nftables: use DSCP to assign packets to fq bands

2025-11-19 22:42:24 -05:00 · 2025-08-29 15:55:18 -04:00 · 2025-08-29 15:55:18 -04:00 · 97d650c7ed
commit 97d650c7ed
parent 676763b8a5
1 changed files with 34 additions and 0 deletions
--- a/etc/nftables/nftables-releases.conf
+++ b/etc/nftables/nftables-releases.conf
@ -13,6 +13,35 @@ table inet filter {
        2a14:3f87:6920:250::100, # 0.releases.grapheneos.org
    }

+    # based on CAKE diffserv4
+    map dscp-to-priority {
+        typeof ip dscp : meta priority
+        elements = {
+            cs1 : 2,
+            lephb : 2,
+            af11 : 0,
+            af12 : 0,
+            af13 : 0,
+            cs2 : 4,
+            cs3 : 4,
+            cs4 : 4,
+            af21 : 4,
+            af22 : 4,
+            af23 : 4,
+            af31 : 4,
+            af32 : 4,
+            af33 : 4,
+            af41 : 4,
+            af42 : 4,
+            af43 : 4,
+            cs5 : 6,
+            cs6 : 6,
+            cs7 : 6,
+            ef : 6,
+            va : 6,
+        }
+    }
+
    set ip-connlimit-ssh {
        type ipv4_addr
        flags dynamic
@ -117,6 +146,11 @@ table inet filter {

        oif lo goto output-raw-loopback
        skuid != { root, systemd-network, unbound, alpm, chrony, http } counter goto graceful-reject
+
+        # translate DSCP to priority for fq bands
+        meta priority set ip dscp map @dscp-to-priority
+        meta priority set ip6 dscp map @dscp-to-priority
+
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }