nftables: ns1: add fq priority configuration

2025-11-24 08:43:11 -05:00 · 2025-11-10 06:40:03 -05:00 · 2025-11-10 06:40:03 -05:00 · 5b82f11b25
commit 5b82f11b25
parent 5256f2e4a4
1 changed files with 39 additions and 0 deletions
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@ -20,6 +20,40 @@ table inet filter {
        2001:19f0:1000:c0d4:5400:05ff:fec1:7c21, # nyc.ns1.grapheneos.org
    }

+    define priority-besteffort = 0
+    define priority-bulk = 2
+    define priority-interactive-bulk = 4
+    define priority-interactive = 6
+
+    # based on CAKE diffserv4
+    map dscp-to-priority {
+        typeof ip dscp : meta priority
+        elements = {
+            cs1 : $priority-bulk,
+            lephb : $priority-bulk,
+            af11 : $priority-besteffort,
+            af12 : $priority-besteffort,
+            af13 : $priority-besteffort,
+            cs2 : $priority-interactive-bulk,
+            cs3 : $priority-interactive-bulk,
+            cs4 : $priority-interactive-bulk,
+            af21 : $priority-interactive-bulk,
+            af22 : $priority-interactive-bulk,
+            af23 : $priority-interactive-bulk,
+            af31 : $priority-interactive-bulk,
+            af32 : $priority-interactive-bulk,
+            af33 : $priority-interactive-bulk,
+            af41 : $priority-interactive-bulk,
+            af42 : $priority-interactive-bulk,
+            af43 : $priority-interactive-bulk,
+            cs5 : $priority-interactive,
+            cs6 : $priority-interactive,
+            cs7 : $priority-interactive,
+            ef : $priority-interactive,
+            va : $priority-interactive,
+        }
+    }
+
    set ip-connlimit-ssh {
        type ipv4_addr
        flags dynamic
@ -130,6 +164,11 @@ table inet filter {
        oif lo goto output-raw-loopback
        skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, dnsdist, geoipupdate, zerotier-one, bird } counter goto graceful-reject
        udp sport $udp-ports notrack accept
+
+        # translate DSCP to priority for fq bands
+        meta priority set ip dscp map @dscp-to-priority
+        meta priority set ip6 dscp map @dscp-to-priority
+
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }