NFtables and QoS in 2021

I've removed the maps, added timeouts to the sets, and updated the ct mark statements. If you use ctinfo_layercake.qos, comment out the `ipt_setup` line near the bottom of that script (inside `sqm_prepare_script()`), so that it looks like this:

sqm_prepare_script() {
        # Load the kernel modules the script needs, then bail out unless
        # $QDISC can be used as "cake".
        do_modules
        if ! verify_qdisc $QDISC "cake"; then
                return 1
        fi
        # ipt_setup is deliberately left commented out when the nftables
        # cttags table is in use (see the note above).
#       ipt_setup
}

Below is the updated cttags table from my own file.

/etc/nftables.conf excerpt (the `$wan` variable used in the `in_dscp` chain is not defined here and is expected to come from earlier in the file):
table inet cttags {
        # Egress QoS tagging for traffic leaving via $wan ($wan is not defined in
        # this excerpt and must come from elsewhere in the ruleset).  Flows are
        # classified to a DSCP value either by the address sets below (filled
        # externally, e.g. by dnsmasq) or by explicit address/port rules, and the
        # resulting DSCP is copied into the top 6 bits of the conntrack mark so
        # act_ctinfo can restore it on the other direction.
        #
        # ct mark layout written by this table:
        #   bits 26-31  DSCP value (0-63)
        #   bit  25     0x2000000 - flow has already been classified here
        #   bit  24     0x1000000 - set together with bit 25 (0x3000000) when the
        #                           DSCP was taken from the LAN host's own marking
        #   bits 0-23   never set by this table

        # Address sets: an entry expires one day after being added unless it is
        # refreshed, and each element keeps its own packet/byte counters.
        set bulk4 {
                type ipv4_addr
                timeout 1d
                counter
                comment "Bulk IPv4"
        }

        set bulk6 {
                type ipv6_addr
                timeout 1d
                counter
                comment "Bulk IPv6"
        }

        # Currently unused: the besteffort rules in cttags are commented out.
        set besteffort4 {
                type ipv4_addr
                timeout 1d
                counter
                comment "BE IPv4"
        }

        set besteffort6 {
                type ipv6_addr
                timeout 1d
                counter
                comment "BE IPv6"
        }

        set video4 {
                type ipv4_addr
                timeout 1d
                counter
                comment "Video IPv4"
        }

        set video6 {
                type ipv6_addr
                timeout 1d
                counter
                comment "Video IPv6"
        }

        set voice4 {
                type ipv4_addr
                timeout 1d
                counter
                comment "Voice IPv4"
        }

        set voice6 {
                type ipv6_addr
                timeout 1d
                counter
                comment "Voice IPv6"
        }

        # Table-scoped defines for the port rules in cttags.
        define facetime_ports = { 3478-3497, 16384-16387, 16393-16402 }
        define zoom_ports = { 8801-8810 }

        chain in_dscp {
                # Base chain on the postrouting hook (filter, priority 0), so it
                # sees forwarded and locally generated packets after routing.
                # Only packets leaving via $wan whose mark bits 22-24 (0x1c00000)
                # are all clear are handed to qos_sqm.
                # NOTE(review): this table only ever sets bits 24 and 25
                # (0x3000000 / 0x2000000).  Bits 22-23 are never written here, and
                # a mark with bit 25 alone passes this check and is only stopped
                # by qos_sqm.  0x3000000 may have been the intended mask - confirm.
                type filter hook postrouting priority 0; policy accept;

                oifname $wan ct mark and 0x1c00000 == 0 jump qos_sqm
        }

        chain qos_sqm {
                # Flows already classified (bit 25 set) are left alone; all others
                # are sent to cttags.  goto (not jump) means cttags' outcome ends
                # processing in this chain.
                ct mark and 0x2000000 == 0 counter goto cttags
        }

        chain qos_sqm_remap {
                # Add rules to modify non-zero DSCP incoming from LAN
                #
                # Reached via goto from cttags whenever the packet already carries a
                # non-zero DSCP, so the set/port rules in cttags are skipped and the
                # host-supplied DSCP wins.  Security/fairness caveat: this trusts
                # whatever marking a LAN device puts on its packets - any host can
                # claim CS6/voice priority for itself.  Rules that wash or cap
                # LAN-set DSCP (e.g. downgrading CS6/CS7) belong here, before the
                # mark is saved.

                # Read the current DSCP straight from the IP header with a raw
                # payload expression (the maps this used to go through were removed):
                #   IPv4: byte 1 of the header is the TOS byte; & 252 (0xfc) keeps
                #         the top 6 bits and >> 2 right-aligns the DSCP.
                #   IPv6: the first 16 bits are version + traffic class + the top
                #         of the flow label; & 4032 (0x0fc0) isolates the DSCP and
                #         >> 6 right-aligns it.
                # Then save it in the high bits of the mark for restoration with act_ctinfo.
                # Note: "ct mark set" replaces the whole 32-bit mark, so any mark
                # another table put on this connection is overwritten here.
                meta nfproto ipv4 ct mark set (@nh,8,8 & 252) >> 2 counter
                meta nfproto ipv6 ct mark set ((@nh,0,16 & 4032) >> 6) counter
                # DSCP -> bits 26-31; 0x3000000 flags "classified, DSCP taken from LAN".
                ct mark set ct mark lshift 26 or 0x3000000
        }

        chain cttags {
                # Uncomment the next line to trace packets through this chain.
                # meta nftrace set 1

                # Packets that already carry a DSCP skip the classification below
                # entirely (goto) and only get their existing DSCP recorded.
                ip dscp != 0 counter goto qos_sqm_remap
                ip6 dscp != 0 counter goto qos_sqm_remap

                # match sets (populated externally by dnsmasq, et al)
                # "dscp set" is non-terminal: evaluation continues, so a packet that
                # matches several rules below ends up with the DSCP of the LAST one.
                ip daddr @bulk4 ip dscp set cs1 comment "bulk4 to CS1"
                ip6 daddr @bulk6 ip6 dscp set cs1 comment "bulk6 to CS1"
                #ip daddr @besteffort4 ct mark set 0x1000000 comment "besteffort4 to CS0"
                #ip6 daddr @besteffort6 ct mark set 0x1000000 comment "besteffort6 to CS0"
                ip daddr @video4 ip dscp set af41 comment "video4 to AF41"
                ip6 daddr @video6 ip6 dscp set af41 comment "video6 to AF41"
                ip daddr @voice4 ip dscp set cs6 comment "voice4 to CS6"
                ip6 daddr @voice6 ip6 dscp set cs6 comment "voice6 to CS6"

                # individual IP or port rules
                # IMAP (993) and APNS (5223) to 17.0.0.0/8 (Apple's block) are
                # forced back to CS0 even if a set rule above raised them.
                ip daddr 17.0.0.0/8 tcp dport { 993, 5223 } ip dscp set cs0 counter comment "Apple Mail and APNS CS0"
                # FaceTime: both source and destination port must be in range.
                udp sport $facetime_ports udp dport $facetime_ports ip dscp set af41 counter comment "Facetime AF41"
                udp sport $facetime_ports udp dport $facetime_ports ip6 dscp set af41 counter comment "Facetime AF41"
                # Zoom: destination port only.
                udp dport $zoom_ports ip dscp set cs3 counter comment "Zoom CS3"
                udp dport $zoom_ports ip6 dscp set cs3 counter comment "Zoom CS3"
                # UDP 4500 on both ends is IPsec NAT-T; any NAT-T VPN, not only
                # Wi-Fi Calling, will match here and be promoted to CS6.
                udp sport 4500 udp dport 4500 ip dscp set cs6 counter comment "WiFi Calling CS6"
                udp sport 4500 udp dport 4500 ip6 dscp set cs6 counter comment "WiFi Calling CS6"
                # Speed tests are pushed into the bulk tin.
                tcp dport { 6020-6030 } ip dscp set cs1 counter comment "Comcast Speedtest CS1"
                tcp dport { 6020-6030 } ip6 dscp set cs1 counter comment "Comcast Speedtest CS1"

                # Record the DSCP chosen above in the ct mark using the same raw
                # payload arithmetic as qos_sqm_remap (TOS byte & 0xfc >> 2 for
                # IPv4, first 16 bits & 0x0fc0 >> 6 for IPv6), then save it in the
                # high bits of the mark for restoration with act_ctinfo.
                # As above, "ct mark set" overwrites the whole mark.
                meta nfproto ipv4 ct mark set (@nh,8,8 & 252) >> 2 counter
                meta nfproto ipv6 ct mark set ((@nh,0,16 & 4032) >> 6) counter
                # DSCP -> bits 26-31; 0x2000000 (bit 25 only) flags "classified by this table".
                ct mark set ct mark lshift 26 or 0x2000000
        }
}

I think the next step is to update the sqm script to run the individual nft commands that create this cttags table, so that the table is tied to the sqm script rather than to the default nftables ruleset.
