From 41174c2a088d495817f42b5a0a7a45f50211428c Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 29 Aug 2025 11:27:31 -0400
Subject: [PATCH] clean inbound DSCP

This avoids setting outbound DSCP for echo-reply, TCP RST for TCP sockets in the Time-Wait state and potentially other cases. We don't want it to be possible for inbound packets to determine our outbound traffic classification even to a small extent.
---
 etc/nftables/nftables-attestation.conf | 3 +++
 etc/nftables/nftables-discuss.conf | 3 +++
 etc/nftables/nftables-mail.conf | 3 +++
 etc/nftables/nftables-matrix.conf | 3 +++
 etc/nftables/nftables-network.conf | 3 +++
 etc/nftables/nftables-ns1.conf | 3 +++
 etc/nftables/nftables-ns2.conf | 3 +++
 etc/nftables/nftables-social.conf | 3 +++
 etc/nftables/nftables-web.conf | 3 +++
 9 files changed, 27 insertions(+)

diff --git a/etc/nftables/nftables-attestation.conf b/etc/nftables/nftables-attestation.conf
index c299326..92f0349 100644
--- a/etc/nftables/nftables-attestation.conf
+++ b/etc/nftables/nftables-attestation.conf
@@ -57,6 +57,9 @@ table inet filter {
 type filter hook input priority filter
 policy drop
 
+ ip dscp set cs0
+ ip6 dscp set cs0
+
 tcp dport { 22, 80, 443 } goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
diff --git a/etc/nftables/nftables-discuss.conf b/etc/nftables/nftables-discuss.conf
index fb37815..e48a542 100644
--- a/etc/nftables/nftables-discuss.conf
+++ b/etc/nftables/nftables-discuss.conf
@@ -60,6 +60,9 @@ table inet filter {
 type filter hook input priority filter
 policy drop
 
+ ip dscp set cs0
+ ip6 dscp set cs0
+
 tcp dport { 22, 80, 443 } goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
diff --git a/etc/nftables/nftables-mail.conf b/etc/nftables/nftables-mail.conf
index f342ba3..822bfa8 100644
--- a/etc/nftables/nftables-mail.conf
+++ b/etc/nftables/nftables-mail.conf
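Review bot: The two `dscp set cs0` rules added to the input chain are undocumented, and a reader will not know why a filter-hook chain is rewriting packet headers; a comment above them such as `# clear inbound DSCP so it is never reflected into locally generated replies (echo-reply, RST)` would carry the commit's rationale into the file. The identical three-line stanza is repeated in nftables-discuss.conf, nftables-mail.conf, nftables-matrix.conf, nftables-network.conf, nftables-ns1.conf, nftables-ns2.conf, nftables-social.conf and nftables-web.conf; keeping it in one shared file pulled in with nftables' `include` would stop the nine copies from drifting. These rules sit in the `input` hook, so they only scrub packets delivered to the local host; if any of these hosts also forwards traffic, the same treatment would be needed in a `forward` or `prerouting` chain, which the hunks do not show. `ip dscp` and `ip6 dscp` address only the six DSCP bits, so the ECN bits are left untouched, which looks intended. The enclosing chain block starts outside the hunk.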
@@ -69,6 +69,9 @@ table inet filter {
 type filter hook input priority filter
 policy drop
 
+ ip dscp set cs0
+ ip6 dscp set cs0
+
 tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
diff --git a/etc/nftables/nftables-matrix.conf b/etc/nftables/nftables-matrix.conf
index 711c6e2..a28a8fd 100644
--- a/etc/nftables/nftables-matrix.conf
+++ b/etc/nftables/nftables-matrix.conf
@@ -57,6 +57,9 @@ table inet filter {
 type filter hook input priority filter
 policy drop
 
+ ip dscp set cs0
+ ip6 dscp set cs0
+
 tcp dport { 22, 80, 443 } goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
diff --git a/etc/nftables/nftables-network.conf b/etc/nftables/nftables-network.conf
index 466a63b..28b5e01 100644
--- a/etc/nftables/nftables-network.conf
+++ b/etc/nftables/nftables-network.conf
@@ -61,6 +61,9 @@ table inet filter {
 type filter hook input priority filter
 policy drop
 
+ ip dscp set cs0
+ ip6 dscp set cs0
+
 tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
diff --git a/etc/nftables/nftables-ns1.conf b/etc/nftables/nftables-ns1.conf
index 35bd39e..5b789cc 100644
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@@ -67,6 +67,9 @@ table inet filter {
 type filter hook input priority filter
 policy drop
 
+ ip dscp set cs0
+ ip6 dscp set cs0
+
 tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
diff --git a/etc/nftables/nftables-ns2.conf b/etc/nftables/nftables-ns2.conf
index 4bfdc0e..ab72fb0 100644
--- a/etc/nftables/nftables-ns2.conf
+++ b/etc/nftables/nftables-ns2.conf
@@ -65,6 +65,9 @@ table inet filter {
 type filter hook input priority filter
 policy drop
 
+ ip dscp set cs0
+ ip6 dscp set cs0
+
 tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
diff --git a/etc/nftables/nftables-social.conf b/etc/nftables/nftables-social.conf
index d6d7615..4d00b5a 100644
--- a/etc/nftables/nftables-social.conf
+++ b/etc/nftables/nftables-social.conf
@@ -57,6 +57,9 @@ table inet filter {
 type filter hook input priority filter
 policy drop
 
+ ip dscp set cs0
+ ip6 dscp set cs0
+
 tcp dport { 22, 80, 443 } goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
diff --git a/etc/nftables/nftables-web.conf b/etc/nftables/nftables-web.conf
index 909e8ca..32a8cfd 100644
--- a/etc/nftables/nftables-web.conf
+++ b/etc/nftables/nftables-web.conf
@@ -61,6 +61,9 @@ table inet filter {
 type filter hook input priority filter
 policy drop
 
+ ip dscp set cs0
+ ip6 dscp set cs0
+
 tcp dport { 22, 80, 443 } goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }