nftables: replace magic numbers with constants

2025-11-28 10:30:25 -05:00 · 2025-09-15 16:48:51 -04:00 · 2025-09-15 16:48:51 -04:00 · 5f1b0c886d
commit 5f1b0c886d
parent 8bf64de00d
1 changed files with 29 additions and 24 deletions
--- a/etc/nftables/nftables-releases.conf
+++ b/etc/nftables/nftables-releases.conf
@ -13,32 +13,37 @@ table inet filter {
        2a14:3f87:6920:250::100, # 0.releases.grapheneos.org
    }

+    define priority-besteffort = 0
+    define priority-bulk = 2
+    define priority-interactive-bulk = 4
+    define priority-interactive = 6
+
    # based on CAKE diffserv4
    map dscp-to-priority {
        typeof ip dscp : meta priority
        elements = {
-            cs1 : 2,
-            lephb : 2,
-            af11 : 0,
-            af12 : 0,
-            af13 : 0,
-            cs2 : 4,
-            cs3 : 4,
-            cs4 : 4,
-            af21 : 4,
-            af22 : 4,
-            af23 : 4,
-            af31 : 4,
-            af32 : 4,
-            af33 : 4,
-            af41 : 4,
-            af42 : 4,
-            af43 : 4,
-            cs5 : 6,
-            cs6 : 6,
-            cs7 : 6,
-            ef : 6,
-            va : 6,
+            cs1 : $priority-bulk,
+            lephb : $priority-bulk,
+            af11 : $priority-besteffort,
+            af12 : $priority-besteffort,
+            af13 : $priority-besteffort,
+            cs2 : $priority-interactive-bulk,
+            cs3 : $priority-interactive-bulk,
+            cs4 : $priority-interactive-bulk,
+            af21 : $priority-interactive-bulk,
+            af22 : $priority-interactive-bulk,
+            af23 : $priority-interactive-bulk,
+            af31 : $priority-interactive-bulk,
+            af32 : $priority-interactive-bulk,
+            af33 : $priority-interactive-bulk,
+            af41 : $priority-interactive-bulk,
+            af42 : $priority-interactive-bulk,
+            af43 : $priority-interactive-bulk,
+            cs5 : $priority-interactive,
+            cs6 : $priority-interactive,
+            cs7 : $priority-interactive,
+            ef : $priority-interactive,
+            va : $priority-interactive,
        }
    }

@ -88,8 +93,8 @@ table inet filter {
        type filter hook input priority filter
        policy drop

-        ip dscp set 0
-        ip6 dscp set 0
+        ip dscp set cs0
+        ip6 dscp set cs0

        tcp dport { 22, 80, 443 } goto input-tcp-service
        ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }