Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-11-23 00:10:25 -05:00
Code Issues Projects Releases Packages Wiki Activity

nftables: use DSCP to assign packets to fq bands

Browse source
This commit is contained in:
Daniel Micay 2025-08-29 15:55:18 -04:00
parent 676763b8a5
commit 97d650c7ed
1 changed files with 34 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

34
etc/nftables/nftables-releases.conf
View file

@ -13,6 +13,35 @@ table inet filter {
2a14:3f87:6920:250::100, # 0.releases.grapheneos.org 2a14:3f87:6920:250::100, # 0.releases.grapheneos.org
} }
# based on CAKE diffserv4
map dscp-to-priority {
typeof ip dscp : meta priority
elements = {
cs1 : 2,
lephb : 2,
af11 : 0,
af12 : 0,
af13 : 0,
cs2 : 4,
cs3 : 4,
cs4 : 4,
af21 : 4,
af22 : 4,
af23 : 4,
af31 : 4,
af32 : 4,
af33 : 4,
af41 : 4,
af42 : 4,
af43 : 4,
cs5 : 6,
cs6 : 6,
cs7 : 6,
ef : 6,
va : 6,
}
}
set ip-connlimit-ssh { set ip-connlimit-ssh {
type ipv4_addr type ipv4_addr
flags dynamic flags dynamic
@ -117,6 +146,11 @@ table inet filter {
oif lo goto output-raw-loopback oif lo goto output-raw-loopback
skuid != { root, systemd-network, unbound, alpm, chrony, http } counter goto graceful-reject skuid != { root, systemd-network, unbound, alpm, chrony, http } counter goto graceful-reject
# translate DSCP to priority for fq bands
meta priority set ip dscp map @dscp-to-priority
meta priority set ip6 dscp map @dscp-to-priority
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }