain 0",
        "filter parent 800e: protocol all pref 10 u32 chain 0 fh 800: ht divisor 1",
        "filter parent 800e: protocol all pref 10 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 notinhw",
        "match 00000000/00000000 at 0",
        "action order 1: ctinfo zone 0 pipe",
        "index 1 ref 1 bind 1 dscp 0xfc000000 0x01000000 installed 7414 sec used 0 sec DSCP set 53404 error 0 CPMARK set 0",
        "Action statistics:",
        "Sent 32890260 bytes 120441 pkt (dropped 0, overlimits 0 requeues 0)",
        "backlog 0b 0p requeues 0"
    ],
    "see_also": [
        {
            "name": "tc",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/tc/8/json"
        },
        {
            "name": "tc-cake",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/tc-cake/8/json"
        },
        {
            "name": "tc-connmark",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/tc-connmark/8/json"
        },
        {
            "name": "tc-mirred",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/tc-mirred/8/json"
        }
    ]
}