But judging from the PR there is no inversion, DL still handles ingress/internet download traffic and UL still handles internet uploads/egress pretty much like the default version. As I said, I need more guidance to what this PR is intending to achieve before I can comment.
I'll try and explain.
The default script:
cake_ul_options="diffserv4 triple-isolate nat wash ack-filter noatm overhead 0"
cake_dl_options="diffserv4 triple-isolate nat nowash ingress no-ack-filter noatm overhead 0"
cake_ul_rate_Mbps=17 <-- this is my download
cake_dl_rate_Mbps=65 <-- does not work!
When I apply:
cake_ul_options="diffserv4 dual-srchost nonat wash ack-filter split-gso rtt 100ms pppoe-ptm ether-vlan noatm"
cake_dl_options="diffserv4 dual-dsthost nonat nowash ingress no-ack-filter split-gso rtt 100ms noatm overhead 34"
and then
cake_ul_rate_Mbps=17
cake_dl_rate_Mbps=65
Everything works fine.
Not sure if this is an issue with my Fritzbox 7530 or just the ipq40xx target; the Fritzbox 4040 is also ipq40xx but sadly has no DSL support on that model, so I can't check.
Here is the thing, you did not change the interface definition, nor the rates, so I am still puzzled what went on.
I would appreciate if we could try to go through this step by step to pin point exactly which of your changes made the observed difference.
So I would like to ask you to revert cake_ul_options and cake_dl_options back to @Lynx's defaults of:
cake_ul_options="diffserv4 triple-isolate nat wash ack-filter noatm overhead 0"
cake_dl_options="diffserv4 triple-isolate nat nowash ingress no-ack-filter noatm overhead 0"
and then:
1) post the output of
tc -s qdisc
before the capacity test in 2)
2) post a screenshot of the results of https://speed.cloudflare.com
3) post the output of
tc -s qdisc
after the capacity test in 2)
Once we have that we can look for the next steps. And no the defaults are not perfect for your link, but that is orthogonal to the question what went wrong in your case.
Thanks in advance...
Hello @Lynx @moeller0, where in the nft.rules file should I put these rules correctly? If you could show me how nft.rules would look when edited correctly, I would appreciate it.
config rule
	option name 'Consoles ps5'
	option proto 'udp'
	list src_ip '192.168.1.50'
	list dest_port '!80'
	list dest_port '!443'
	option class 'cs4'
	option family 'ipv4'
	option counter '1'

config rule
	option name 'Discord Voice'
	option proto 'udp'
	option dest_port '50000-65535'
	option class 'ef'

config rule
	option name 'Fifa'
	option proto 'udp'
	option dest_port '30000-65535'
	option src_port '3074'
	option src_ip '192.168.1.50'
	option class 'cs4'
	option counter '1'
By the way, I am using version 23.05.0 of OpenWrt.
Classifying with such firewall rules using the LuCi firewall interface (which will generate such corresponding firewall config entries) is just fine. Yes you could have them all in the one place in your cake-qos-simple nftables file, but the net effect won’t be any different. So I’d just leverage the simplicity of the LuCi firewall interface here.
/root/cake-qos-simple/nft.rules:23:8-11: Error: syntax error, unexpected rule, expecting string or last
config rule
^^^^
/root/cake-qos-simple/nft.rules:24:21-21: Error: syntax error, unexpected junk
option name 'Consoles ps5'
^
/root/cake-qos-simple/nft.rules:25:22-22: Error: syntax error, unexpected junk
option proto 'udp'
^
/root/cake-qos-simple/nft.rules:26:14-19: Error: syntax error, unexpected string
list src_ip '192.168.1.50
^^^^^^
/root/cake-qos-simple/nft.rules:27:7-15: Error: syntax error, unexpected string
list dest_port '!80'
^^^^^^^^^
/root/cake-qos-simple/nft.rules:28:7-15: Error: syntax error, unexpected string
list dest_port '!443'
^^^^^^^^^
/root/cake-qos-simple/nft.rules:29:15-15: Error: syntax error, unexpected junk
option class 'cs4'
^
/root/cake-qos-simple/nft.rules:30:23-23: Error: syntax error, unexpected junk
option family 'ipv4'
^
/root/cake-qos-simple/nft.rules:31:9-15: Error: syntax error, unexpected counter, expecting string or last
option counter '1'
^^^^^^^
Validity check of nft.rules file failed.
root@OpenWrt:~#
When adding these rules I get an error. By the way, I'm just a beginner and this is just me trying to find a script for my games.
If you knew how to translate them correctly into your script I would appreciate it.
Where did you get these? Looks like you’ve tried to add some firewall config lines to an nft file.
I would just add the corresponding entries in the LuCi firewall. Or I can translate all the lines for £2500 if you are interested.
Sorry for the delay.
I went back to release 23.05.2 today and it seems everything is ok, as I was using snapshots which are on the 6.1.x kernel, whereas 23.05.2 is on 5.15.x.
Before the Cloudflare speed test:
root@DSL:~# tc -s qdisc
root@DSL:~/cake-qos-simple# tc -s qdisc
qdisc noqueue 0: dev lo root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc mq 0: dev eth0 root
Sent 10325650658 bytes 66686090 pkt (dropped 55, overlimits 0 requeues 1216)
backlog 0b 0p requeues 1216
qdisc fq_codel 0: dev eth0 parent :4 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 4Mb ecn drop_batch 64
Sent 20707618408 bytes 14256920 pkt (dropped 28, overlimits 0 requeues 205)
backlog 0b 0p requeues 205
maxpacket 1514 drop_overlimit 0 new_flow_count 283 ecn_mark 0
new_flows_len 0 old_flows_len 0
qdisc fq_codel 0: dev eth0 parent :3 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 4Mb ecn drop_batch 64
Sent 22865272919 bytes 16366573 pkt (dropped 5, overlimits 0 requeues 417)
backlog 0b 0p requeues 417
maxpacket 7570 drop_overlimit 0 new_flow_count 198 ecn_mark 0
new_flows_len 0 old_flows_len 0
qdisc fq_codel 0: dev eth0 parent :2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 4Mb ecn drop_batch 64
Sent 27657751540 bytes 18981850 pkt (dropped 20, overlimits 0 requeues 292)
backlog 0b 0p requeues 292
maxpacket 1506 drop_overlimit 0 new_flow_count 358 ecn_mark 0
new_flows_len 0 old_flows_len 0
qdisc fq_codel 0: dev eth0 parent :1 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 4Mb ecn drop_batch 64
Sent 24994353711 bytes 17080747 pkt (dropped 2, overlimits 0 requeues 302)
backlog 0b 0p requeues 302
maxpacket 1514 drop_overlimit 0 new_flow_count 114 ecn_mark 0
new_flows_len 0 old_flows_len 0
qdisc noqueue 0: dev lan1 root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc noqueue 0: dev lan2 root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc noqueue 0: dev lan3 root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc noqueue 0: dev lan4 root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc noqueue 0: dev br-lan root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc noqueue 0: dev phy0-ap0 root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc noqueue 0: dev phy1-ap0 root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc fq_codel 0: dev dsl0 root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 4Mb ecn drop_batch 64
Sent 4592823637 bytes 53946085 pkt (dropped 37, overlimits 0 requeues 142071)
backlog 0b 0p requeues 142071
maxpacket 1514 drop_overlimit 0 new_flow_count 25286 ecn_mark 0
new_flows_len 0 old_flows_len 0
qdisc noqueue 0: dev dsl0.101 root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc cake 1: dev pppoe-wan root refcnt 2 bandwidth 17Mbit diffserv4 triple-isolate nat wash ack-filter split-gso rtt 100ms noatm overhead 0
Sent 74893 bytes 1281 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
memory used: 2624b of 4Mb
capacity estimate: 17Mbit
min/max network layer size: 29 / 1228
min/max overhead-adjusted size: 29 / 1228
average network hdr offset: 0
                     Bulk  Best Effort        Video        Voice
  thresh         1062Kbit       17Mbit     8500Kbit     4250Kbit
  target           17.1ms          5ms          5ms          5ms
  interval          112ms        100ms        100ms        100ms
  pk_delay           27us          0us          0us         15us
  av_delay           15us          0us          0us          0us
  sp_delay           11us          0us          0us          0us
  backlog              0b           0b           0b           0b
  pkts               1279            0            0            2
  bytes             74835            0            0           58
  way_inds              0            0            0            0
  way_miss              4            0            0            2
  way_cols              0            0            0            0
  drops                 0            0            0            0
  marks                 0            0            0            0
  ack_drop              0            0            0            0
  sp_flows              0            0            0            1
  bk_flows              1            0            0            0
  un_flows              0            0            0            0
  max_len            1228            0            0           29
  quantum             300          518          300          300
qdisc ingress ffff: dev pppoe-wan parent ffff:fff1 ----------------
Sent 5934551 bytes 3990 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc cake 1: dev ifb-pppoe-wan root refcnt 2 bandwidth 60Mbit diffserv4 triple-isolate nat nowash ingress no-ack-filter split-gso rtt 100ms noatm overhead 0
Sent 5931567 bytes 3988 pkt (dropped 2, overlimits 6029 requeues 0)
backlog 0b 0p requeues 0
memory used: 166Kb of 4Mb
capacity estimate: 60Mbit
min/max network layer size: 52 / 1492
min/max overhead-adjusted size: 52 / 1492
average network hdr offset: 0
                     Bulk  Best Effort        Video        Voice
  thresh         3750Kbit       60Mbit       30Mbit       15Mbit
  target              5ms          5ms          5ms          5ms
  interval          100ms        100ms        100ms        100ms
  pk_delay         7.57ms          0us          0us          0us
  av_delay         5.99ms          0us          0us          0us
  sp_delay         1.56ms          0us          0us          0us
  backlog              0b           0b           0b           0b
  pkts               3990            0            0            0
  bytes           5934551            0            0            0
  way_inds              0            0            0            0
  way_miss              4            0            0            0
  way_cols              0            0            0            0
  drops                 2            0            0            0
  marks                 0            0            0            0
  ack_drop              0            0            0            0
  sp_flows              0            0            0            0
  bk_flows              2            0            0            0
  un_flows              0            0            0            0
  max_len            1492            0            0            0
  quantum             300         1514          915          457
After doing a Cloudflare speed test:
root@DSL:~/cake-qos-simple# tc -s qdisc
qdisc noqueue 0: dev lo root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc mq 0: dev eth0 root
Sent 10411108207 bytes 66764914 pkt (dropped 55, overlimits 0 requeues 1216)
backlog 0b 0p requeues 1216
qdisc fq_codel 0: dev eth0 parent :4 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 4Mb ecn drop_batch 64
Sent 20717388310 bytes 14265616 pkt (dropped 28, overlimits 0 requeues 205)
backlog 0b 0p requeues 205
maxpacket 1514 drop_overlimit 0 new_flow_count 283 ecn_mark 0
new_flows_len 0 old_flows_len 0
qdisc fq_codel 0: dev eth0 parent :3 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 4Mb ecn drop_batch 64
Sent 22866069527 bytes 16368997 pkt (dropped 5, overlimits 0 requeues 417)
backlog 0b 0p requeues 417
maxpacket 7570 drop_overlimit 0 new_flow_count 198 ecn_mark 0
new_flows_len 0 old_flows_len 0
qdisc fq_codel 0: dev eth0 parent :2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 4Mb ecn drop_batch 64
Sent 27659626493 bytes 18983809 pkt (dropped 20, overlimits 0 requeues 292)
backlog 0b 0p requeues 292
maxpacket 1506 drop_overlimit 0 new_flow_count 358 ecn_mark 0
new_flows_len 0 old_flows_len 0
qdisc fq_codel 0: dev eth0 parent :1 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 4Mb ecn drop_batch 64
Sent 25067369797 bytes 17146492 pkt (dropped 2, overlimits 0 requeues 302)
backlog 0b 0p requeues 302
maxpacket 1514 drop_overlimit 0 new_flow_count 114 ecn_mark 0
new_flows_len 0 old_flows_len 0
qdisc noqueue 0: dev lan1 root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc noqueue 0: dev lan2 root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc noqueue 0: dev lan3 root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc noqueue 0: dev lan4 root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc noqueue 0: dev br-lan root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc noqueue 0: dev phy0-ap0 root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc noqueue 0: dev phy1-ap0 root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc fq_codel 0: dev dsl0 root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 4Mb ecn drop_batch 64
Sent 4649395419 bytes 54065938 pkt (dropped 37, overlimits 0 requeues 142129)
backlog 0b 0p requeues 142129
maxpacket 1514 drop_overlimit 0 new_flow_count 25305 ecn_mark 0
new_flows_len 0 old_flows_len 0
qdisc noqueue 0: dev dsl0.101 root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc cake 1: dev pppoe-wan root refcnt 2 bandwidth 17Mbit diffserv4 triple-isolate nat wash ack-filter split-gso rtt 100ms noatm overhead 0
Sent 52772158 bytes 101027 pkt (dropped 641, overlimits 57438 requeues 0)
backlog 0b 0p requeues 0
memory used: 362240b of 4Mb
capacity estimate: 17Mbit
min/max network layer size: 29 / 1492
min/max overhead-adjusted size: 29 / 1492
average network hdr offset: 0
                     Bulk  Best Effort        Video        Voice
  thresh         1062Kbit       17Mbit     8500Kbit     4250Kbit
  target           17.1ms          5ms          5ms          5ms
  interval          112ms        100ms        100ms        100ms
  pk_delay           34us         16us          0us        365us
  av_delay           15us          0us          0us         19us
  sp_delay           10us          0us          0us         17us
  backlog              0b           0b           0b           0b
  pkts             101567            4            0           97
  bytes          52828970          298            0         6794
  way_inds           3395            0            0            0
  way_miss            147            2            0           78
  way_cols              0            0            0            0
  drops                22            0            0            0
  marks                 0            0            0            0
  ack_drop            619            0            0            0
  sp_flows              1            0            0            0
  bk_flows              1            0            0            0
  un_flows              0            0            0            0
  max_len           56160          109            0          247
  quantum             300          518          300          300
qdisc ingress ffff: dev pppoe-wan parent ffff:fff1 ----------------
Sent 262609661 bytes 198926 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc cake 1: dev ifb-pppoe-wan root refcnt 2 bandwidth 60Mbit diffserv4 triple-isolate nat nowash ingress no-ack-filter split-gso rtt 100ms noatm overhead 0
Sent 262551705 bytes 198887 pkt (dropped 39, overlimits 288214 requeues 0)
backlog 0b 0p requeues 0
memory used: 270Kb of 4Mb
capacity estimate: 60Mbit
min/max network layer size: 36 / 1492
min/max overhead-adjusted size: 36 / 1492
average network hdr offset: 0
                     Bulk  Best Effort        Video        Voice
  thresh         3750Kbit       60Mbit       30Mbit       15Mbit
  target              5ms          5ms          5ms          5ms
  interval          100ms        100ms        100ms        100ms
  pk_delay         18.9ms         25us         14us        219us
  av_delay         16.6ms          2us          0us         11us
  sp_delay         14.1ms          2us          0us         11us
  backlog              0b           0b           0b           0b
  pkts             198815           30            3           78
  bytes         262597680         1358          132        10491
  way_inds          12029            0            0            0
  way_miss            126           18            3           78
  way_cols              0            0            0            0
  drops                39            0            0            0
  marks                 0            0            0            0
  ack_drop              0            0            0            0
  sp_flows              0            0            1            1
  bk_flows              1            0            0            0
  un_flows              0            0            0            0
  max_len            1492          109           44          351
  quantum             300         1514          915          457
This is all the default settings from cake-qos-simple; however, there is something that is confusing me as I'm having a little play around.
When I change to dual-srchost/dual-dsthost, the cake packets are not in the correct order. From my understanding, my VMware machine and Fedora's download mirror should be under "Best Effort" and anything else should drop to the bulk class. I'll try and explain....
When I start a download on my VMware machine, it goes to bulk? This should be in best effort.
chain classify-dscp {
	meta l4proto . th dport vmap @rules_proto_dport
	# IoT devices (uncomment to use)
	ip saddr 192.168.1.253 counter goto dscp_set_besteffort # vmware test machine
	ip daddr 185.xx.xx.xx counter goto dscp_set_besteffort # Fedora download mirror
	counter goto dscp_set_bulk # drop all other traffic to bulk
}
Sent 256182032 bytes 173042 pkt (dropped 7, overlimits 256486 requeues 0)
backlog 0b 0p requeues 0
memory used: 220Kb of 4Mb
capacity estimate: 60Mbit
min/max network layer size: 36 / 1492
min/max overhead-adjusted size: 70 / 1526
average network hdr offset: 0
                     Bulk  Best Effort        Video        Voice
  thresh         3750Kbit       60Mbit       30Mbit       15Mbit
  target              5ms          5ms          5ms          5ms
  interval          100ms        100ms        100ms        100ms
  pk_delay         12.1ms        419us         18us        214us
  av_delay         10.8ms         24us          0us          4us
  sp_delay         6.77ms         23us          0us          4us
  backlog              0b           0b           0b           0b
  pkts             172946           73            4           26
  bytes         256184338         4216          192         3730
  way_inds              0            0            0            0
  way_miss             58           45            4           24
  way_cols              0            0            0            0
  drops                 7            0            0            0
  marks                 0            0            0            0
  ack_drop              0            0            0            0
  sp_flows              1            1            0            0
  bk_flows              1            0            0            0
  un_flows              0            0            0            0
  max_len            1492          179           60          321
  quantum             300         1514          915          457
Now if I use triple-isolate and then start a download on my VMware machine, it goes to best effort, where it should be, when using triple-isolate.
                     Bulk  Best Effort        Video        Voice
  thresh         3750Kbit       60Mbit       30Mbit       15Mbit
  target              5ms          5ms          5ms          5ms
  interval          100ms        100ms        100ms        100ms
  pk_delay         2.63ms       8.14ms          6us        115us
  av_delay         2.39ms       6.96ms          0us          4us
  sp_delay          276us        142us          0us          4us
  backlog              0b           0b           0b           0b
  pkts               6028        71923            1           36
  bytes           8265723    106987381           44         5316
  way_inds              0            0            0            0
  way_miss             79           19            1           34
  way_cols              0            0            0            0
  drops                 2          157            0            0
  marks                 0            0            0            0
  ack_drop              0            0            0            0
  sp_flows              0            1            0            3
  bk_flows              1            0            0            0
  un_flows              0            0            0            0
  max_len            1492         1492           44          254
  quantum             300         1514          915          457
EDIT: the dual-srchost/dual-dsthost behaviour is also seen over LAN. I downloaded a game from my son's Xbox to mine and found that it affects the LAN as well as the PPPoE (WAN) interface.
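Both moeller0's before/after "tc -s qdisc" comparison and the question of which cake tin a download actually lands in come down to reading the per-tin counters. The script below is an added example, not part of cake-qos-simple or the thread: it parses the cake sections of "tc -s qdisc" output, diffs two snapshots per tin, and names the tin that absorbed the test traffic. The two embedded snapshots are constructed (shortened from the output posted above) and the interface name ifb-pppoe-wan is taken from that output.

```python
"""Parse cake sections of `tc -s qdisc` and compare two snapshots per tin.
Added example; BEFORE/AFTER below are constructed, shortened snapshots."""
import re

HEADER = re.compile(r"^qdisc cake \S+ dev (\S+) (.*)$")
TIN_NAME = re.compile(r"Best Effort|Tin \d|Bulk|Video|Voice")  # diffserv3/4/8 tin labels
COUNTERS = ("pkts", "bytes", "drops", "marks", "ack_drop", "sp_flows", "bk_flows")

def parse_cake(output):
    """Return {dev: {"bandwidth", "opts", "tins", "counters"}} for each cake qdisc."""
    qdiscs, cur = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("qdisc "):           # every qdisc section starts here
            m = HEADER.match(line)
            cur = None                          # non-cake qdiscs (mq, fq_codel, ingress) are skipped
            if m:
                bw = re.search(r"bandwidth (\S+)", m.group(2))
                cur = qdiscs[m.group(1)] = {
                    "bandwidth": bw.group(1) if bw else "unlimited",
                    "opts": m.group(2), "tins": [], "counters": {}}
            continue
        if cur is None or not line:
            continue
        if not cur["tins"] and line[0].isupper() and TIN_NAME.search(line):
            cur["tins"] = TIN_NAME.findall(line)  # header row, e.g. "Bulk Best Effort Video Voice"
            continue
        parts = line.split()
        if parts[0] in COUNTERS and len(parts) == len(cur["tins"]) + 1:
            cur["counters"][parts[0]] = [int(v) for v in parts[1:]]
    return qdiscs

def tin_delta(before, after, dev, counter="bytes"):
    """Per-tin growth of one cumulative counter between the two snapshots."""
    b, a = before[dev], after[dev]
    if b["tins"] != a["tins"]:
        raise ValueError("tin layout changed between snapshots (diffserv mode changed?)")
    return {t: y - x for t, x, y in
            zip(a["tins"], b["counters"][counter], a["counters"][counter])}

def dominant_tin(before, after, dev):
    """Tin that absorbed most of the bytes transferred during the test."""
    d = tin_delta(before, after, dev)
    return max(d, key=d.get)

BEFORE = """\
qdisc cake 1: dev ifb-pppoe-wan root refcnt 2 bandwidth 60Mbit diffserv4 triple-isolate nat nowash ingress no-ack-filter split-gso rtt 100ms noatm overhead 0
 Sent 5931567 bytes 3988 pkt (dropped 2, overlimits 6029 requeues 0)
                   Bulk  Best Effort        Video        Voice
  thresh       3750Kbit       60Mbit       30Mbit       15Mbit
  pkts             3990            0            0            0
  bytes         5934551            0            0            0
  drops               2            0            0            0
"""
AFTER = """\
qdisc cake 1: dev ifb-pppoe-wan root refcnt 2 bandwidth 60Mbit diffserv4 triple-isolate nat nowash ingress no-ack-filter split-gso rtt 100ms noatm overhead 0
                   Bulk  Best Effort        Video        Voice
  thresh       3750Kbit       60Mbit       30Mbit       15Mbit
  pkts           198815           30            3           78
  bytes       262597680         1358          132        10491
  drops              39            0            0            0
"""

if __name__ == "__main__":
    b, a = parse_cake(BEFORE), parse_cake(AFTER)
    for tin, grown in tin_delta(b, a, "ifb-pppoe-wan").items():
        print(f"{tin:12s} +{grown} bytes")
    print("download landed in:", dominant_tin(b, a, "ifb-pppoe-wan"))
```

Feed it the real before/after captures (e.g. read from two files) to see whether a test download grew "Best Effort" or "Bulk", which is exactly the discrepancy between the dual-dsthost and triple-isolate runs above.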
@moeller0 you're kind of an Apple guy aren't you? Is it possible to set DSCPs at the application level on an iMac in the same way that you can in Windows:
I ask because my wife now has an iMac and so I'm curious.
If not, I can always just go down the port route.
I am, and the answer is no, you can't set them at an app level.
Only partially, that is I absolutely love their laptops (and I despise their high prices) and I am fine with the GUI/OS in general. But regarding setting DSCPs I fear that macOS is just as bad as Linux is in that regard, and expects this capability to be part of an application and not something the OS offers to do for you, at least to my knowledge...
+1; but I do not claim to have authoritative knowledge in this regard.
Based on:
Under:
I just tried enabling 'Insert Quality of Service (QoS) markers for real-time media traffic'.
If I am understanding the documentation correctly, this apparently should make clients set:
Admittedly it seems a bit too good to be true. I'll report back whether this change results in DSCP values getting set by the macOS Teams client.
Given that they also state:
Important
Apple-based systems: The only instance that we know of where Apple-based devices actually set the DSCP value is if all the following conditions are met:
iOS.
WiFi network.
Cisco switches.
The network administrator has added the app to the approved list.
I would certainly try to confirm via packet captures... my hunch is Apple might set WiFi user priorities (UPs) directly instead of setting DSCPs, but that is pure conjecture...
And to be fair I think I remember seeing the packets use ports in the 60000 range when I looked at tcpdump (despite the port ranges in the 50000 range specified). So I'm also dubious about this.
Pity Apple haven't addressed setting DSCPs at the application level like Microsoft have.
If the Apple teams client does not respect the organization-wide settings nor even use the normal port ranges, this makes setting DSCPs (at the router, not iMac) even harder.
Is setting DSCP based on IP sets for Teams/Zoom reasonable? I forget.
It depends... if Teams/Zoom are served from unique IPs then that can work; if these are using shared IP addresses that can backfire.
However, the first thing I would check is whether any prioritisation is needed at all... and only then would I go and see whether I could generate some heuristic rules... (I dislike heuristic rules based on potentially variable things like IP addresses and port numbers, but sometimes you need to play with the information you have, not the one you wish to have...)
I would set a rule to mark based on those source port ranges, proto udp, and destination ports 3478-3481.
For your reference, see the following dscpclassify rules I use for Teams:
config ipset
	option name 'msteams_4'
	option family 'ipv4'
	option interval '1'
	option automerge '1'
	list entry '13.107.64.0/18'
	list entry '52.112.0.0/14'
	list entry '52.122.0.0/15'

config ipset
	option name 'msteams_6'
	option family 'ipv6'
	option interval '1'
	option auto-merge '1'
	list entry '2603:1063::/39'

config rule
	option name 'Teams voice'
	option proto 'udp'
	option src_port '50000-50019'
	option dest_port '3478-3481'
	option class 'ef'
	option counter '1'

config rule
	option name 'Teams video'
	option proto 'udp'
	option src_port '50020-50039'
	option dest_port '3478-3481'
	option class 'af41'
	option counter '1'

config rule
	option name 'Teams sharing'
	option proto 'udp'
	option src_port '50040-50059'
	option dest_port '3478-3481'
	option class 'af21'
	option counter '1'

config rule
	option name 'Teams TCP_4'
	option proto 'tcp'
	option dest_ip '@msteams_4'
	list src_port '1000-10000'
	list src_port '16000-26000'
	list src_port '50000-65000'
	option dest_port '443'
	option class 'af41'
	option family 'ipv4'
	option counter '1'

config rule
	option name 'Teams TCP_6'
	option proto 'tcp'
	option dest_ip '@msteams_6'
	list src_port '1000-10000'
	list src_port '16000-26000'
	list src_port '50000-65000'
	option dest_port '443'
	option class 'af41'
	option family 'ipv6'
	option counter '1'
Do you ever see hits on the tcp rules?
Yes, when I use the browser in place of the Teams app.
@dave14305 I believe nftables now has both an ingress hook and an egress hook. And it also supports 'fwd to' to mirror packets to an IFB interface (see e.g. my post here).
At the moment I set DSCPs to conntrack using nftables:
and use tc's ctinfo to restore DSCPs from conntrack:
Has equivalent ctinfo functionality for restoration of DSCPs from conntrack now been added to nftables, such that I could actually replace the tc calls with the equivalent nftables calls? That is, have nftables restore DSCPs from conntrack and then mirror the packets to an IFB interface (rather than use tc for this).