From 97d650c7ed1c332e591535d55d07e1a5d2ee4cbe Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 29 Aug 2025 15:55:18 -0400
Subject: [PATCH] nftables: use DSCP to assign packets to fq bands

---
 etc/nftables/nftables-releases.conf | 34 +++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/etc/nftables/nftables-releases.conf b/etc/nftables/nftables-releases.conf
index b1b3657..9fdcc90 100644
--- a/etc/nftables/nftables-releases.conf
+++ b/etc/nftables/nftables-releases.conf
@@ -13,6 +13,35 @@ table inet filter {
         2a14:3f87:6920:250::100, # 0.releases.grapheneos.org
     }
 
+    # based on CAKE diffserv4
+    map dscp-to-priority {
+        typeof ip dscp : meta priority
+        elements = {
+            cs1 : 2,
+            lephb : 2,
+            af11 : 0,
+            af12 : 0,
+            af13 : 0,
+            cs2 : 4,
+            cs3 : 4,
+            cs4 : 4,
+            af21 : 4,
+            af22 : 4,
+            af23 : 4,
+            af31 : 4,
+            af32 : 4,
+            af33 : 4,
+            af41 : 4,
+            af42 : 4,
+            af43 : 4,
+            cs5 : 6,
+            cs6 : 6,
+            cs7 : 6,
+            ef : 6,
+            va : 6,
+        }
+    }
+
     set ip-connlimit-ssh {
         type ipv4_addr
         flags dynamic
@@ -117,6 +146,11 @@ table inet filter {
         oif lo goto output-raw-loopback
         skuid != { root, systemd-network, unbound, alpm, chrony, http } counter goto graceful-reject
 
+
+        # translate DSCP to priority for fq bands
+        meta priority set ip dscp map @dscp-to-priority
+        meta priority set ip6 dscp map @dscp-to-priority
+
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
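Review bot: The map comment `# based on CAKE diffserv4` names the source of the four tiers but not what the chosen values actually do on this host, and the tiers do not survive intact: the map emits four distinct priorities (0, 2, 4, 6) while the fq qdisc it targets has only three bands, so under the default pfifo_fast-style priomap that fq appears to reuse, priority 0 (af1x) and 4 (cs2–cs4, af2x–af4x) presumably land in the same band and only cs1/lephb (bulk) and cs5+/ef/va (high) are separated — worth confirming against the kernel's fq band mapping. A short comment above `elements = {` stating the intended outcome would save the next reader the same derivation, e.g. `# 2 = bulk band, 0/4 = normal band, 6 = high band (fq has 3 bands, so diffserv4's two middle tins merge)`. The map is declared `typeof ip dscp` but is also used for `ip6 dscp` in the output chain, which works because both yield the same dscp datatype; a one-line comment noting this would make the dual use deliberate rather than accidental. Codepoints not listed (cs0/default and any undefined value) simply miss the lookup, so documenting that the default traffic keeps its existing priority would complete the picture.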
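Review bot: The comment `# translate DSCP to priority for fq bands` overstates what the two `meta priority set ... map @dscp-to-priority` rules do: a DSCP that is not a key in the map does not match the lookup, so the rule is skipped and the packet keeps whatever priority the sending socket already carried (presumably its SO_PRIORITY value), which is correct but undocumented. The placement is sound from a least-privilege view — the rules sit after the `skuid != { ... } counter goto graceful-reject` line, so only traffic from the listed service users can influence band selection, and that reasoning deserves to be stated since it is the reason DSCP can be trusted here at all. Suggest expanding the comment to `# translate DSCP to priority for fq bands; only packets from the allowed skuids reach here, and DSCP values outside the map keep the socket's own priority`. The enclosing chain begins and ends outside this hunk, so the chain type and hook that make these locally generated packets cannot be confirmed from the diff alone.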