i edit the file using winscp
i did a fresh installation where do i go from here
root@OpenWrt:~# nft list table inet dscpclassify
table inet dscpclassify {
set threaded_clients {
type ipv4_addr . inet_service . inet_proto
size 65535
flags dynamic,timeout
}
set threaded_clients6 {
type ipv6_addr . inet_service . inet_proto
size 65535
flags dynamic,timeout
}
set threaded_services {
type ipv4_addr . ipv4_addr . inet_service . inet_proto
size 65535
flags dynamic,timeout
}
set threaded_services6 {
type ipv6_addr . ipv6_addr . inet_service . inet_proto
size 65535
flags dynamic,timeout
}
map ct_dscp {
type mark : verdict
elements = { 0x00000000 : goto dscp_set_cs0, 0x00000001 : goto d scp_set_le, 0x00000008 : goto dscp_set_cs1, 0x0000000a : goto dscp_set_af11, 0x0 000000c : goto dscp_set_af12,
0x0000000e : goto dscp_set_af13, 0x00000010 : goto dscp_set_cs2, 0x00000012 : goto dscp_set_af21, 0x00000014 : goto dscp_set_af22, 0x00000016 : goto dscp_set_af23,
0x00000018 : goto dscp_set_cs3, 0x0000001a : goto d scp_set_af31, 0x0000001c : goto dscp_set_af32, 0x0000001e : goto dscp_set_af33, 0x00000020 : goto dscp_set_cs4,
0x00000022 : goto dscp_set_af41, 0x00000024 : goto dscp_set_af42, 0x00000026 : goto dscp_set_af43, 0x00000028 : goto dscp_set_cs5, 0x0000002c : goto dscp_set_va,
0x0000002e : goto dscp_set_ef, 0x00000030 : goto ds cp_set_cs6, 0x00000038 : goto dscp_set_cs7 }
}
map ct_wmm {
type mark : verdict
elements = { 0x00000000 : goto dscp_set_cs0, 0x00000001 : goto d scp_set_le, 0x00000008 : goto dscp_set_cs1, 0x0000000a : goto dscp_set_cs0, 0x00 00000c : goto dscp_set_cs0,
0x0000000e : goto dscp_set_cs0, 0x00000010 : goto d scp_set_cs0, 0x00000012 : goto dscp_set_cs3, 0x00000014 : goto dscp_set_cs3, 0x0 0000016 : goto dscp_set_cs3,
0x00000018 : goto dscp_set_cs4, 0x0000001a : goto d scp_set_cs4, 0x0000001c : goto dscp_set_cs4, 0x0000001e : goto dscp_set_cs4, 0x0 0000020 : goto dscp_set_cs4,
0x00000022 : goto dscp_set_cs4, 0x00000024 : goto d scp_set_cs4, 0x00000026 : goto dscp_set_cs4, 0x00000028 : goto dscp_set_cs5, 0x0 000002c : goto dscp_set_cs6,
0x0000002e : goto dscp_set_cs6, 0x00000030 : goto d scp_set_cs7, 0x00000038 : goto dscp_set_cs7 }
}
map dscp_ct {
type dscp : verdict
elements = { cs0 : goto ct_set_cs0,
lephb : goto ct_set_le,
cs1 : goto ct_set_cs1,
af11 : goto ct_set_af11,
af12 : goto ct_set_af12,
af13 : goto ct_set_af13,
cs2 : goto ct_set_cs2,
af21 : goto ct_set_af21,
af22 : goto ct_set_af22,
af23 : goto ct_set_af23,
cs3 : goto ct_set_cs3,
af31 : goto ct_set_af31,
af32 : goto ct_set_af32,
af33 : goto ct_set_af33,
cs4 : goto ct_set_cs4,
af41 : goto ct_set_af41,
af42 : goto ct_set_af42,
af43 : goto ct_set_af43,
cs5 : goto ct_set_cs5,
va : goto ct_set_va,
ef : goto ct_set_ef,
cs6 : goto ct_set_cs6,
cs7 : goto ct_set_cs7 }
}
set xcloud {
type ipv4_addr
flags interval
auto-merge
elements = { 13.104.0.0/14 }
}
set xcloud6 {
type ipv6_addr
flags interval
auto-merge
elements = { 2603:1000::/24 }
}
chain dscp_set_cs0 {
ip dscp set cs0
ip6 dscp set cs0
}
chain dscp_set_le {
ip dscp set lephb
ip6 dscp set lephb
}
chain dscp_set_cs1 {
ip dscp set cs1
ip6 dscp set cs1
}
chain dscp_set_af11 {
ip dscp set af11
ip6 dscp set af11
}
chain dscp_set_af12 {
ip dscp set af12
ip6 dscp set af12
}
chain dscp_set_af13 {
ip dscp set af13
ip6 dscp set af13
}
chain dscp_set_cs2 {
ip dscp set cs2
ip6 dscp set cs2
}
chain dscp_set_af21 {
ip dscp set af21
ip6 dscp set af21
}
chain dscp_set_af22 {
ip dscp set af22
ip6 dscp set af22
}
chain dscp_set_af23 {
ip dscp set af23
ip6 dscp set af23
}
chain dscp_set_cs3 {
ip dscp set cs3
ip6 dscp set cs3
}
chain dscp_set_af31 {
ip dscp set af31
ip6 dscp set af31
}
chain dscp_set_af32 {
ip dscp set af32
ip6 dscp set af32
}
chain dscp_set_af33 {
ip dscp set af33
ip6 dscp set af33
}
chain dscp_set_cs4 {
ip dscp set cs4
ip6 dscp set cs4
}
chain dscp_set_af41 {
ip dscp set af41
ip6 dscp set af41
}
chain dscp_set_af42 {
ip dscp set af42
ip6 dscp set af42
}
chain dscp_set_af43 {
ip dscp set af43
ip6 dscp set af43
}
chain dscp_set_cs5 {
ip dscp set cs5
ip6 dscp set cs5
}
chain dscp_set_va {
ip dscp set va
ip6 dscp set va
}
chain dscp_set_ef {
ip dscp set ef
ip6 dscp set ef
}
chain dscp_set_cs6 {
ip dscp set cs6
ip6 dscp set cs6
}
chain dscp_set_cs7 {
ip dscp set cs7
ip6 dscp set cs7
}
chain ct_set_cs0 {
ct mark set ct mark & 0xffffff40 | 0x00000040
}
chain ct_set_le {
ct mark set ct mark & 0xffffff01 | 0x00000001
}
chain ct_set_cs1 {
ct mark set ct mark & 0xffffff08 | 0x00000008
}
chain ct_set_af11 {
ct mark set ct mark & 0xffffff0a | 0x0000000a
}
chain ct_set_af12 {
ct mark set ct mark & 0xffffff0c | 0x0000000c
}
chain ct_set_af13 {
ct mark set ct mark & 0xffffff0e | 0x0000000e
}
chain ct_set_cs2 {
ct mark set ct mark & 0xffffff10 | 0x00000010
}
chain ct_set_af21 {
ct mark set ct mark & 0xffffff12 | 0x00000012
}
chain ct_set_af22 {
ct mark set ct mark & 0xffffff14 | 0x00000014
}
chain ct_set_af23 {
ct mark set ct mark & 0xffffff16 | 0x00000016
}
chain ct_set_cs3 {
ct mark set ct mark & 0xffffff18 | 0x00000018
}
chain ct_set_af31 {
ct mark set ct mark & 0xffffff1a | 0x0000001a
}
chain ct_set_af32 {
ct mark set ct mark & 0xffffff1c | 0x0000001c
}
chain ct_set_af33 {
ct mark set ct mark & 0xffffff1e | 0x0000001e
}
chain ct_set_cs4 {
ct mark set ct mark & 0xffffff20 | 0x00000020
}
chain ct_set_af41 {
ct mark set ct mark & 0xffffff22 | 0x00000022
}
chain ct_set_af42 {
ct mark set ct mark & 0xffffff24 | 0x00000024
}
chain ct_set_af43 {
ct mark set ct mark & 0xffffff26 | 0x00000026
}
chain ct_set_cs5 {
ct mark set ct mark & 0xffffff28 | 0x00000028
}
chain ct_set_va {
ct mark set ct mark & 0xffffff2c | 0x0000002c
}
chain ct_set_ef {
ct mark set ct mark & 0xffffff2e | 0x0000002e
}
chain ct_set_cs6 {
ct mark set ct mark & 0xffffff30 | 0x00000030
}
chain ct_set_cs7 {
ct mark set ct mark & 0xffffff38 | 0x00000038
}
chain input {
type filter hook input priority filter + 2; policy accept;
iifname "lo" return
ct mark & 0x000000ff == 0x00000000 ct direction original jump st atic_classify
ct mark & 0x00000080 == 0x00000080 jump dynamic_classify
}
chain postrouting {
type filter hook postrouting priority filter + 2; policy accept;
oifname "lo" return
ct mark & 0x000000ff == 0x00000000 ct direction original jump st atic_classify
ct mark & 0x00000080 == 0x00000080 jump dynamic_classify
ct mark & 0x0000003f vmap @ct_dscp
}
chain static_classify {
meta l4proto { tcp, udp } th dport { 53, 853, 5353 } goto ct_set _cs5 comment "DNS"
meta l4proto { tcp, udp } ip6 daddr { 2001:4860:4860::8844, 2001 :4860:4860::8888, 2606:4700:4700::1001, 2606:4700:4700::1111, 2620:fe::9, 2620:f e::11, 2620:fe::fe, 2620:fe::fe:11, 2a10:50c0::ad1:ff, 2a10:50c0::ad2:ff, 2a10:5 0c0::ded:ff } th dport 443 goto ct_set_cs5 comment "DoH"
meta l4proto { tcp, udp } ip daddr { 1.0.0.1, 1.1.1.1, 8.8.4.4, 8.8.8.8, 9.9.9.9, 9.9.9.11, 94.140.14.0/24, 149.112.112.11, 149.112.112.112 } th dport 443 goto ct_set_cs5 comment "DoH"
udp dport { 67, 68 } goto ct_set_cs5 comment "BOOTP/DHCP"
udp dport 123 goto ct_set_cs5 comment "NTP"
tcp dport 22 goto ct_set_cs2 comment "SSH"
ip daddr @xcloud udp dport { 1000-1150, 9002 } goto ct_set_af41 comment "Xbox Cloud Gaming"
ip6 daddr @xcloud6 udp dport { 1000-1150, 9002 } goto ct_set_af4 1 comment "Xbox Cloud Gaming IPv6"
ip6 daddr 2603:1063::/39 udp dport 3478-3481 udp sport 50000-500 19 goto ct_set_ef comment "Microsoft Teams voice"
ip daddr { 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15 } udp dp ort 3478-3481 udp sport 50000-50019 goto ct_set_ef comment "Microsoft Teams voic e"
ip6 daddr 2603:1063::/39 udp dport 3478-3481 udp sport 50020-500 39 goto ct_set_af41 comment "Microsoft Teams video"
ip daddr { 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15 } udp dp ort 3478-3481 udp sport 50020-50039 goto ct_set_af41 comment "Microsoft Teams vi deo"
ip6 daddr 2603:1063::/39 udp dport 3478-3481 udp sport 50040-500 59 goto ct_set_af21 comment "Microsoft Teams sharing"
ip daddr { 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15 } udp dp ort 3478-3481 udp sport 50040-50059 goto ct_set_af21 comment "Microsoft Teams sh aring"
ip dscp != { cs0, cs6, cs7 } iifname != "wan" ip dscp vmap @dscp _ct
ip6 dscp != { cs0, cs6, cs7 } iifname != "wan" ip6 dscp vmap @ds cp_ct
meta l4proto != { tcp, udp } goto ct_set_cs0
ct mark set ct mark & 0xffffff80 | 0x00000080
}
chain dynamic_classify {
ct status & seen-reply != seen-reply return
ct direction reply goto dynamic_classify_reply
ip saddr . th sport . meta l4proto @threaded_clients goto thread ed_client
ip6 saddr . th sport . meta l4proto @threaded_clients6 goto thre aded_client
ip saddr . ip daddr & 255.255.255.0 . th dport . meta l4proto @t hreaded_services goto threaded_service
ip6 saddr . ip6 daddr & ffff:ffff:ffff:: . th dport . meta l4pro to @threaded_services6 goto threaded_service
}
chain dynamic_classify_reply {
ct reply packets 1 jump established_connection
ip daddr . th dport . meta l4proto @threaded_clients goto thread ed_client_reply
ip6 daddr . th dport . meta l4proto @threaded_clients6 goto thre aded_client_reply
ip daddr . ip saddr & 255.255.255.0 . th sport . meta l4proto @t hreaded_services goto threaded_service_reply
ip6 daddr . ip6 saddr & ffff:ffff:ffff:: . th sport . meta l4pro to @threaded_services6 goto threaded_service_reply
}
chain established_connection {
meter tc_detect size 65535 { ip daddr . th dport . meta l4proto timeout 5s limit rate over 9/minute } add @threaded_clients { ip daddr . th dpor t . meta l4proto timeout 30s }
meter tc_detect6 size 65535 { ip6 daddr . th dport . meta l4prot o timeout 5s limit rate over 9/minute } add @threaded_clients6 { ip6 daddr . th dport . meta l4proto timeout 30s }
meter ts_detect size 65535 { ip daddr . ip saddr & 255.255.255.0 . th sport . meta l4proto timeout 5s limit rate over 2/minute } add @threaded_s ervices { ip daddr . ip saddr & 255.255.255.0 . th sport . meta l4proto timeout 30s }
meter ts_detect6 size 65535 { ip6 daddr . ip6 saddr & ffff:ffff: ffff:: . th sport . meta l4proto timeout 5s limit rate over 2/minute } add @thre aded_services6 { ip6 daddr . ip6 saddr & ffff:ffff:ffff:: . th sport . meta l4pr oto timeout 30s }
}
chain threaded_client {
meter tc_orig_bulk size 65535 { ip saddr . th sport . meta l4pro to timeout 5m limit rate over 9999 bytes/hour } update @threaded_clients { ip sa ddr . th sport . meta l4proto timeout 5m } goto ct_set_le
meter tc_orig_bulk6 size 65535 { ip6 saddr . th sport . meta l4p roto timeout 5m limit rate over 9999 bytes/hour } update @threaded_clients6 { ip 6 saddr . th sport . meta l4proto timeout 5m } goto ct_set_le
}
chain threaded_client_reply {
meter tc_reply_bulk size 65535 { ip daddr . th dport . meta l4pr oto timeout 5m limit rate over 9999 bytes/hour } update @threaded_clients { ip d addr . th dport . meta l4proto timeout 5m } goto ct_set_le
meter tc_reply_bulk6 size 65535 { ip6 daddr . th dport . meta l4 proto timeout 5m limit rate over 9999 bytes/hour } update @threaded_clients6 { i p6 daddr . th dport . meta l4proto timeout 5m } goto ct_set_le
}
chain threaded_service {
ct original bytes < 1000000 return
update @threaded_services { ip saddr . ip daddr & 255.255.255.0 . th dport . meta l4proto timeout 5m }
update @threaded_services6 { ip6 saddr . ip6 daddr & ffff:ffff:f fff:: . th dport . meta l4proto timeout 5m }
goto ct_set_af13
}
chain threaded_service_reply {
ct reply bytes < 1000000 return
update @threaded_services { ip daddr . ip saddr & 255.255.255.0 . th sport . meta l4proto timeout 5m }
update @threaded_services6 { ip6 daddr . ip6 saddr & ffff:ffff:f fff:: . th sport . meta l4proto timeout 5m }
goto ct_set_af13
}
}
root@OpenWrt:~# chain static_classify {
-ash: chain: not found
root@OpenWrt:~# meta l4proto { tcp, udp } th dport { 53, 853, 5353 } goto ct_set
_cs5 comment "DNS"
-ash: meta: not found
root@OpenWrt:~# meta l4proto { tcp, udp } ip6 daddr { 2001:4860:4860::8844, 2001
:4860:4860::8888, 2606:4700:4700::1001, 2606:4700:4700::1111, 2620:fe::9, 2620:f
e::11, 2620:fe::fe, 2620:fe::fe:11, 2a10:50c0::ad1:ff, 2a10:50c0::ad2:ff, 2a10:5
0c0::d
-ash: meta: not found
root@OpenWrt:~# meta l4proto { tcp, udp } ip daddr { 1.0.0.1, 1.1.1.1, 8.8.4.4,
8.8.8.8, 9.9.9.9, 9.9.9.11, 94.140.14.0/24, 149.112.112.11, 149.112.112.112 } th
dport 443 goto ct_set_cs5 comment "DoH"
-ash: meta: not found
root@OpenWrt:~# udp dport { 67, 68 } goto ct_set_cs5 comment "BOOTP/DHCP"
-ash: udp: not found
root@OpenWrt:~# udp dport 123 goto ct_set_cs5 comment "NTP"
-ash: udp: not found
root@OpenWrt:~# tcp dport 22 goto ct_set_cs2 comment "SSH"
ip6 daddr @xcloud6 udp dport { 1000-1150, 9002 } goto ct_set_af4 1 comment "Xbox Cloud Gaming IPv6"
-ash: tcp: not found
root@OpenWrt:~# ip daddr @xcloud udp dport { 1000-1150, 9002 } goto ct_set_af41
comment "Xbox Cloud Gaming"
Object "daddr" is unknown, try "ip help".
root@OpenWrt:~# ip6 daddr @xcloud6 udp dport { 1000-1150, 9002 } goto ct_set_af4
1 comment "Xbox Cloud Gaming IPv6"
-ash: ip6: not found
root@OpenWrt:~# ip6 daddr 2603:1063::/39 udp dport 3478-3481 udp sport 50000-500
19 goto ct_set_ef comment "Microsoft Teams voice"
-ash: ip6: not found
root@OpenWrt:~# ip daddr { 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15 } udp dp
ort 3478-3481 udp sport 50000-50019 goto ct_set_ef comment "Microsoft Teams voic
e"
ip6 daddr 2603:1063::/39 udp dport 3478-3481 udp sport 50020-500 39 goto ct_set_af41 comment "Microsoft Teams video"
ip daddr { 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15 } udp dp ort 3478-3481 udp sport 50020-50039 goto ct_set_af41 comment "Microsoft Teams vi deo"
ip6 daddr 2603:1063::/39 udp dport 3478-3481 udp sport 50040-500 59 goto ct_set_af21 comment "Microsoft Teams sharing"
ip daddr { 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15 } udp dp ort 3478-3481 udp sport 50040-50059 goto ct_set_af21 comment "Microsoft Teams sh aring"
ip dscp != { cs0, cs6, cs7 } iifname != "wan" ip dscp vmap @dscp _ct
ip6 dscp != { cs0, cs6, cs7 } iifname != "wan" ip6 dscp vmap @ds cp_ct
meta l4proto != { tcp, udp } goto ct_set_cs0
ct mark set ct mark & 0xffffff80 | 0x00000080
}
Object "daddr" is unknown, try "ip help".
root@OpenWrt:~# ip6 daddr 2603:1063::/39 udp dport 3478-3481 udp sport 50020-500
39 goto ct_set_af41 comment "Microsoft Teams video"
-ash: ip6: not found
root@OpenWrt:~# ip daddr { 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15 } udp dp
ort 3478-3481 udp sport 50020-50039 goto ct_set_af41 comment "Microsoft Teams vi
deo"
Object "daddr" is unknown, try "ip help".
root@OpenWrt:~# ip6 daddr 2603:1063::/39 udp dport 3478-3481 udp sport 50040-500
59 goto ct_set_af21 comment "Microsoft Teams sharing"
-ash: ip6: not found
root@OpenWrt:~# ip daddr { 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15 } udp dp
ort 3478-3481 udp sport 50040-50059 goto ct_set_af21 comment "Microsoft Teams sh
aring"
Object "daddr" is unknown, try "ip help".
root@OpenWrt:~# ip dscp != { cs0, cs6, cs7 } iifname != "wan" ip dscp vmap @dscp
_ct
Object "dscp" is unknown, try "ip help".
root@OpenWrt:~# ip6 dscp != { cs0, cs6, cs7 } iifname != "wan" ip6 dscp vmap @ds
cp_ct
-ash: ip6: not found
root@OpenWrt:~# meta l4proto != { tcp, udp } goto ct_set_cs0
-ash: meta: not found
root@OpenWrt:~# ct mark set ct mark & 0xffffff80 | 0x00000080
-ash: -ash: 0x00000080: not found
ct: not found
-ash: 0xffffff80: not found
root@OpenWrt:~# }
-ash: syntax error: unexpected "}"
root@OpenWrt:~#
[1]+ Done(127) ct mark set ct mark
root@OpenWrt:~#
That could be the cause.
Try the following steps:
- Delete or rename the config file /etc/config/dscpclassify.
- Download it again.
- Without making any changes to the original config file, restart dscpclassify:
service dscpclassify restart
- Check if there are now rules present in the static_classify chain.
login as: root
BusyBox v1.36.1 (2024-03-22 22:09:42 UTC) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 23.05.3, r23809-234f1a2efa
-----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:~# nft list table inet dscpclassify
table inet dscpclassify {
set threaded_clients {
type ipv4_addr . inet_service . inet_proto
size 65535
flags dynamic,timeout
}
set threaded_clients6 {
type ipv6_addr . inet_service . inet_proto
size 65535
flags dynamic,timeout
}
set threaded_services {
type ipv4_addr . ipv4_addr . inet_service . inet_proto
size 65535
flags dynamic,timeout
}
set threaded_services6 {
type ipv6_addr . ipv6_addr . inet_service . inet_proto
size 65535
flags dynamic,timeout
}
map ct_dscp {
type mark : verdict
elements = { 0x00000000 : goto dscp_set_cs0, 0x00000001 : goto dscp_set_le, 0x00000008 : goto dscp_set_cs1, 0x0000000a : goto dscp_set_af11, 0x0000000c : goto dscp_set_af12,
0x0000000e : goto dscp_set_af13, 0x00000010 : goto dscp_set_cs2, 0x00000012 : goto dscp_set_af21, 0x00000014 : goto dscp_set_af22, 0x00000016 : goto dscp_set_af23,
0x00000018 : goto dscp_set_cs3, 0x0000001a : goto dscp_set_af31, 0x0000001c : goto dscp_set_af32, 0x0000001e : goto dscp_set_af33, 0x00000020 : goto dscp_set_cs4,
0x00000022 : goto dscp_set_af41, 0x00000024 : goto dscp_set_af42, 0x00000026 : goto dscp_set_af43, 0x00000028 : goto dscp_set_cs5, 0x0000002c : goto dscp_set_va,
0x0000002e : goto dscp_set_ef, 0x00000030 : goto dscp_set_cs6, 0x00000038 : goto dscp_set_cs7 }
}
map ct_wmm {
type mark : verdict
elements = { 0x00000000 : goto dscp_set_cs0, 0x00000001 : goto dscp_set_le, 0x00000008 : goto dscp_set_cs1, 0x0000000a : goto dscp_set_cs0, 0x0000000c : goto dscp_set_cs0,
0x0000000e : goto dscp_set_cs0, 0x00000010 : goto dscp_set_cs0, 0x00000012 : goto dscp_set_cs3, 0x00000014 : goto dscp_set_cs3, 0x00000016 : goto dscp_set_cs3,
0x00000018 : goto dscp_set_cs4, 0x0000001a : goto dscp_set_cs4, 0x0000001c : goto dscp_set_cs4, 0x0000001e : goto dscp_set_cs4, 0x00000020 : goto dscp_set_cs4,
0x00000022 : goto dscp_set_cs4, 0x00000024 : goto dscp_set_cs4, 0x00000026 : goto dscp_set_cs4, 0x00000028 : goto dscp_set_cs5, 0x0000002c : goto dscp_set_cs6,
0x0000002e : goto dscp_set_cs6, 0x00000030 : goto dscp_set_cs7, 0x00000038 : goto dscp_set_cs7 }
}
map dscp_ct {
type dscp : verdict
elements = { cs0 : goto ct_set_cs0,
lephb : goto ct_set_le,
cs1 : goto ct_set_cs1,
af11 : goto ct_set_af11,
af12 : goto ct_set_af12,
af13 : goto ct_set_af13,
cs2 : goto ct_set_cs2,
af21 : goto ct_set_af21,
af22 : goto ct_set_af22,
af23 : goto ct_set_af23,
cs3 : goto ct_set_cs3,
af31 : goto ct_set_af31,
af32 : goto ct_set_af32,
af33 : goto ct_set_af33,
cs4 : goto ct_set_cs4,
af41 : goto ct_set_af41,
af42 : goto ct_set_af42,
af43 : goto ct_set_af43,
cs5 : goto ct_set_cs5,
va : goto ct_set_va,
ef : goto ct_set_ef,
cs6 : goto ct_set_cs6,
cs7 : goto ct_set_cs7 }
}
set xcloud {
type ipv4_addr
flags interval
auto-merge
elements = { 13.104.0.0/14 }
}
set xcloud6 {
type ipv6_addr
flags interval
auto-merge
elements = { 2603:1000::/24 }
}
chain dscp_set_cs0 {
ip dscp set cs0
ip6 dscp set cs0
}
chain dscp_set_le {
ip dscp set lephb
ip6 dscp set lephb
}
chain dscp_set_cs1 {
ip dscp set cs1
ip6 dscp set cs1
}
chain dscp_set_af11 {
ip dscp set af11
ip6 dscp set af11
}
chain dscp_set_af12 {
ip dscp set af12
ip6 dscp set af12
}
chain dscp_set_af13 {
ip dscp set af13
ip6 dscp set af13
}
chain dscp_set_cs2 {
ip dscp set cs2
ip6 dscp set cs2
}
chain dscp_set_af21 {
ip dscp set af21
ip6 dscp set af21
}
chain dscp_set_af22 {
ip dscp set af22
ip6 dscp set af22
}
chain dscp_set_af23 {
ip dscp set af23
ip6 dscp set af23
}
chain dscp_set_cs3 {
ip dscp set cs3
ip6 dscp set cs3
}
chain dscp_set_af31 {
ip dscp set af31
ip6 dscp set af31
}
chain dscp_set_af32 {
ip dscp set af32
ip6 dscp set af32
}
chain dscp_set_af33 {
ip dscp set af33
ip6 dscp set af33
}
chain dscp_set_cs4 {
ip dscp set cs4
ip6 dscp set cs4
}
chain dscp_set_af41 {
ip dscp set af41
ip6 dscp set af41
}
chain dscp_set_af42 {
ip dscp set af42
ip6 dscp set af42
}
chain dscp_set_af43 {
ip dscp set af43
ip6 dscp set af43
}
chain dscp_set_cs5 {
ip dscp set cs5
ip6 dscp set cs5
}
chain dscp_set_va {
ip dscp set va
ip6 dscp set va
}
chain dscp_set_ef {
ip dscp set ef
ip6 dscp set ef
}
chain dscp_set_cs6 {
ip dscp set cs6
ip6 dscp set cs6
}
chain dscp_set_cs7 {
ip dscp set cs7
ip6 dscp set cs7
}
chain ct_set_cs0 {
ct mark set ct mark & 0xffffff40 | 0x00000040
}
chain ct_set_le {
ct mark set ct mark & 0xffffff01 | 0x00000001
}
chain ct_set_cs1 {
ct mark set ct mark & 0xffffff08 | 0x00000008
}
chain ct_set_af11 {
ct mark set ct mark & 0xffffff0a | 0x0000000a
}
chain ct_set_af12 {
ct mark set ct mark & 0xffffff0c | 0x0000000c
}
chain ct_set_af13 {
ct mark set ct mark & 0xffffff0e | 0x0000000e
}
chain ct_set_cs2 {
ct mark set ct mark & 0xffffff10 | 0x00000010
}
chain ct_set_af21 {
ct mark set ct mark & 0xffffff12 | 0x00000012
}
chain ct_set_af22 {
ct mark set ct mark & 0xffffff14 | 0x00000014
}
chain ct_set_af23 {
ct mark set ct mark & 0xffffff16 | 0x00000016
}
chain ct_set_cs3 {
ct mark set ct mark & 0xffffff18 | 0x00000018
}
chain ct_set_af31 {
ct mark set ct mark & 0xffffff1a | 0x0000001a
}
chain ct_set_af32 {
ct mark set ct mark & 0xffffff1c | 0x0000001c
}
chain ct_set_af33 {
ct mark set ct mark & 0xffffff1e | 0x0000001e
}
chain ct_set_cs4 {
ct mark set ct mark & 0xffffff20 | 0x00000020
}
chain ct_set_af41 {
ct mark set ct mark & 0xffffff22 | 0x00000022
}
chain ct_set_af42 {
ct mark set ct mark & 0xffffff24 | 0x00000024
}
chain ct_set_af43 {
ct mark set ct mark & 0xffffff26 | 0x00000026
}
chain ct_set_cs5 {
ct mark set ct mark & 0xffffff28 | 0x00000028
}
chain ct_set_va {
ct mark set ct mark & 0xffffff2c | 0x0000002c
}
chain ct_set_ef {
ct mark set ct mark & 0xffffff2e | 0x0000002e
}
chain ct_set_cs6 {
ct mark set ct mark & 0xffffff30 | 0x00000030
}
chain ct_set_cs7 {
ct mark set ct mark & 0xffffff38 | 0x00000038
}
chain input {
type filter hook input priority filter + 2; policy accept;
iifname "lo" return
ct mark & 0x000000ff == 0x00000000 ct direction original jump static_classify
ct mark & 0x00000080 == 0x00000080 jump dynamic_classify
}
chain postrouting {
type filter hook postrouting priority filter + 2; policy accept;
oifname "lo" return
ct mark & 0x000000ff == 0x00000000 ct direction original jump static_classify
ct mark & 0x00000080 == 0x00000080 jump dynamic_classify
ct mark & 0x0000003f vmap @ct_dscp
}
chain static_classify {
meta l4proto { tcp, udp } th dport { 53, 853, 5353 } goto ct_set_cs5 comment "DNS"
meta l4proto { tcp, udp } ip6 daddr { 2001:4860:4860::8844, 2001:4860:4860::8888, 2606:4700:4700::1001, 2606:4700:4700::1111, 2620:fe::9, 2620:fe::11, 2620:fe::fe, 2620:fe::fe:11, 2a10:50c0::ad1:ff, 2a10:50c0::ad2:ff, 2a10:50c0::ded:ff } th dport 443 goto ct_set_cs5 comment "DoH"
meta l4proto { tcp, udp } ip daddr { 1.0.0.1, 1.1.1.1, 8.8.4.4, 8.8.8.8, 9.9.9.9, 9.9.9.11, 94.140.14.0/24, 149.112.112.11, 149.112.112.112 } th dport 443 goto ct_set_cs5 comment "DoH"
udp dport { 67, 68 } goto ct_set_cs5 comment "BOOTP/DHCP"
udp dport 123 goto ct_set_cs5 comment "NTP"
tcp dport 22 goto ct_set_cs2 comment "SSH"
ip daddr @xcloud udp dport { 1000-1150, 9002 } goto ct_set_af41 comment "Xbox Cloud Gaming"
ip6 daddr @xcloud6 udp dport { 1000-1150, 9002 } goto ct_set_af41 comment "Xbox Cloud Gaming IPv6"
ip6 daddr 2603:1063::/39 udp dport 3478-3481 udp sport 50000-50019 goto ct_set_ef comment "Microsoft Teams voice"
ip daddr { 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15 } udp dport 3478-3481 udp sport 50000-50019 goto ct_set_ef comment "Microsoft Teams voice"
ip6 daddr 2603:1063::/39 udp dport 3478-3481 udp sport 50020-50039 goto ct_set_af41 comment "Microsoft Teams video"
ip daddr { 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15 } udp dport 3478-3481 udp sport 50020-50039 goto ct_set_af41 comment "Microsoft Teams video"
ip6 daddr 2603:1063::/39 udp dport 3478-3481 udp sport 50040-50059 goto ct_set_af21 comment "Microsoft Teams sharing"
ip daddr { 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15 } udp dport 3478-3481 udp sport 50040-50059 goto ct_set_af21 comment "Microsoft Teams sharing"
ip dscp != { cs0, cs6, cs7 } iifname != "wan" ip dscp vmap @dscp_ct
ip6 dscp != { cs0, cs6, cs7 } iifname != "wan" ip6 dscp vmap @dscp_ct
meta l4proto != { tcp, udp } goto ct_set_cs0
ct mark set ct mark & 0xffffff80 | 0x00000080
}
chain dynamic_classify {
ct status & seen-reply != seen-reply return
ct direction reply goto dynamic_classify_reply
ip saddr . th sport . meta l4proto @threaded_clients goto threaded_client
ip6 saddr . th sport . meta l4proto @threaded_clients6 goto threaded_client
ip saddr . ip daddr & 255.255.255.0 . th dport . meta l4proto @threaded_services goto threaded_service
ip6 saddr . ip6 daddr & ffff:ffff:ffff:: . th dport . meta l4proto @threaded_services6 goto threaded_service
}
chain dynamic_classify_reply {
ct reply packets 1 jump established_connection
ip daddr . th dport . meta l4proto @threaded_clients goto threaded_client_reply
ip6 daddr . th dport . meta l4proto @threaded_clients6 goto threaded_client_reply
ip daddr . ip saddr & 255.255.255.0 . th sport . meta l4proto @threaded_services goto threaded_service_reply
ip6 daddr . ip6 saddr & ffff:ffff:ffff:: . th sport . meta l4proto @threaded_services6 goto threaded_service_reply
}
chain established_connection {
meter tc_detect size 65535 { ip daddr . th dport . meta l4proto timeout 5s limit rate over 9/minute } add @threaded_clients { ip daddr . th dport . meta l4proto timeout 30s }
meter tc_detect6 size 65535 { ip6 daddr . th dport . meta l4proto timeout 5s limit rate over 9/minute } add @threaded_clients6 { ip6 daddr . th dport . meta l4proto timeout 30s }
meter ts_detect size 65535 { ip daddr . ip saddr & 255.255.255.0 . th sport . meta l4proto timeout 5s limit rate over 2/minute } add @threaded_services { ip daddr . ip saddr & 255.255.255.0 . th sport . meta l4proto timeout 30s }
meter ts_detect6 size 65535 { ip6 daddr . ip6 saddr & ffff:ffff:ffff:: . th sport . meta l4proto timeout 5s limit rate over 2/minute } add @threaded_services6 { ip6 daddr . ip6 saddr & ffff:ffff:ffff:: . th sport . meta l4proto timeout 30s }
}
chain threaded_client {
meter tc_orig_bulk size 65535 { ip saddr . th sport . meta l4proto timeout 5m limit rate over 9999 bytes/hour } update @threaded_clients { ip saddr . th sport . meta l4proto timeout 5m } goto ct_set_le
meter tc_orig_bulk6 size 65535 { ip6 saddr . th sport . meta l4proto timeout 5m limit rate over 9999 bytes/hour } update @threaded_clients6 { ip6 saddr . th sport . meta l4proto timeout 5m } goto ct_set_le
}
chain threaded_client_reply {
meter tc_reply_bulk size 65535 { ip daddr . th dport . meta l4proto timeout 5m limit rate over 9999 bytes/hour } update @threaded_clients { ip daddr . th dport . meta l4proto timeout 5m } goto ct_set_le
meter tc_reply_bulk6 size 65535 { ip6 daddr . th dport . meta l4proto timeout 5m limit rate over 9999 bytes/hour } update @threaded_clients6 { ip6 daddr . th dport . meta l4proto timeout 5m } goto ct_set_le
}
chain threaded_service {
ct original bytes < 1000000 return
update @threaded_services { ip saddr . ip daddr & 255.255.255.0 . th dport . meta l4proto timeout 5m }
update @threaded_services6 { ip6 saddr . ip6 daddr & ffff:ffff:ffff:: . th dport . meta l4proto timeout 5m }
goto ct_set_af13
}
chain threaded_service_reply {
ct reply bytes < 1000000 return
update @threaded_services { ip daddr . ip saddr & 255.255.255.0 . th sport . meta l4proto timeout 5m }
update @threaded_services6 { ip6 daddr . ip6 saddr & ffff:ffff:ffff:: . th sport . meta l4proto timeout 5m }
goto ct_set_af13
}
}
root@OpenWrt:~#
Ok, too slow... See, now you have default rules in the chain. Proceed and modify the rules to suit your needs, but do not use WinSCP. Instead, use a Linux editor of your choice, e.g., vim or install nano.
Then test again using tcpdump while gaming...
thanks much gonna do some testing
tcpdump udp port 3074 -i br-lan -v -n
09:55:47.640972 IP (tos 0x0, ttl 64, id 39154, offset 0, flags [none], proto UDP (17), length 46)
192.168.1.100.3074 > 45.32.188.25.42642: UDP, length 18
09:55:47.973760 IP (tos 0x80, ttl 42, id 26277, offset 0, flags [DF], proto UDP (17), length 57)
45.32.188.25.42642 > 192.168.1.100.3074: UDP, length 29
09:55:48.572157 IP (tos 0x0, ttl 64, id 31694, offset 0, flags [none], proto UDP (17), length 286)
192.168.1.100.3074 > 45.77.72.93.34261: UDP, length 258
09:55:48.618498 IP (tos 0x80, ttl 51, id 33750, offset 0, flags [DF], proto UDP (17), length 170)
45.77.72.93.34261 > 192.168.1.100.3074: UDP, length 142
09:55:48.618754 IP (tos 0x0, ttl 64, id 54370, offset 0, flags [none], proto UDP (17), length 67)
192.168.1.100.3074 > 45.77.72.93.34261: UDP, length 39
09:55:48.663838 IP (tos 0x80, ttl 51, id 33754, offset 0, flags [DF], proto UDP (17), length 51)
45.77.72.93.34261 > 192.168.1.100.3074: UDP, length 23
tcpdump udp port 3074 -i wan -v -n
10:00:02.346983 IP (tos 0x80, ttl 63, id 56815, offset 0, flags [none], proto UDP (17), length 286)
192.168.100.2.3074 > 45.77.72.93.34311: UDP, length 258
10:00:02.393010 IP (tos 0x48, ttl 52, id 3843, offset 0, flags [DF], proto UDP (17), length 170)
45.77.72.93.34311 > 192.168.100.2.3074: UDP, length 142
10:00:02.393318 IP (tos 0x80, ttl 63, id 65507, offset 0, flags [none], proto UDP (17), length 67)
192.168.100.2.3074 > 45.77.72.93.34311: UDP, length 39
10:00:02.438487 IP (tos 0x48, ttl 52, id 3850, offset 0, flags [DF], proto UDP (17), length 51)
45.77.72.93.34311 > 192.168.100.2.3074: UDP, length 23
10:00:08.918314 IP (tos 0x80, ttl 63, id 48158, offset
It's working, please confirm. And what about the 0x48: why are some packets still being tagged like that on the upload?
tos 0x80 = cs4 (the ToS byte is the DSCP value shifted left by two bits, so tos 0x48 is DSCP 0x12 = af21)
See here:
Tucny
In this example, packets entering br-lan on port 3074 are marked with CS4, which is correct.
Packets leaving your WAN are also marked with CS4. So it seems to be working now...
The packets marked tos 0x48 are incoming packets on your WAN. They could be coming from your ISP router, your ISP itself, or you have defined rules for it... These should actually be overwritten (in this case) by restoring the DSCP from conntrack, which is what dscpclassify does with the help of tc and ctinfo.
thanks a million
I have an issue where using this disables my wifi. Is there anything i should modify?
It would be very interesting if Dscp Classify had prioritization like the model below, but if I'm talking nonsense, please correct me.
config rule
option name 'CallofDutyWarzone'
option proto 'udp'
option dest_port '3074'
option class 'cs4'
option priority '-400'
option src_ip '192.168.1.239'
option counter '1'
Yes you are...
In nftables, the 'priority' option is used for ordering rules, not for prioritizing traffic. The actual traffic prioritization is handled by DSCP.
@yelreve Hey Jack! Does this support the `option loadfile` mechanism/syntax like in `/etc/config/firewall`?
For example:
config ipset 'nextdns_hosts_4'
option name 'nextdns_hosts_4'
option family 'ipv4'
option match 'net'
option loadfile '/var/ipset-nextdns_hosts_4'
config ipset 'nextdns_hosts_6'
option name 'nextdns_hosts_6'
option family 'ipv6'
option match 'net'
option loadfile '/var/ipset-nextdns_hosts_6'
Edit 1:
Looks like a no-go at this point:
root@OpenWrt:~# /etc/init.d/dscpclassify restart
In file included from /etc/dscpclassify.d/main.nft:124:1-45:
/tmp/etc/dscpclassify-post.include:18:103-118: Error: No such file or directory; did you mean set ‘nextdns_hosts_6’ in table inet ‘fw4’?
insert rule inet dscpclassify static_classify meta nfproto { ipv6 } meta l4proto { tcp } ip6 daddr @nextdns_hosts_6 th dport { 443 } goto ct_set_cs5 comment "NextDNS6"
^^^^^^^^^^^^^^^^
In file included from /etc/dscpclassify.d/main.nft:124:1-45:
/tmp/etc/dscpclassify-post.include:19:102-117: Error: No such file or directory; did you mean set ‘nextdns_hosts_4’ in table inet ‘fw4’?
insert rule inet dscpclassify static_classify meta nfproto { ipv4 } meta l4proto { tcp } ip daddr @nextdns_hosts_4 th dport { 443 } goto ct_set_cs5 comment "NextDNS4"
^^^^^^^^^^^^^^^^
@_FailSafe Not currently, but we could explore adding this without needing much in the way of rework.
I could possibly have a look at this later in the week (currently juggling a fair bit), but if you fancy having a look and making a PR yourself then I'd be happy to review and commit any enhancements
Right on--no worries! I'm not looking to add more onto your plate(s) at the moment. I currently have re-created these ipsets statically within the dscpclassify config, and that is working fine. Given that these ipset files are dynamically generated onto the disk by ipset definitions within DHCP/DNS settings, being able to re-use the files already on-disk would be pretty handy.
I'll take a look at potentially adding some code to handle this, but I'm kind of rusty and it might be ugly.
Thanks and take care, man!
Update 1:
@yelreve I took a bit to look into this tonight and thought I had a pretty decent gameplan cooked up, but I keep hitting a "Permission denied" error when attempting to read the existing ipset files (same issue with both the `cat` and `read -r` routes). Apparently, despite running as `root`, this seems to be a frowned-upon type of action from rc.local/procd. Looking for alternate routes, but coming up short at the moment.
Error:
root@OpenWrt:~# ls -la /tmp/ipset-nextdns_hosts_4
-rw-r--r-- 1 root root 213 Jul 21 21:00 /tmp/ipset-nextdns_hosts_4
root@OpenWrt:~# /etc/init.d/dscpclassify start
/etc/rc.common: eval: line 359: /tmp/ipset-nextdns_hosts_4: Permission denied
Is anyone interested in a script that displays the current nf_conntrack counts, grouped by mark type?
e.g.:
root@OpenWrt:~# /root/utility/get_conntrack_marks.sh
>>>>>>> IPv6 ToS Marks <<<<<<<
3 dec=0 | hex=0x0
237 dec=40 | hex=0x28
163 dec=128 | hex=0x80
>>>>>>> IPv4 ToS Marks <<<<<<<
36 dec=0 | hex=0x0
1 dec=1 | hex=0x1
2 dec=16 | hex=0x10
4 dec=18 | hex=0x12
2 dec=34 | hex=0x22
110 dec=40 | hex=0x28
4 dec=46 | hex=0x2e
4 dec=64 | hex=0x40
150 dec=128 | hex=0x80
If so, here's the script:
get_conntrack_marks.sh
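#!/bin/sh
# Count the entries in /proc/net/nf_conntrack, grouped by connection mark,
# separately for IPv6 and IPv4.
#
# ToS Conversion Chart: https://bytesolutions.com/dscp-tos-cos-presidence-conversion-chart/
#
# NOTE: the values printed are conntrack marks (the "mark=" field), not ToS
# bytes. With the dscpclassify ruleset, `ct mark & 0x3f` is looked up in the
# ct_dscp map, so the low six bits hold the DSCP code point (0x28 -> cs5),
# while ct_set_cs0 stores 0x40 and static_classify's last rule stores 0x80.
# The ToS byte seen in tcpdump is DSCP << 2, so mark 0x28 shows up there as
# tos 0xa0; a mark of 0x80 is not the same thing as tos 0x80.

CONNTRACK=/proc/net/nf_conntrack

# Fail with a clear message instead of printing empty sections when the
# conntrack table cannot be read.
if [ ! -r "$CONNTRACK" ]; then
    echo "cannot read $CONNTRACK" >&2
    exit 1
fi

# print_marks PREFIX
#   PREFIX is the text each wanted line starts with ("ipv4" or "ipv6").
#   Output: one line per distinct mark, prefixed by its count (uniq -c).
print_marks() {
    grep "^$1" "$CONNTRACK" \
        | grep -oE "mark=[0-9]+ " \
        | cut -d'=' -f2 \
        | sort -n \
        | while read -r mark; do
              # read strips the trailing blank left by the grep pattern;
              # quoting keeps printf at exactly two arguments.
              printf 'dec=%d | hex=0x%x\n' "$mark" "$mark"
          done \
        | uniq -c
}

echo ""
echo ">>>>>>> IPv6 ToS Marks <<<<<<<"
print_marks ipv6
echo ""
echo ">>>>>>> IPv4 ToS Marks <<<<<<<"
print_marks ipv4
echo ""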
Good day, I encountered an issue just now while capturing packets on wan with tcpdump/Wireshark: `ssh root@192.168.0.1 tcpdump -i wan -U -s0 -w - 'not port 22' | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -`
I'm getting af31 on random ports even though I do not DSCP-mark any of these ports in my config. I never encountered it when capturing on br-lan. My question is: can I put wash on the egress?
Sure, that is its main purpose: to allow DSCPs locally without leaking them into the ISP network.
I note some applications will simply opt to set af31 by themselves. However, I would expect these to also show on br-lan, UNLESS they come from traffic between the router and the internet (where the router itself is the end point).
So it's not needed at all to DSCP-mark traffic between the router and the internet(?), and I can leave it as is?
In all likelihood your ISP is just going to ignore any DSCPs you set and send their way, or remark them, or treat them to slightly more delay and jitter... unless you have a service level agreement in place with your ISP (which would likely cost money, so you would know).