diff --git a/etc/nftables/nftables-releases.conf b/etc/nftables/nftables-releases.conf
index 9fdcc90..1b19725 100644
--- a/etc/nftables/nftables-releases.conf
+++ b/etc/nftables/nftables-releases.conf
@@ -13,32 +13,37 @@ table inet filter {
 2a14:3f87:6920:250::100, # 0.releases.grapheneos.org
 }
+ define priority-besteffort = 0
+ define priority-bulk = 2
+ define priority-interactive-bulk = 4
+ define priority-interactive = 6
+
 # based on CAKE diffserv4
 map dscp-to-priority {
 typeof ip dscp : meta priority
 elements = {
- cs1 : 2,
- lephb : 2,
- af11 : 0,
- af12 : 0,
- af13 : 0,
- cs2 : 4,
- cs3 : 4,
- cs4 : 4,
- af21 : 4,
- af22 : 4,
- af23 : 4,
- af31 : 4,
- af32 : 4,
- af33 : 4,
- af41 : 4,
- af42 : 4,
- af43 : 4,
- cs5 : 6,
- cs6 : 6,
- cs7 : 6,
- ef : 6,
- va : 6,
+ cs1 : $priority-bulk,
+ lephb : $priority-bulk,
+ af11 : $priority-besteffort,
+ af12 : $priority-besteffort,
+ af13 : $priority-besteffort,
+ cs2 : $priority-interactive-bulk,
+ cs3 : $priority-interactive-bulk,
+ cs4 : $priority-interactive-bulk,
+ af21 : $priority-interactive-bulk,
+ af22 : $priority-interactive-bulk,
+ af23 : $priority-interactive-bulk,
+ af31 : $priority-interactive-bulk,
+ af32 : $priority-interactive-bulk,
+ af33 : $priority-interactive-bulk,
+ af41 : $priority-interactive-bulk,
+ af42 : $priority-interactive-bulk,
+ af43 : $priority-interactive-bulk,
+ cs5 : $priority-interactive,
+ cs6 : $priority-interactive,
+ cs7 : $priority-interactive,
+ ef : $priority-interactive,
+ va : $priority-interactive,
 }
 }
@@ -88,8 +93,8 @@ table inet filter {
 type filter hook input priority filter
 policy drop
- ip dscp set 0
- ip6 dscp set 0
+ ip dscp set cs0
+ ip6 dscp set cs0
 tcp dport { 22, 80, 443 } goto input-tcp-service
 ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
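Review bot: The four new `define` lines sit above the `# based on CAKE diffserv4` comment with nothing saying what consumes the numbers, so a reader cannot tell whether 0/2/4/6 are arbitrary or must match a qdisc configuration elsewhere. A one-line comment above them would close that gap, e.g. `# meta priority values, one per diffserv4 tin; keep in sync with the qdisc setup`; the qdisc side is not visible here, so the wording needs confirming. If sibling nftables-*.conf files carry the same map, the same defines with identical values belong there too, so the hosts do not drift apart. The enclosing table starts and ends outside the hunk.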
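Review bot: The two `dscp set cs0` rules at the top of the input chain have no comment saying why inbound DSCP is cleared, which matters to anyone who later reorders or edits this chain. If the intent is that remote hosts must not be able to pick their own traffic class through DSCP bits they control, say so above the rules, e.g. `# reset untrusted DSCP from remote hosts before any classification`. That intent is inferred, since whatever consumes the field is outside this hunk. The chain itself also continues past the hunk.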