Help me update my HFSC shaper scripts for fw4/nftables

It seems like your CPU is maxing out with CAKE. In my tests, HFSC wasn't as resource-intensive as CAKE...

I'm sorry, but I think I'm running out of ideas...

Here are a few things you can still try:

  • Double-check if everything is configured correctly. Also, if still present, delete the veth interface and reboot the router.
  • I noticed you're not using the latest version of OpenWrt. Update to the latest stable release.
  • Your network configuration doesn't seem to be the default. You might want to reset your router and see if the script works with default settings. If it does, you can gradually set up your network again.
  • It's also possible that you're running out of RAM...

I'll do that real quick and let you know. I just need help setting up br-lan with a VLAN and a Wi-Fi instead of having them separate like this:


Can you help me real quick?

Please open a separate thread if you need help setting up your network...

This is how my interface is looking atm:


I'll retry everything and let you know.

Can you help me understand one thing? Let's say I play Rocket League on Epic Games, and I want to help this script understand that I need the lowest latency possible for this game. I already put my PC's IP as a REALTIME4. What should I do next?

On step 6, I get the following: hfscscript not found

root@OpenWrt:~# service SimpleHFSCgamerscript start
grep: /etc/config/hfscscript: No such file or directory
Adding global configuration section...
sed: /etc/config/hfscscript: No such file or directory
Global configuration section added.
grep: /etc/config/hfscscript: No such file or directory
Adding enabled option to global section...
sed: /etc/config/hfscscript: No such file or directory
Enabled option added.
/etc/SimpleHFSCgamerscript.sh: line 44: syntax error: unexpected "("
Network configuration successfully completed.
sed: /etc/config/hfscscript: No such file or directory
root@OpenWrt:~#

Also, I presume my LAN int is: lan1

If you want to understand the script, please read the readme as I've mentioned multiple times. There's a whole section called "What this script does". But let me break it down for you in simpler terms.

Imagine you're managing traffic on a busy highway. This script is like a smart traffic control system for your internet connection. It sets up special lanes (we call them queues) for different types of internet traffic on your network.
The most important lane is reserved for online gaming. It's like a VIP lane for specific gaming devices you choose. This ensures your games run smoothly without lag or interruptions.
Then there are four other lanes for different types of internet activities:

  1. A fast lane for things like video calls, etc.
  2. A normal lane for everyday web browsing.
  3. A lane for downloads that can pause if other traffic needs to go through.
  4. A slow lane for activities that aren't time-sensitive, like overnight file sharing.

The cool thing is, when there's not much traffic, all traffic can use the full highway. But when it gets busy, the system makes sure important traffic (like your games) always has room to move quickly.

To ensure your gaming packets are directed to the realtime queue, you need to add your gaming device's IP address to either:

REALTIME4=
or
REALTIME6=

… depending on the IP protocol you're using. This configuration sends all UDP packets (which most games use rather than TCP) to the realtime queue, eliminating the need to prioritize specific ports used by your game.

This approach works particularly well for gaming consoles, where there's typically little UDP traffic other than gaming occurring simultaneously.

However, for PC gaming (which applies to your situation), this method can be counterproductive. PCs often have more background traffic, and some applications, like YouTube videos, use the QUIC protocol, which relies on UDP. If you're gaming on a PC while streaming YouTube music or videos, the YouTube traffic might end up in your realtime queue, consuming your bandwidth and potentially causing game lag.

To address this issue, you can add manual rules via the hfscscript config, as described here: https://github.com/hudra0/routerperf#custom-dscp-marking-rules

Important: If you decide to use custom DSCP marking rules, make sure to remove your gaming device's IP address from the REALTIME variable.

In general for high speed connections the realtime bandwidth should be around 10-15% of your bandwidth or less... But when your connections are slow (like your upload), we need them to be at least what the game actually needs. As a guideline, Call Of Duty used about 160kbps upstream and 320kbps downstream (I think it’s actually more now), so a good baseline is about double that each direction. By default we do something smart but you can adjust the script if needed, depending on the game you play. If you want to manually adjust, just set:

#GAMEUP=$((UPRATE*15/100+400))
#GAMEDOWN=$((DOWNRATE*15/100+400))

## you can try setting GAMEUP and GAMEDOWN manually, some report this works well for CoD
GAMEUP=400
GAMEDOWN=800

... as a starting point and evaluate how your game performs. Pay attention to your in-game ping and overall gameplay experience.


I bypass my issue with

/etc/SimpleHFSCgamerscript.sh
upon adding "#" on both of those lines:

#GAMEUP=$ "#"((UPRATE*15/100+400))
#GAMEDOWN=$ "#"((DOWNRATE*15/100+400))

Can you show me how you setup the script. Just show me the output of:

sed -n '1,/^#*\s*CUSTOMIZATIONS GO ABOVE THIS LINE\s*#*$/p' /etc/SimpleHFSCgamerscript.sh | sed '/^\s*$/d'

These lines are commented anyways...

#!/bin/sh

##############################
# General settings
##############################
# "atm" for old-school DSL, "DOCSIS" for cable modem, or "other" for anything else
LINKTYPE="ethernet" 
WAN=usb0 # Change this to your WAN device name
LAN=eth0 # Change to your LAN device if you don't use veth/bridge, leave it alone if you use veth
DOWNRATE=9000 # Change this to about 80% of your download speed (in kbps)
UPRATE=4000 # Change this to your kbps upload speed
OH=44 # Number of bytes of Overhead on your line
PRESERVE_CONFIG_FILES="yes"  # Set to "yes" to preserve, "no" to ignore during sysupgrade

##############################
# Downstream shaping method
##############################
DOWNSHAPING_METHOD="lan" # Options: "veth", "ctinfo", "lan"

## "ctinfo"  Uses connection tracking information to restore DSCP markings on incoming packets
## "veth" Utilizes a virtual Ethernet pair to control incoming traffic
## "lan" Applies traffic shaping directly on the LAN interface, (ideal) for environments with a single interface directed towards the LAN. 

##############################
# Veth-specific settings (only adjust if using the Veth setup)
##############################
LANBR=br-lan # LAN bridge interface name, only relevant if USEVETHDOWN is set to "yes"

##############################
# Performance settings
##############################

BWMAXRATIO=20 ## prevent ack floods by limiting download to at most
	      ## upload times this amount... ratio somewhere between
	      ## 10 and 20 probably optimal. we down-prioritize
	      ## certain ACKs to reduce the chance of a flood as well.

if [ $((DOWNRATE > UPRATE*BWMAXRATIO)) -eq 1 ]; then
    echo "We limit the downrate to at most $BWMAXRATIO times the upstream rate to ensure no upstream ACK floods occur which can cause game packet drops"
    DOWNRATE=$((BWMAXRATIO*UPRATE))
fi

## how many kbps of UDP upload and download do you need for your games across all gaming machines? 

## you can tune these yourself, but a good starting point is this formula. this script will not work for UPRATE less than about
## 600kbps or downrate less than about 1000kbps

GAMEUP=400 #((UPRATE*15/100+400))
GAMEDOWN=800 #((DOWNRATE*15/100+400))

## you can try setting GAMEUP and GAMEDOWN manually, some report this works well for CoD
#GAMEUP=400
#GAMEDOWN=800


##############################
# Qdisc selection
##############################

## Right now there are four possible leaf qdiscs: pfifo, red,
## fq_codel, or netem. If you use netem it's so you can intentionally
## add delay to your packets, set netemdelayms to the number of ms you
## want to add each direction. Our default is pfifo it is reported to
## be the best for use in the realtime queue

gameqdisc="pfifo"

#gameqdisc="netem"

##############################
# pfifo Qdisc Settings
##############################

# pfifo (Packet FIFO) is utilized for maintaining low latency and minimal packet loss,
# particularly suited for real-time applications like gaming. It operates by queuing packets
# in a first-in-first-out manner without any packet classification, ensuring fairness
# and simplicity in packet delivery.

PFIFOMIN=5 ## Minimum number of packets in pfifo
PACKETSIZE=450 # Bytes per game packet avg
MAXDEL=25 # Ms we try to keep max delay below for game packets after burst

##############################
# netem Qdisc Settings (Optional)
##############################

# netem (Network Emulator) is a tool for testing network conditions by simulating
# latency, packet loss, jitter, and other network phenomena. It's primarily used
# for testing and is not recommended for active gaming sessions as it intentionally
# introduces delay and variability to mimic different network conditions.

netemdelayms="1"
netemjitterms="7"
netemdist="normal"

pktlossp="none" # set to "none" for no packet loss, or use a fraction
		# like 0.015 for 1.5% packet loss in the realtime UDP
		# streams

#############################

if [ $gameqdisc != "fq_codel" -a $gameqdisc != "red" -a $gameqdisc != "pfifo" -a $gameqdisc != "netem" ]; then
    echo "Other qdiscs are not tested and do not work on OpenWrt yet anyway, reverting to red"
    gameqdisc="red"
fi
#############################

##############################
# Port/IP settings for traffic categorization
##############################

## Help the system prioritize your gaming by telling it what is bulk
## traffic ... define a list of udp and tcp ports used for bulk
## traffic such as torrents. By default we include the transmission
## torrent client default port 51413 and the default TCP ports for
## bittorrent. Use comma separated values or ranges A:B as shown. Set
## your torrent client to use a known port and include it here

UDPBULKPORT="51413"
TCPBULKPORT="51413,6881-6889"
VIDCONFPORTS="10000,3478-3479,8801-8802,19302-19309,5938,53"
REALTIME4="192.168.1.2" # example, just add all your game console here
REALTIME6="fd90::129a" ## example only replace with game console
LOWPRIOLAN4="192.168.109.2" # example, add your low priority lan machines here
LOWPRIOLAN6="fd90::129a" ## example, add your low priority lan ipv6 PUBLIC addr here

# Set the ACK rate to 5% of the upload bandwidth. This allocation helps ensure that ACK packets,
# which are essential for maintaining smooth TCP connections, do not overwhelm the network.
# By limiting ACK traffic to a small percentage of the total bandwidth, we prevent these packets
# from interfering with higher priority gaming traffic, thus reducing latency and improving
# overall network performance during gaming sessions.
ACKRATE="$(($UPRATE * 5 / 100))" # auto mode - or set manually
#ACKRATE="300"  ## 300-600 is a good starting point - or leave blank to disable

FIRST500MS=$((DOWNRATE * 500 / 8)) # downrate * 500/8
FIRST10S=$((DOWNRATE * 10000 / 8)) # downrate * 10000/8

# Control whether to limit UDP traffic going faster than 450 pps
UDP_RATE_LIMIT_ENABLED="yes"  # Set to "yes" to enable or "no" to disable

##############################
#  Traffic washing settings
##############################

WASHDSCPUP="yes"
WASHDSCPDOWN="yes"

######################################## CUSTOMIZATIONS GO ABOVE THIS LINE ###############################################
##########################################################################################################################

Also please stop posting configs as screenshots. You can just show us your config as a preformatted text...

  • edit /etc/hfscscript to add any additional rules you want to use for custom DSCP tagging - examples are in the config

File not found at that location.

This seems wrong... shouldn't be the same interface. If this is your real WAN interface, leave it and remove the LAN variable (leave it blank), as you don't need it when you are using ctinfo...

Please use "ctinfo" as downshaping method

Do you get any output when you start the script?

 backlog 0b 0p requeues 0
  maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0
  new_flows_len 0 old_flows_len 0
qdisc fq_codel 8029: dev eth0 parent 1:12 limit 10240p flows 1024 quantum 3000 target 4ms interval 102ms memory_limit 225000b ecn drop_batch 64
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0
  new_flows_len 0 old_flows_len 0
qdisc pfifo 10: dev eth0 parent 1:11 limit 67p
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc fq_codel 802a: dev eth0 parent 1:13 limit 10240p flows 1024 quantum 3000 target 4ms interval 102ms memory_limit 225000b ecn drop_batch 64
 Sent 162 bytes 1 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 162 drop_overlimit 0 new_flow_count 1 ecn_mark 0
  new_flows_len 1 old_flows_len 0
qdisc fq_codel 802c: dev eth0 parent 1:15 limit 10240p flows 1024 quantum 3000 target 4ms interval 102ms memory_limit 225000b ecn drop_batch 64
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0
  new_flows_len 0 old_flows_len 0
qdisc noqueue 0: dev lan1 root refcnt 2
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc noqueue 0: dev lan2 root refcnt 2
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc noqueue 0: dev lan3 root refcnt 2
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc hfsc 1: dev usb0 root refcnt 2 default 13
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc fq_codel 8026: dev usb0 parent 1:13 limit 10240p flows 1024 quantum 3000 target 5ms interval 106ms memory_limit 100000b ecn drop_batch 64
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0
  new_flows_len 0 old_flows_len 0
qdisc pfifo 10: dev usb0 parent 1:11 limit 32p
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc fq_codel 8028: dev usb0 parent 1:15 limit 10240p flows 1024 quantum 3000 target 5ms interval 106ms memory_limit 100000b ecn drop_batch 64
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0
  new_flows_len 0 old_flows_len 0
qdisc fq_codel 8025: dev usb0 parent 1:12 limit 10240p flows 1024 quantum 3000 target 5ms interval 106ms memory_limit 100000b ecn drop_batch 64
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0
  new_flows_len 0 old_flows_len 0
qdisc fq_codel 8027: dev usb0 parent 1:14 limit 10240p flows 1024 quantum 3000 target 5ms interval 106ms memory_limit 100000b ecn drop_batch 64
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0
  new_flows_len 0 old_flows_len 0
qdisc noqueue 0: dev br-lan root refcnt 2
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc noqueue 0: dev phy1-sta0 root refcnt 2
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0

I would like to understand which one is my LAN under the bridge VLAN.
The only cable connected to the router is this PC and the WAN coming from the USB.

root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr E8:9C:25:61:D2:AE
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::ea9c:25ff:fe61:d2ae/64 Scope:Link
          inet6 addr: fd6e:8b30:329f::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14668 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15156 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1928407 (1.8 MiB)  TX bytes:8335265 (7.9 MiB)

eth0      Link encap:Ethernet  HWaddr AA:96:C5:5C:53:B7
          inet6 addr: fe80::a896:c5ff:fe5c:53b7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1504  Metric:1
          RX packets:14813 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15549 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2203557 (2.1 MiB)  TX bytes:8429613 (8.0 MiB)
          Interrupt:129

lan1      Link encap:Ethernet  HWaddr E8:9C:25:61:D2:AE
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14813 errors:0 dropped:11 overruns:0 frame:0
          TX packets:15172 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1936923 (1.8 MiB)  TX bytes:8338675 (7.9 MiB)

lan2      Link encap:Ethernet  HWaddr AA:96:C5:5C:53:B7
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan3      Link encap:Ethernet  HWaddr AA:96:C5:5C:53:B7
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:76 errors:0 dropped:0 overruns:0 frame:0
          TX packets:76 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10164 (9.9 KiB)  TX bytes:10164 (9.9 KiB)

phy1-sta0 Link encap:Ethernet  HWaddr EA:9C:25:71:D2:AF
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

usb0      Link encap:Ethernet  HWaddr B2:BE:56:3C:3E:D9
          inet addr:192.168.42.25  Bcast:192.168.42.255  Mask:255.255.255.0
          inet6 addr: fe80::b0be:56ff:fe3c:3ed9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11373 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9401 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5244067 (5.0 MiB)  TX bytes:1889171 (1.8 MiB)


Please follow my instructions:

You don't need a lan interface if you use ctinfo

#!/bin/sh

##############################
# General settings
##############################
# "atm" for old-school DSL, "DOCSIS" for cable modem, or "other" for anything else
LINKTYPE="ethernet"
WAN=usb0 # Change this to your WAN device name
LAN= # Change to your LAN device if you don't use veth/bridge, leave it alone if you use veth
DOWNRATE=9000 # Change this to about 80% of your download speed (in kbps)
UPRATE=4000 # Change this to your kbps upload speed
OH=44 # Number of bytes of Overhead on your line
PRESERVE_CONFIG_FILES="yes"  # Set to "yes" to preserve, "no" to ignore during sysupgrade

##############################
# Downstream shaping method
##############################
DOWNSHAPING_METHOD="ctinfo" # Options: "veth", "ctinfo", "lan"

## "ctinfo"  Uses connection tracking information to restore DSCP markings on incoming packets
## "veth" Utilizes a virtual Ethernet pair to control incoming traffic
## "lan" Applies traffic shaping directly on the LAN interface, (ideal) for environments with a single interface directed towards the LAN.


Good, what is the output of:

service SimpleHFSCgamerscript status
  maxpacket 1456 drop_overlimit 0 new_flow_count 5402 ecn_mark 0
  new_flows_len 0 old_flows_len 3
qdisc pfifo 10: dev ifb-usb0 parent 1:11 limit 67p
 Sent 10776 bytes 25 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc fq_codel 803b: dev ifb-usb0 parent 1:14 limit 10240p flows 1024 quantum 3000 target 4ms interval 102ms memory_limit 225000b ecn drop_batch 64
 Sent 109 bytes 1 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 109 drop_overlimit 0 new_flow_count 1 ecn_mark 0
  new_flows_len 1 old_flows_len 0
qdisc fq_codel 803a: dev ifb-usb0 parent 1:13 limit 10240p flows 1024 quantum 3000 target 4ms interval 102ms memory_limit 225000b ecn drop_batch 64
 Sent 8624 bytes 60 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 203 drop_overlimit 0 new_flow_count 57 ecn_mark 0
  new_flows_len 1 old_flows_len 0
qdisc fq_codel 803c: dev ifb-usb0 parent 1:15 limit 10240p flows 1024 quantum 3000 target 4ms interval 102ms memory_limit 225000b ecn drop_batch 64
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0
  new_flows_len 0 old_flows_len 0

==== Nftables Ruleset: dscptag ====
        chain dscptag {
                type filter hook forward priority filter; policy accept;
                ip dscp set cs0 counter packets 80817 bytes 65552213
                ip6 dscp set cs0 counter packets 0 bytes 0
                ip protocol udp udp sport 51413 ip dscp set cs1 counter packets 0 bytes 0
                ip6 nexthdr udp udp sport 51413 ip6 dscp set cs1 counter packets 0 bytes 0
                ip protocol udp udp dport 51413 ip dscp set cs1 counter packets 0 bytes 0
                ip6 nexthdr udp udp dport 51413 ip6 dscp set cs1 counter packets 0 bytes 0
                ip protocol tcp tcp sport { 6881-6889, 51413 } ip dscp set cs1 counter packets 0 bytes 0
                ip6 nexthdr tcp tcp sport { 6881-6889, 51413 } ip6 dscp set cs1 counter packets 0 bytes 0
                ip protocol tcp tcp dport { 6881-6889, 51413 } ip dscp set cs1 counter packets 0 bytes 0
                ip6 nexthdr tcp tcp dport { 6881-6889, 51413 } ip6 dscp set cs1 counter packets 0 bytes 0
                ip protocol tcp tcp flags & ack == ack meta length < 100 add @xfst4ack { ip daddr . ip saddr . tcp dport . tcp sport limit rate over 20000/second } counter packets 0 bytes 0 jump drop995
                ip protocol tcp tcp flags & ack == ack meta length < 100 add @fast4ack { ip daddr . ip saddr . tcp dport . tcp sport limit rate over 2000/second } counter packets 0 bytes 0 jump drop95
                ip protocol tcp tcp flags & ack == ack meta length < 100 add @med4ack { ip daddr . ip saddr . tcp dport . tcp sport limit rate over 200/second } counter packets 1574 bytes 96487 jump drop50
                ip protocol tcp tcp flags & ack == ack meta length < 100 add @slow4ack { ip daddr . ip saddr . tcp dport . tcp sport limit rate over 200/second } counter packets 764 bytes 46900 jump drop50
                ip protocol udp udp dport { 53, 3478-3479, 5938, 8801-8802, 10000, 19302-19309 } ip dscp set cs4 counter packets 0 bytes 0
                ip6 nexthdr udp udp dport { 53, 3478-3479, 5938, 8801-8802, 10000, 19302-19309 } ip6 dscp set cs4 counter packets 0 bytes 0
                ip protocol udp ip daddr 192.168.1.2 ip dscp set cs5 counter packets 5002 bytes 4960085
                ip protocol udp ip saddr 192.168.1.2 ip dscp set cs5 counter packets 3237 bytes 739210
                ip6 nexthdr udp ip6 daddr fd90::129a ip6 dscp set cs5 counter packets 0 bytes 0
                ip6 nexthdr udp ip6 saddr fd90::129a ip6 dscp set cs5 counter packets 0 bytes 0
                ip protocol udp ip daddr 192.168.109.2 ip dscp set cs2 counter packets 0 bytes 0
                ip protocol udp ip saddr 192.168.109.2 ip dscp set cs2 counter packets 0 bytes 0
                ip6 nexthdr udp ip6 daddr fd90::129a ip6 dscp set cs2 counter packets 0 bytes 0
                ip6 nexthdr udp ip6 saddr fd90::129a ip6 dscp set cs2 counter packets 0 bytes 0
                ip protocol udp ip dscp > cs2 add @udp_meter4 { ip saddr . ip daddr . udp sport . udp dport limit rate over 450/second } counter packets 126 bytes 108679 ip dscp set cs2 counter packets 126 bytes 108679
                ip6 nexthdr udp ip6 dscp > cs2 add @udp_meter6 { ip6 saddr . ip6 daddr . udp sport . udp dport limit rate over 450/second } counter packets 0 bytes 0 ip6 dscp set cs2 counter packets 0 bytes 0
                ip protocol tcp ct bytes < 562500 ip dscp < cs4 ip dscp set cs2 counter packets 24245 bytes 17000110
                ip protocol tcp ct bytes > 11250000 ip dscp < cs4 ip dscp set cs1 counter packets 0 bytes 0
                ip protocol tcp add @slowtcp4 { ip saddr . ip daddr . tcp sport . tcp dport limit rate 150/second burst 150 packets } ip dscp set cs4 counter packets 70903 bytes 59124040
                ip6 nexthdr tcp add @slowtcp6 { ip6 saddr . ip6 daddr . tcp sport . tcp dport limit rate 150/second burst 150 packets } ip6 dscp set cs4 counter packets 0 bytes 0
                meta priority set ip dscp map @priomap counter packets 79620 bytes 65478758
                meta priority set ip6 dscp map @priomap counter packets 0 bytes 0
                meta nfproto ipv4 ct mark set @nh,8,8 & 0xfc [invalid type] | 0x80 counter packets 79620 bytes 65478758
                meta nfproto ipv6 ct mark set @nh,0,16 & 0xfc0 [invalid type] | 0x80 counter packets 0 bytes 0
                oifname "usb0" ip dscp set cs0
                oifname "usb0" ip6 dscp set cs0
        }
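
One way to read the `tc` part of the status output above at a glance, as an added example that is not part of the thread or of the script's own code: it sums packets per leaf queue and reports whether the realtime leaf carries traffic. The function names are hypothetical, the sample lines are abridged from the output posted above, and treating class 1:11 as the realtime queue is an assumption based on the pfifo leaf shown there.

```shell
#!/bin/sh
# Added example, not part of SimpleHFSCgamerscript.
# Summarizes `tc -s qdisc` output and reports, per device, whether the
# realtime leaf queue is actually receiving packets.

# Sample input: lines abridged from the status output posted in the thread.
sample_tc_output() {
cat <<'EOF'
qdisc hfsc 1: dev usb0 root refcnt 2 default 13
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc pfifo 10: dev usb0 parent 1:11 limit 32p
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc pfifo 10: dev ifb-usb0 parent 1:11 limit 67p
 Sent 10776 bytes 25 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc fq_codel 803a: dev ifb-usb0 parent 1:13 limit 10240p flows 1024 quantum 3000 target 4ms interval 102ms memory_limit 225000b ecn drop_batch 64
 Sent 8624 bytes 60 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 203 drop_overlimit 0 new_flow_count 57 ecn_mark 0
EOF
}

# Reads `tc -s qdisc` text on stdin.
# Prints one line per qdisc: <dev> <parent|root> <kind> <pkts> <dropped>
queue_summary() {
    awk '
    $1 == "qdisc" {
        dev = ""; parent = "root"; kind = $2
        for (i = 3; i <= NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "parent") parent = $(i + 1)
        }
        next
    }
    # Stats line: "Sent <bytes> bytes <pkts> pkt (dropped <n>, ..."
    $1 == "Sent" && dev != "" {
        drop = $7; sub(/,/, "", drop)
        print dev, parent, kind, $4 + 0, drop + 0
        dev = ""
    }'
}

# Reads `tc -s qdisc` text on stdin; $1 is the realtime class id
# (assumed 1:11). Prints one verdict line per device, sorted by name:
#   idle     - realtime leaf exists but has seen no packets
#   dropping - realtime leaf has dropped packets
#   ok       - realtime leaf carries traffic without drops
realtime_verdict() {
    queue_summary | awk -v cls="${1:-1:11}" '
    $2 != "root" { total[$1] += $4 }          # leaves only, root would double count
    $2 == cls    { rt[$1] = $4; drops[$1] = $5; seen[$1] = 1 }
    END {
        for (d in seen) {
            if (rt[d] == 0)        v = "idle"
            else if (drops[d] > 0) v = "dropping"
            else                   v = "ok"
            printf "%s realtime=%d/%d pkts dropped=%d %s\n", d, rt[d], total[d], drops[d], v
        }
    }' | sort
}

# Demo on the embedded sample; on a router use: tc -s qdisc | realtime_verdict
sample_tc_output | realtime_verdict
```

An "idle" verdict on the download-side device while a game is running means the marked packets are not reaching that queue, which is the symptom the switch from "lan" to "ctinfo" addressed in this thread.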