diff --git a/etc/nftables/nftables-ns1.conf b/etc/nftables/nftables-ns1.conf
index 5660165..f8fd0af 100644
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@@ -20,6 +20,40 @@ table inet filter {
 2001:19f0:1000:c0d4:5400:05ff:fec1:7c21, # nyc.ns1.grapheneos.org
 }
 }
+ define priority-besteffort = 0
+ define priority-bulk = 2
+ define priority-interactive-bulk = 4
+ define priority-interactive = 6
+
+ # based on CAKE diffserv4
+ map dscp-to-priority {
+ typeof ip dscp : meta priority
+ elements = {
+ cs1 : $priority-bulk,
+ lephb : $priority-bulk,
+ af11 : $priority-besteffort,
+ af12 : $priority-besteffort,
+ af13 : $priority-besteffort,
+ cs2 : $priority-interactive-bulk,
+ cs3 : $priority-interactive-bulk,
+ cs4 : $priority-interactive-bulk,
+ af21 : $priority-interactive-bulk,
+ af22 : $priority-interactive-bulk,
+ af23 : $priority-interactive-bulk,
+ af31 : $priority-interactive-bulk,
+ af32 : $priority-interactive-bulk,
+ af33 : $priority-interactive-bulk,
+ af41 : $priority-interactive-bulk,
+ af42 : $priority-interactive-bulk,
+ af43 : $priority-interactive-bulk,
+ cs5 : $priority-interactive,
+ cs6 : $priority-interactive,
+ cs7 : $priority-interactive,
+ ef : $priority-interactive,
+ va : $priority-interactive,
+ }
+ }
+
 set ip-connlimit-ssh {
 type ipv4_addr
 flags dynamic
@@ -130,6 +164,11 @@ table inet filter {
 oif lo goto output-raw-loopback
 skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, dnsdist, geoipupdate, zerotier-one, bird } counter goto graceful-reject
 udp sport $udp-ports notrack accept
+
+ # translate DSCP to priority for fq bands
+ meta priority set ip dscp map @dscp-to-priority
+ meta priority set ip6 dscp map @dscp-to-priority
+
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
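Review bot: The four `define priority-*` values are bare integers with nothing saying where 0/2/4/6 come from, so a later editor cannot tell whether they are arbitrary or must match something in the kernel; they appear to correspond to the Linux `TC_PRIO_BESTEFFORT`, `TC_PRIO_BULK`, `TC_PRIO_INTERACTIVE_BULK` and `TC_PRIO_INTERACTIVE` constants, and a comment above the first define such as `# values match the kernel TC_PRIO_* constants (skb->priority) that fq uses to pick a band; do not renumber` would pin that down. It would also help to note, on the `typeof ip dscp : meta priority` line, that the map is keyed on the generic dscp type and is therefore looked up with both `ip dscp` and `ip6 dscp` later in the file, since the `ip` in the declaration otherwise reads as IPv4-only. The "based on CAKE diffserv4" comment could name the tin each priority stands in for (bulk, best effort, video, voice) so the grouping of the element list is checkable against that scheme.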
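Review bot: The two new `meta priority set ... map @dscp-to-priority` rules sit after `udp sport $udp-ports notrack accept`, so any locally generated packet that rule accepts (presumably the DNS answers this nameserver exists to send) terminates before reaching them and keeps its default skb priority; only traffic that falls through, such as the ICMP accepted on the following line, is classified. If the intent is to map DSCP on the server's own answers too, the two `meta priority set` lines should be moved above the `udp sport` accept; if the intent is to classify only the remaining traffic, a comment saying so (`# UDP service traffic is accepted above and is deliberately not reclassified`) would stop the next reader from "fixing" it. Packets whose DSCP has no map entry (cs0 and any unlisted codepoint) simply do not match and keep their existing priority, which is worth stating in the comment as the best-effort default. The enclosing chain starts and ends outside the hunk.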