Sweet! Does that work from 22.03.05 or later? On 22.03.05 I see:
root@OpenWrt-1:~# dnsmasq --version
Dnsmasq version 2.86 Copyright (c) 2000-2021 Simon Kelley
I'm still undecided about moving all the classification to the OpenWrt firewall. It's really hard to figure out how best to integrate this in the most harmonious and user-friendly way.
With future nftables we can do almost everything in nftables including even mirroring packets to the IFBs. In that situation it still seems to make sense to me to have cake-qos-simple generate/load its own separate .nft file using separate table that can be deleted.
I'm tempted just to expand the existing default .nft file and config:
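#######################################
# Write a default nft.rules file for cake-qos-simple under ${PREFIX}.
# Globals:   PREFIX (read) - target directory
#            ul_if, nft_rules_vars (read) - set by load_config and expanded
#            verbatim into the generated rules file
# Arguments: none
# Outputs:   progress messages on stdout; the rules file on disk
# Returns:   0 on success, 1 if PREFIX is empty, load_config fails, or any
#            file step (mkdir/cat/mv) fails
#######################################
gen_nft_rules()
{
  # An empty PREFIX would make every path below resolve to the filesystem
  # root, so refuse to continue instead of writing there.
  if [[ -z "${PREFIX:-}" ]]; then
    printf 'Error: PREFIX is not set.\n' >&2
    return 1
  fi
  load_config || return 1
  printf 'Generating new default nft.rules file for cake-qos-simple.\n'
  mkdir -p "${PREFIX}" || return 1
  # The heredoc delimiter is unquoted, so ${nft_rules_vars} and ${ul_if} are
  # expanded here at generation time; \$BULK_MACS and \$PROTO_DPORT_DSCP_MAP
  # are escaped so they stay nft variable references resolved by nft.
  # <<- strips leading tabs only, so the body is kept at column 0.
  # NOTE(review): store-dscp-in-conntrack writes into the low bits of the
  # ct mark; anything else on the box that uses ct mark would overlap with
  # it - confirm there is no such user before deploying.
  # The generated text itself is left byte-identical to the author's.
  cat > "${PREFIX}/nft.rules.tmp" <<-EOT || return 1
# cake-qos-simple nftables rules
# This nft script:
# 1) classifies DSCPs (to supplement or replace those set by LAN clients); and
# 2) stores DSCPs in conntracks for restoration using tc action ctinfo dscp 63 128
table inet cake-qos-simple
delete table inet cake-qos-simple
${nft_rules_vars}
table inet cake-qos-simple {
chain hook-postrouting {
type filter hook postrouting priority mangle + 1
# classify any new, untracked connections on WAN
oifname ${ul_if} ct state new,untracked goto classify-and-store-dscp
}
chain classify-and-store-dscp {
jump classify-dscp
jump store-dscp-in-conntrack
}
chain classify-dscp {
meta l4proto . th dport vmap @rules_proto_dport
# IoT devices (uncomment to use)
ether saddr \$BULK_MACS goto dscp_set_bulk
}
map rules_proto_dport {
type inet_proto . inet_service : verdict
elements = \$PROTO_DPORT_DSCP_MAP
}
# designate packet for cake tin: bulk
chain dscp_set_bulk {
ip dscp set cs1
ip6 dscp set cs1
}
# designate packet for cake tin: besteffort
chain dscp_set_besteffort {
ip dscp set cs0
ip6 dscp set cs0
}
# designate packet for cake tin: video
chain dscp_set_video {
ip dscp set cs2
ip6 dscp set cs2
}
# designate packet for cake tin: voice
chain dscp_set_voice {
ip dscp set cs4
ip6 dscp set cs4
}
chain store-dscp-in-conntrack {
meta nfproto ipv4 ct mark set (@nh,8,8 & 252) >> 2
meta nfproto ipv6 ct mark set (@nh,0,16 & 4032) >> 6
}
}
EOT
  # PREFIX is passed as a printf argument, never as part of the format
  # string, so a '%' in the path cannot be misread as a conversion.
  if [[ -f "${PREFIX}/nft.rules" ]]; then
    # Never clobber an existing (possibly hand-edited) rules file.
    printf 'Warning: nftables rules file %s/nft.rules already exists.\n' "${PREFIX}"
    printf "Saving new nftables rules file as: '%s/nft.rules.new'.\n" "${PREFIX}"
    mv "${PREFIX}/nft.rules.tmp" "${PREFIX}/nft.rules.new" || return 1
  else
    printf "Saving new nftables rules file as: '%s/nft.rules'.\n" "${PREFIX}"
    mv "${PREFIX}/nft.rules.tmp" "${PREFIX}/nft.rules" || return 1
  fi
}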
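#######################################
# Write a default config file for cake-qos-simple under ${PREFIX}.
# Globals:   PREFIX (read) - target directory
# Arguments: none
# Outputs:   progress messages on stdout; the config file on disk
# Returns:   0 on success, 1 if PREFIX is empty or any file step
#            (mkdir/cat/mv) fails
#######################################
gen_config()
{
  # An empty PREFIX would make every path below resolve to the filesystem
  # root, so refuse to continue instead of writing there.
  if [[ -z "${PREFIX:-}" ]]; then
    printf 'Error: PREFIX is not set.\n' >&2
    return 1
  fi
  printf 'Generating new default config for cake-qos-simple.\n'
  mkdir -p "${PREFIX}" || return 1
  # The heredoc delimiter is unquoted, so shell expansion is active inside
  # it. The '$ul_if' in the dl_if comment is meant to reach the config as
  # literal text and is therefore escaped; unescaped it was expanded at
  # generation time, where ul_if is not set by this function.
  # <<- strips leading tabs only, so the body is kept at column 0.
  # NOTE(review): the ECT(0)/ECT(1) wording in the overwrite_*_ect_* comments
  # below does not consistently match the variable names - confirm which is
  # intended against the code that consumes these values.
  cat > "${PREFIX}/config.tmp" <<-EOT || return 1
# cake-qos-simple configuration options
ul_if=wan # upload interface
dl_if="" # download interface override (normally left blank and IFB derived for \$ul_if ingress)
cake_ul_rate_Mbps=20 # cake upload rate in Mbit/s
cake_dl_rate_Mbps=20 # cake download rate in Mbit/s
cake_ul_options="diffserv4 triple-isolate nat wash ack-filter noatm overhead 0"
cake_dl_options="diffserv4 triple-isolate nat nowash ingress no-ack-filter noatm overhead 0"
overwrite_ul_ect_0_val=0 # overwrite upload ECT(1) values with decimal value (e.g. 0, 1, 2, 3), else "" to disable
overwrite_ul_ect_1_val=0 # overwrite upload ECT(0) values with decimal value (e.g. 0, 1, 2, 3), else "" to disable
overwrite_dl_ect_0_val=0 # overwrite download ECT(1) values with decimal value (e.g. 0, 1, 2, 3), else "" to disable
overwrite_dl_ect_1_val=0 # overwrite download ECT(1) values with decimal value (e.g. 0, 1, 2, 3), else "" to disable
# the following nftables variables will be used to generate a default nft.rules file
nft_rules_vars="# ### START OF CUSTOMISABLE NFT VARS SECTION (DO NOT DELETE THIS LINE) ###
# correspondence between protocol, destination port and DSCPs
# the format is:
# 'protocol' . 'destination port' . dscp_set_bulk OR dscp_set_besteffort OR dscp_set_video OR dscp_set_voice
define PROTO_DPORT_DSCP_MAP = {
tcp . 53 : goto dscp_set_voice, # DNS
udp . 53 : goto dscp_set_voice, # DNS
tcp . 853 : goto dscp_set_voice, # DNS-over-TLS
udp . 853 : goto dscp_set_voice, # DNS-over-TLS
udp . 123 : goto dscp_set_voice # NTP
}
# local MAC addresses to set to bulk (e.g. IoT devices)
# replace MAC address below with comma separated entries
define BULK_MACS = {
02:00:00:00:00:00
}
# ### END OF CUSTOMISABLE NFT VARS SECTION (DO NOT DELETE THIS LINE) ###"
EOT
  # PREFIX is passed as a printf argument, never as part of the format
  # string, so a '%' in the path cannot be misread as a conversion.
  if [[ -f "${PREFIX}/config" ]]; then
    # Never clobber an existing (possibly hand-edited) config.
    printf 'WARNING: config file %s/config already exists.\n' "${PREFIX}"
    printf "Saving new config file as: '%s/config.new'.\n" "${PREFIX}"
    mv "${PREFIX}/config.tmp" "${PREFIX}/config.new" || return 1
  else
    printf "Saving new config file as: '%s/config'.\n" "${PREFIX}"
    mv "${PREFIX}/config.tmp" "${PREFIX}/config" || return 1
  fi
}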
to try to incorporate destination IP address handling.