Help me update my HFSC shaper scripts for fw4/nftables

I've made several changes to the script that should further simplify the setup and logic of the script and pushed them to my GitHub repo.

In addition to fixing a few bugs, I've implemented a new method for shaping inbound traffic (ingress) without the need for a virtual Ethernet (veth) interface, and it works even when there are multiple ports/bridges (including Wi-Fi) on the LAN side. This new method uses tc-ctinfo.
Simply put, DSCP markings are saved in conntrack during upload (egress) and then restored during download (ingress). This new way of shaping download traffic could potentially make the veth method and the method where traffic control is applied directly on the LAN interface obsolete. However, the function that allows me to easily store the DSCPs in conntrack:

ct mark set ip dscp or 128 counter

only works from nftables version 1.0.8 onwards, and since I don't know if every user has this version yet, there are now three options for shaping download traffic:

DOWNSHAPING_METHOD="ctinfo" # Options: "veth", "ctinfo", "lan"

The init script should ideally check whether kmod-sched-ctinfo is installed at startup. To determine whether your version of nftables is compatible, you can execute the following command: nft --version

Ctinfo should even work if DSCPs are being washed during upload or download. At least it did when I tested it...

Special thanks to @Lynx. cake-qos-simple was a big help.

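The startup check described in the post above, sketched as an added example (not part of the original post or the author's script): it parses the `nft --version` line, compares it against 1.0.8, and only selects "ctinfo" when kmod-sched-ctinfo is also present. The function names, the "veth" fallback and the sample version lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: choose DOWNSHAPING_METHOD from the nftables version and
# the presence of kmod-sched-ctinfo. Not taken from the author's script.

MIN_NFT_VERSION="1.0.8"    # minimum version stated in the post
FALLBACK_METHOD="veth"     # assumption: the post does not name a fallback

# Extract "X.Y.Z" from a line such as "nftables v1.0.8 (Old Doc Yak #2)".
parse_nft_version() {
    printf '%s\n' "$1" | sed -n 's/^nftables v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if version $1 >= version $2, comparing three numeric fields.
# Padding with ".0.0" makes short versions such as "1.1" compare correctly.
version_ge() {
    v1="$1.0.0"
    v2="$2.0.0"
    for i in 1 2 3; do
        a=$(printf '%s' "$v1" | cut -d. -f"$i")
        b=$(printf '%s' "$v2" | cut -d. -f"$i")
        if [ "${a:-0}" -gt "${b:-0}" ]; then return 0; fi
        if [ "${a:-0}" -lt "${b:-0}" ]; then return 1; fi
    done
    return 0
}

# $1: output line of `nft --version`; $2: "yes" if kmod-sched-ctinfo is installed.
# Prints "ctinfo" only when both requirements are met, else the fallback.
select_downshaping_method() {
    ver=$(parse_nft_version "$1")
    if [ -n "$ver" ] && [ "$2" = "yes" ] && version_ge "$ver" "$MIN_NFT_VERSION"; then
        echo "ctinfo"
    else
        echo "$FALLBACK_METHOD"
    fi
}

# Live use on the router (assumes opkg is the package manager):
#   ctinfo=no
#   opkg list-installed | grep -q '^kmod-sched-ctinfo ' && ctinfo=yes
#   DOWNSHAPING_METHOD=$(select_downshaping_method "$(nft --version)" "$ctinfo")
```

An unparsable version line is treated the same as a version that is too old, so the script never selects "ctinfo" on a guess.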