DSCP Classify - a service for applying DSCP to connections

I still have traffic in the video class and I only have one rule

root@OpenWrt:~# tc -s qdisc
qdisc noqueue 0: dev lo root refcnt 2
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc cake 800d: dev eth0 root refcnt 6 bandwidth 17Mbit diffserv4 dual-srchost                                                                                                                                                                                                nat nowash ack-filter split-gso rtt 100ms noatm overhead 22
 Sent 243721080 bytes 1215038 pkt (dropped 67866, overlimits 1152712 requeues 90                                                                                                                                                                                               )
 backlog 0b 0p requeues 90
 memory used: 650452b of 4Mb
 capacity estimate: 17Mbit
 min/max network layer size:           28 /    1500
 min/max overhead-adjusted size:       50 /    1522
 average network hdr offset:           14

                   Bulk  Best Effort        Video        Voice
  thresh       1062Kbit       17Mbit     8500Kbit     4250Kbit
  target         17.1ms          5ms          5ms          5ms
  interval        112ms        100ms        100ms        100ms
  pk_delay          0us        180us          6us         18us
  av_delay          0us         23us          0us          3us
  sp_delay          0us          1us          0us          1us
  backlog            0b           0b           0b           0b
  pkts                0      1280925           82         1897
  bytes               0    248483453         7380        97690
  way_inds            0        15964            0           69
  way_miss            0        35702           82          384
  way_cols            0            0            0            0
  drops               0          223            0            0
  marks               0            0            0            0
  ack_drop            0        67643            0            0
  sp_flows            0            1            1            0
  bk_flows            0            1            0            0
  un_flows            0            0            0            0
  max_len             0        14740           90          329
  quantum           300          518          300          300

qdisc ingress ffff: dev eth0 parent ffff:fff1 ----------------
 Sent 4965741340 bytes 4831381 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc fq_codel 0: dev eth1 root refcnt 2 limit 10240p flows 1024 quantum 1514 ta                                                                                                                                                                                               rget 5ms interval 100ms memory_limit 4Mb ecn drop_batch 64
 Sent 7342838106 bytes 5942565 pkt (dropped 0, overlimits 0 requeues 2)
 backlog 0b 0p requeues 2
  maxpacket 1406 drop_overlimit 0 new_flow_count 18 ecn_mark 0
  new_flows_len 0 old_flows_len 0
qdisc fq_codel 0: dev eth2 root refcnt 2 limit 10240p flows 1024 quantum 1514 ta                                                                                                                                                                                               rget 5ms interval 100ms memory_limit 4Mb ecn drop_batch 64
 Sent 1481721382 bytes 1237054 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 1330 drop_overlimit 0 new_flow_count 11 ecn_mark 0
  new_flows_len 0 old_flows_len 0
qdisc noqueue 0: dev br-lan root refcnt 2
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc cake 800e: dev ifb4eth0 root refcnt 2 bandwidth 90Mbit diffserv4 dual-dsth                                                                                                                                                                                               ost nat nowash ingress no-ack-filter split-gso rtt 100ms noatm overhead 22
 Sent 5031650241 bytes 4826481 pkt (dropped 4900, overlimits 6775916 requeues 0)                                                                                                                                                                                               
 backlog 0b 0p requeues 0
 memory used: 3168893b of 4500000b
 capacity estimate: 90Mbit
 min/max network layer size:           46 /    1500
 min/max overhead-adjusted size:       68 /    1522
 average network hdr offset:           14

                   Bulk  Best Effort        Video        Voice
  thresh       5625Kbit       90Mbit       45Mbit    22500Kbit
  target            5ms          5ms          5ms          5ms
  interval        100ms        100ms        100ms        100ms
  pk_delay         23us       11.9ms         23us         49us
  av_delay          1us       9.82ms          1us          2us
  sp_delay          1us        192us          1us          0us
  backlog            0b           0b           0b           0b
  pkts              321      4132972           83       698005
  bytes           19701   4992705421         7446     46086070
  way_inds            0        39508            0            0
  way_miss          261        33473           83          375
  way_cols            0            0            0            0
  drops               0         4900            0            0
  marks               0            6            0            0
  ack_drop            0            0            0            0
  sp_flows            1            1            1            1
  bk_flows            0            1            0            0
  un_flows            0            0            0            0
  max_len           189        10598           90          365
  quantum           300         1514         1373          686

root@OpenWrt:~#

Following up on a similar question from @N1K...

Is there a good way to change the mark of ingress traffic from CS1 to CS0? Being a Comcast customer, I get a lot of traffic they have marked CS1. Essentially, traffic coming in marked CS1 stays that way if there was no existing conntrack mark known to dscpclassify.

i started something here yesterday click

Comcast has recently investigated that matter, with help from this forum. I would guess they are interested in your feedback whether that fix does work, assuming it is deployed already.
See:

and re-check whether the issue still exists, if yes, maybe write a PN to @jlivingood (it is rare that someone of the caliber of Jason Livingood gets involved in such low level details, so ComCast really seems to care about that issue).

Definitely still an issue today. I'll temporarily revert to layer_cake and besteffort ingress since a proper upstream fix appears to be on the way. Thanks for the information.

while playing COD I was getting data bursts and data loss and it looks like on the other side of my network someone was updating windows shouldn't this trigger the "Dynamic classification" service?

something else when I edit the rules they don't change, I tried restarting and nothing.

Is there any way to use DNS addresses with dscpclassify. I'd love to be able to move all traffic to/from any server with 'youtube' in the name to a lower priority. Is that possible?

After some googling, it seems like a nftset is needed to do what I want. I'm not sure if this process can be simplified vs using dnsmasq directly (or maybe it is already simplified - I have hard time finding everything fw4 syntax allows) but I did notice that the stripped down version of dnsmasq that comes with openwrt has 'no-conntrack'. Does this mean dscpclassify needs to use dnsmasq-full to function properly? I know I need dnsmasq-full to get access to 'nftset'.

dnsmasq -v
Dnsmasq version 2.89  Copyright (c) 2000-2022 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile

Regarding backup, which additional directories do i need to add into the backup list?
These should be okay right?

/etc/dscpclassify.d
/etc/hotplug.d/iface/21-dscpclassify
/etc/init.d/dscpclassify
/usr/lib/sqm/layer_cake_ct.qos
/usr/lib/sqm/layer_cake_ct.qos.help

Hello my friend, remember me, you told me you would help me with this dscpclassify configuration, I did everything the tutorial asked, but nothing worked for me, I need help, I'm still new to the subject. Thank you very much in advance

Dopan, I wanted to know how you can see the dscp of port 3074, because when I'm using wireshark and I open the CodWarzone game, it simply doesn't open, so I don't know if it's really marking my game.

First of all, please read through the Readme of dscpclassify on github so you get a better understanding of what it does.

The next step is very important: If you have been using qosify before you will have to disable the qosify service and then restart your router.

service qosify disable
reboot

Then, you have two options for installing dscpclassify:

1. You can install dscpclassify as instructed on the readme. Drawback here is you will probably have to reinstall the service every time you update your openwrt router. Also, to not lose your config files/folders after updating it’s best if you include all files from the service in your /etc/sysupgrade.conf

2. (Advanced users) You can grab the makefile from github and build your own custom OpenWrt image from source with dscpclassify baked in. That’s how I do it.

If the service is installed you have to edit /etc/config/dscpclassify:
For Cod you actually only need this line:

config rule
    option name 'Cod2'
    option proto 'udp'
    option dest_port '30000-65535'
    option src_port '3074'
    option src_ip '192.168.1.208'   
    option class 'cs4'
    option counter '1'

This makes all Cod gaming packets go into the cake Voice tin (if you use diffserv4) which we will set up with sqm in the next step...
If you want my full config here you go (also there are good examples in the default config):

config global 'global'
	option class_bulk 'le'
	option class_high_throughput 'af13'
	option client_hints '1'
	option threaded_client_min_bytes '10000'
	option threaded_service_min_bytes '1000000'
	option wmm '0'

config rule
	option name 'iot'
	list proto 'tcp'
	list proto 'udp'
	option src_ip '192.168.15.0/24'	
	option class 'cs1'
	option counter '1'

config rule
	option name 'iot'
	list proto 'tcp'
	list proto 'udp'
	option dest_ip '192.168.15.0/24'	
	option class 'cs1'
	option counter '1'	

config set
	option name 'DowngradeServer'
	option family 'ipv4'
	option interval '1'
	list entry '192.168.1.50' 
	list entry '192.168.1.66' 	
	list entry '192.168.1.77' 
	list entry '192.168.1.123' 	

config rule
	option name 'DowngradeServer'
	list proto 'tcp'
	list proto 'udp'
	option src_ip '@DowngradeServer'
	option class 'cs1'
	option family 'ipv4'	
	option counter '1'			

config rule
	option name 'DNS'
	list proto 'tcp'
	list proto 'udp'
	list dest_port '53'
	list dest_port '853'
	list dest_port '5353'
	list dest_port '54'
	option class 'cs3'
	option counter '1'

config rule
	option name 'NTP'
	option proto 'udp'
	option dest_port '123'
	option class 'cs3'
	option counter '1'	

config rule
	option name 'SSH'
	option proto 'tcp'
	option dest_port '22'
	option class 'cs2'
	option counter '1'

config rule
	option name 'Cod TCP'
	option proto 'tcp'
	option src_port '3074'
	option class 'cs3'
	option src_ip '192.168.1.208'
	option counter '1'

config rule
	option name 'Cod TCP 2'
	option proto 'tcp'
	option dest_port '3074'
	option class 'cs3'
	option src_ip '192.168.1.208'
	option counter '1'

config rule
	option name 'Cod UDP'
	option proto 'udp'
	option dest_port '30000-65535'
	option src_port '3074'
	option src_ip '192.168.1.208'	
	option class 'cs4'
	option counter '1'

config rule
	option name 'xdefiant'
	option proto 'udp'
	option dest_port '22000-22020'
	option src_ip '192.168.1.208'	
	option class 'cs4'
	option counter '1'


#config rule
#	option name 'waveformtest'
#	list proto 'tcp'
#	list proto 'udp'
#	option dest_port '443'
#	option src_ip '192.168.1.208'	
#	option class 'cs4'
#	option counter '1'

#config rule
#    option name 'udp gaming'
#    option proto 'udp'
#    option src_ip '192.168.1.208'
#	list dest_port '!80'
#	list dest_port '!443'
#	option class 'af41'
#    option family 'ipv4'
#	option counter '1'	

config rule
	option name 'DirectAccesWork'
	option proto 'tcp'
	option dest_port '443'
	option src_ip '192.168.1.190'	
	option class 'cs3'
	option counter '1'

config rule
	option name 'TeamViewer'
	option proto 'tcp'
	option dest_port '5938'
	option src_ip '192.168.1.190'	
	option class 'cs3'
	option counter '1'

config rule
	option name 'ICMP'
	option proto 'icmp'
	option class 'cs3'
	option enabled '1'
	option counter '1'

Then you will have to setup sqm for your wan interface with your appropriate speeds. The important part here is to use “cake” + “layer_cake_ct.qos” under queue discipline.

Just for reference. Here is my sqm config:

config queue 'eth1'
	option debug_logging '0'
	option verbosity '5'
	option qdisc_advanced '1'
	option ingress_ecn 'ECN'
	option egress_ecn 'ECN'
	option qdisc_really_really_advanced '1'
	option interface 'eth1'
	option qdisc 'cake'
	option script 'layer_cake_ct.qos'
	option squash_ingress '0'
	option squash_dscp '0'
	option linklayer 'ethernet'
	option download '90000'
	option enabled '1'
	option iqdisc_opts 'nat dual-dsthost ingress diffserv4 rtt 25ms wash'
	option eqdisc_opts 'nat dual-srchost diffserv4 rtt 25ms'
	option upload '45000'
	option overhead '44'
	option linklayer_advanced '1'
	option tcMTU '2047'
	option tcTSIZE '128'
	option tcMPU '64'
	option linklayer_adaptation_mechanism 'default'

Then you should be good to go!

You can check if dscpclassify is working by entering the following command and checking if the packet counters rise:

nft list chain inet dscpclassify static_classify

Or just go to Luci Status/Firewall and search for your rules

Cod shuts down every time you use wireshark. That’s how it always has been.

You can just install and use tcpdump on your router to inspect your packets. Here are a few examples. Make sure to use the ip of the gaming device and the corresponding interface.

## Whole traffic
tcpdump host 192.168.1.208 -i br-lan -v -n

or

tcpdump host 192.168.1.208 -i eth1 -v -n

## Only udp traffic on port 3074
tcpdump udp port 3074 -i br-lan -v -n

## Save the output to a pcap file on /temp on your router. Then you can copy it to your pc and open it with wireshark
tcpdump host 192.168.1.208 -i br-lan -w /tmp/capturefile.pcap

One more addition, if you only have one computer you can use screen on the router to be able to let tcpdump running while you log out:
opkg update ; opkg install screen
then log in via SSH and use the following command to create a new screen session:
screen -RR tcpdump # note tcpdump is an arbitrary name you can change as you like

start tcpdump these, then use CTR-a-d to detach that session, if you call screen -RR tcpdump again you will be back at the running prompt...
That can occasionally be quite useful

hi ! yes you can use the config of hudra i sugere to take the repo here the most recent and update Ldir

Hydra, I always reset my router to new settings, I think it's better.

Of course, you can reset your router every time you try something new but you don’t have to if you just want to try out dscpclassify and also this is not what I meant. What I actually meant is if you are using qosify now and you then want to try out dscpclassify + sqm you have to restart your router.
There is a bug with qosify. Not all tc parameters get flushed/removed when the service is disabled. If I remember correctly “tc clsact” on ingress does not get removed. You can do it manually but disabling qosify and then rebooting solves this issue. I wanted to open a github issue but I forgot about it.

But I wanted to see if my dscp is actually being marked with cs4 and it seems that tcpdump doesn't show this, or am I mistaken

Tcpdump shows the tos value 0x80 = cs4

https://www.tucny.com/Home/dscp-tos