mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2025-11-25 17:16:17 -05:00
nftables: ns1: add fq priority configuration
parent
5256f2e4a4
commit
5b82f11b25
1 changed files with 39 additions and 0 deletions
|
|
@ -20,6 +20,40 @@ table inet filter {
|
||||||
2001:19f0:1000:c0d4:5400:05ff:fec1:7c21, # nyc.ns1.grapheneos.org
|
2001:19f0:1000:c0d4:5400:05ff:fec1:7c21, # nyc.ns1.grapheneos.org
|
||||||
}
|
}
|
||||||
|
|
||||||
|
define priority-besteffort = 0
|
||||||
|
define priority-bulk = 2
|
||||||
|
define priority-interactive-bulk = 4
|
||||||
|
define priority-interactive = 6
|
||||||
|
|
||||||
|
# based on CAKE diffserv4
|
||||||
|
map dscp-to-priority {
|
||||||
|
typeof ip dscp : meta priority
|
||||||
|
elements = {
|
||||||
|
cs1 : $priority-bulk,
|
||||||
|
lephb : $priority-bulk,
|
||||||
|
af11 : $priority-besteffort,
|
||||||
|
af12 : $priority-besteffort,
|
||||||
|
af13 : $priority-besteffort,
|
||||||
|
cs2 : $priority-interactive-bulk,
|
||||||
|
cs3 : $priority-interactive-bulk,
|
||||||
|
cs4 : $priority-interactive-bulk,
|
||||||
|
af21 : $priority-interactive-bulk,
|
||||||
|
af22 : $priority-interactive-bulk,
|
||||||
|
af23 : $priority-interactive-bulk,
|
||||||
|
af31 : $priority-interactive-bulk,
|
||||||
|
af32 : $priority-interactive-bulk,
|
||||||
|
af33 : $priority-interactive-bulk,
|
||||||
|
af41 : $priority-interactive-bulk,
|
||||||
|
af42 : $priority-interactive-bulk,
|
||||||
|
af43 : $priority-interactive-bulk,
|
||||||
|
cs5 : $priority-interactive,
|
||||||
|
cs6 : $priority-interactive,
|
||||||
|
cs7 : $priority-interactive,
|
||||||
|
ef : $priority-interactive,
|
||||||
|
va : $priority-interactive,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
set ip-connlimit-ssh {
|
set ip-connlimit-ssh {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags dynamic
|
flags dynamic
|
||||||
|
|
@ -130,6 +164,11 @@ table inet filter {
|
||||||
oif lo goto output-raw-loopback
|
oif lo goto output-raw-loopback
|
||||||
skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, dnsdist, geoipupdate, zerotier-one, bird } counter goto graceful-reject
|
skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, dnsdist, geoipupdate, zerotier-one, bird } counter goto graceful-reject
|
||||||
udp sport $udp-ports notrack accept
|
udp sport $udp-ports notrack accept
|
||||||
|
|
||||||
|
# translate DSCP to priority for fq bands
|
||||||
|
meta priority set ip dscp map @dscp-to-priority
|
||||||
|
meta priority set ip6 dscp map @dscp-to-priority
|
||||||
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
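Review bot: The two `meta priority set … map @dscp-to-priority` rules sit after `udp sport $udp-ports notrack accept`, and `accept` ends evaluation of the chain, so UDP packets sent from `$udp-ports` never reach the DSCP translation and keep whatever priority the socket set. On a nameserver that is likely a large share of egress traffic; if the exemption is deliberate, say so in the comment, e.g. `# UDP replies from $udp-ports are accepted above and keep their socket priority`, otherwise move the two rules above the `udp sport` line. Separately, the map is labelled `# based on CAKE diffserv4` but places `cs4` in `$priority-interactive-bulk`, whereas CAKE's diffserv4 table, as far as I recall, groups CS4 with the Voice tin alongside CS5/CS6/CS7/EF/VA; a one-line comment on the intended deviation would help. The chain these rules belong to starts outside the hunk, and the fq priomap that turns 0/2/4/6 into bands is not visible here, so a comment tying the four `define` values to that qdisc configuration would make the dependency explicit.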