It's just this here:
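table netdev cake {
    # Upload: packets arriving from the LAN-side bridges
    chain capture-ul {
        type filter hook ingress devices = { br-lan, br-guest } priority -149; policy accept;
        # only traffic that is not destined for the local subnets
        ip daddr != { 192.168.1.0/24, 192.168.2.0/24 } jump process-ul
    }
    chain process-ul {
        # default mark is CS3; ICMP is re-marked CS5 and counted
        ip dscp set cs3
        ip protocol icmp ip dscp set cs5 counter
        ether type ip fwd to "ifb-ul"
    }
    # Download: packets arriving on the WAN and VPN interfaces
    chain capture-dl {
        type filter hook ingress devices = { wan, vpn } priority -149; policy accept;
        # skip packets whose source is the WireGuard endpoint
        ip saddr != { $wg_endpoint } jump process-dl
    }
    chain process-dl {
        # same marking as upload, then hand off to the download IFB
        ip dscp set cs3
        ip protocol icmp ip dscp set cs5 counter
        ip fwd to "ifb-dl"
    }
}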
This allows setting DSCPs and forwarding to IFBs for upload and download despite multiple interfaces (e.g. WAN/VPN/br-lan/br-guest).
For me it was a good introduction to learning about nftables.
I'm curious to see now if I can leverage the connection tracking ingress restoration as per the discussion earlier on in this thread. Namely I'd quite like Windows 11 to set DSCP marks in applications for outbound traffic and then for those DSCP marks to get applied on my ingress, but I'm not sure if that's possible at the point of the ingress hook. I'd also like to see a working example of that restoration.