Nftables for PS4 and COLD WAR?

Are you using nftables combined with sqm to prioritize your gaming consoles? Are you working with DSCP tags to prioritize some specific ports or the whole device/console?

hello kherby and thanks for your answer,

I am using SQM indeed, and I think I managed to convert my iptables to nftables, but I don't know, if I am just doing it for nftables, whether I should put them in the firewall custom rules or not.

I followed the tutorial from diakelan but I lose the connection to the internet without a firewall. I am confused. Here are my nftables for gaming and the PS4, which is at 192.168.2.167.

I have tried the @hisham2630 ultimate settings, but they are a little complicated for my ISP, French Orange.

@moeller0 @diakelan @LeTran

I can't help you with nftables as this stuff is way beyond my skill level, but I would suggest that you also take a look at @ldir's approach, where you would be able to prioritize your gaming/console traffic via DSCPs for in+egress.
I think that his approach is quite clever + straightforward and you should be able to get solid results if you prioritize your gaming traffic via DSCPs.
See: SQM cake: traffic prioritisation
There is also a diffserv4 script, so you don't need to patch cake in order to give his approach a try: https://github.com/ldir-EDB0/sqm-scripts/commit/e701873cf6393d056360dbc4f174db602ca02f09

I'm not 100% sure what the requirements for this approach are but I think you only need kmod-sched-ctinfo + kmod-sched-connmark (on top of sqm) to get it working.

1 Like

You only need kmod-sched-ctinfo - it can do everything kmod-sched-connmark does as well.

nftables is a problem though since there's no way to store a dscp into the connmark ready for ctinfo to restore.

1 Like

Thanks for the info.
I still try figuring out how to adapt your script for my own needs and therefore I haven't tested it yet.
For the beginning I would like to keep it simple and see if in+egress DSCP marks for my torrent and gaming ports could fix my latency issues when downloading torrents on my PC while playing some online games on my console. Do we need to work with ipsets, or is that optional in your approach?

@Dopam-IT_1987
Please let me know if you're not interested in ldir's approach with the DSCPs and want to stick with nftables, as I don't want to hijack your thread. But in case you're interested in ldir's approach, we could perhaps start our tests together, as you also seem to be interested in prioritizing your game traffic.

1 Like

The ipsets (dynamically filled by dnsmasq) were a convenient way to classify hosts into video, voice, bulk etc. You don't need to use the ipset mechanism at all - it was a way to simplify the rules. Here's a pretty much neutered version of the script (most stuff just commented out) that will build the iptables framework without actually doing much dscp mangling/classification. It still retains the 'long best effort de-prioritised to bulk' dynamic bit. It should allow you to see the 'framework' that's put in place and then come up with your own rules to identify and mark specific host traffic.

# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License version 2 as published by the
# Free Software Foundation.
#
# Copyright (C) 2012-5 Michael D. Taht, Toke Høiland-Jørgensen, Sebastian
# Moeller Additional hackery & standing on shoulders of giants (C) 2019 Kevin
# Darbyshire-Bryant
#
# This script is offered on the basis that it works for me and might be useful
# to others, but if it breaks you may keep all the pieces at no cost :-)
#
# diffserv5 takes advantage of a patched CAKE diffserv5 mode offering 5 tins of
# classification Least Effort, Bulk, Best Effort, Video, Voice.
# The difference between diffserv4 & diffserv5 is that diffserv5 has a tin for
# Least Effort, whilst diffserv4 maps Least Effort into Bulk.  Thus diffserv4
# treats my bittorrent as equal priority to my backups.  Bittorrent can wait,
# my backups must complete
#
# By default CAKE uses DSCP values as a key into the priority tins.
# Applications that set a DSCP (eg dropbear ssh) should have that
# respected/used.  CAKE offers other tin keying methods eg. fwmark.  This (by
# design) ignores any DSCP values, so if you wanted DSCP to have influence whilst
# using that you
# would have to write many x_tables rules to translate DSCP to tin (ie
# emulating the lookup cake already has)  For this reason I use DSCP as the tin
# priority key mechanism.
#
# DSCP values on egress are easy to find & manipulate.  Ingress is harder
# because CAKE has already handled the packet before x_tables gets a chance to
# see it.  An initial idea & solution for this 'ingress classification' problem
# is to use a tc action called 'connmark'.  This restores the firewall
# connection mark into the packet and CAKE can be told to look at this restored
# mark for tin selection.  Events turned out that the initial plans I had for
# 'fwmark' got neutered and whilst fwmark exists and works, I've chosen not to
# use it for this solution. (The initial plan was to get CAKE to store the
# chosen tin selected by DSCP into the fwmark itself, but qdiscs updating conntrack is regarded
# as a layering violation so is a no no, it worked well but upstream didn't
# like it)
#
# What I really wanted to do was store the DSCP value for a connection into the
# firewall and use that stored DSCP as the key.  Storing DSCP on egress and
# restoring on ingress was potentially more useful to other qdiscs not just
# CAKE as well.
#
# act_ctinfo was written and is in kernel 5.3,  This restores a firewall stored
# DSCP value into a packet's DSCP field.  The companion 'store' function has
# not yet made it upstream, being somewhat stalled by my bad C and requirement
# for an nftables implementation and I quite frankly have no idea how to write
# for nftables.  A 'hacked' together implementation for iptables does exist and
# that's what is used here.
#
# This script implements a 'dual level' of classification setting.  The 'hard'
# or fixed layer applies fixed DSCP settings to known host/port combinations.
# Traffic that isn't in this known set of rules, has a default Best Effort
# classification and exceeds CONNB bytes transferred is then hooked by a second
# rules set where it is demoted to BULK.
#
# How it works
#
# We usurp top byte of the firewall connmark for our own purposes.
# bits 3-8 = DSCP
# bit  2   = DSCPS flag - DSCP is stored in bits 3-8 but may be changed (0x02)
# bit  1   = DSCPF flag - DSCP is long-term fixed (0x01)
#
# egress packets are hooked by an iptables rule if DSCPS & DSCPF unset and are
# passed to a 'hard' hosts/port ruleset chain.  This chain sets any applicable
# DSCP in the packet and then uses connmark savedscp to store that set DSCP
# value along with a set DSCPS bit in the firewall connmark.  another rule
# hooks packets that have DSCPS set, DSCPF unset and a conntrack connbytes
# value bigger than CONNB.  These are sent to the dynamic ruleset chain.  The
# dynamic ruleset chain changes connections that are currently Best Effort to
# BULK and sets DSCPF
#
# ctinfo instances are set on both ingress and egress paths.  The ingress path
# is hopefully obvious but ctinfo on egress may not be quite so obvious to
# understand.  It is there to copy the previously set DSCP value to all
# corresponding egress packets and thus eliminate the requirement for each
# packet to pass through the 'hard' ruleset.
#
# More rubbish/info.  jump -j vs goto -g in iptables rules
# jump is a bit like a subroutine, in other words unless the 'jumped' to
# table drops or accepts a packet, the return from that sub-chain comes
# back to the calling chain just after the point where we jumped(called)
# the sub-chain.
# goto goes to the called chain, and when it returns it returns to the chain
# that called us.
# I make use of both
#
# Probably a slightly more computer science description:
# A 'jump' pushes a return chain address on to a stack, hence when the called chain
# finishes it knows where to return to.
# A 'goto' doesn't push a return chain address so when the called chain returns it
# returns to the chain that called us, not our current chain.

. /lib/functions/network.sh
. ${SQM_LIB_DIR}/defaults.sh
QDISC=cake
DURUP=30
DURDN=30
# below is simplified Rate * 1000 * duration / 8 ie 1000/8 = 125
CONNBDN=$(( ${DOWNLINK} * 125 * ${DURDN} ))
CONNBUP=$(( ${UPLINK}   * 125 * ${DURUP} ))
INGRESS_CAKE_OPTS="diffserv4"
EGRESS_CAKE_OPTS="diffserv4"

network_get_subnet SUBNET lan
network_find_wan6 ifc_wan6 && network_get_prefix6 PREFIX "${ifc_wan6}"

# Default traffic classification is passed in INGRESS_CAKE_OPTS and EGRESS_CAKE_OPTS, defined in defaults.sh now

egress() {
    SILENT=1 $TC qdisc del dev $IFACE root
    $TC qdisc add dev $IFACE root cake bandwidth ${UPLINK}kbit \
	    $( get_cake_lla_string ) ${EGRESS_CAKE_OPTS} ${EQDISC_OPTS}

    # Put an action on the egress interface to set DSCP from the stored connmark.
    # This seems counter intuitive but it ensures once the mark is set that all
    # subsequent egress packets have the same stored DSCP avoiding the need to have
    # iptables rules mark every packet.

    $TC filter add dev $IFACE protocol all u32 \
	match u32 0 0 \
	action ctinfo dscp 0xfc000000 0x02000000
}


ingress() {

    SILENT=1 $TC qdisc del dev $IFACE handle ffff: ingress
    $TC qdisc add dev $IFACE handle ffff: ingress

    SILENT=1 $TC qdisc del dev $DEV root

    [ "$ZERO_DSCP_INGRESS" -eq "1" ] && INGRESS_CAKE_OPTS="$INGRESS_CAKE_OPTS wash"

    $TC qdisc add dev $DEV root cake bandwidth ${DOWNLINK}kbit \
	    $( get_cake_lla_string ) ${INGRESS_CAKE_OPTS} ${IQDISC_OPTS}

    $IP link set dev $DEV up

    # redirect all IP packets arriving in $IFACE to ifb0
    # set DSCP from conntrack mark
    $TC filter add dev $IFACE parent ffff: protocol all u32 \
	match u32 0 0 \
	action ctinfo dscp 0xfc000000 0x02000000 \
	action mirred egress redirect dev $DEV
}

ipt_setup() {
    # Configure iptables chains to mark packets
#    ipt_destruct
    ipt -t mangle -N QOS_CAKE_${IFACE}
    ipt -t mangle -N QOS_MARK_F_${IFACE}
    ipt -t mangle -N QOS_MARK_F_REMAP_${IFACE}
    ipt -t mangle -N QOS_MARK_D_${IFACE}
    ipt -t mangle -N QOS_MARK_D_orig_${IFACE}
    ipt -t mangle -N QOS_MARK_D_repl_${IFACE}

# 'non-dynamic, fixed' rules
#
# Change DSCP of relevant hosts/ports and save the DSCP to the connmark using savedscp
#
# eg.  I have a skybox which only does downloads & never streams, make it bulk
# I have a bluray player that speaks netflix/amazon, so it streams and never downloads, make it video
# I have a bittorrent host, so make that host/port combination bulk.
# I have some dynamically updated ipsets filled by dnsmasq for Bulk, video & voice, so classify if they match
# In fact since we already have the ipset based rules, just add local hosts to the relevant set.
# Qnap have just done something interesting in that they've set DSCP LE on their Hybrid Backup Sync
# application.  Presently I jealously guard LE for bittorrent (something I regard as lowest priority in
# the world) thus Qnap's decision to make my backups LE as opposed to my preferred BK (bulk) meant I
# needed to create a 'packet has a DSCP but I'd like to re-map it to something else' chain.

# example here if you needed to do port 'ip'sets
#ipset -exist create AppleFT bitmap:port range 3478-16402
#plist="3478-3497 16384-16387 16393-16402"
#for p in $plist ; do
#	ipset -exist add AppleFT $p
#done

#ipv4
# Skybox
#ipset -q add Bulk4 SkyQ
# Bluray
#ipset -q add Vid4  bluray
# AV-Amp
#ipset -q add Vid4  av-amp

#QOS_MARK_F_REMAP_${IFACE}
# if it's DSCP LE and from my backup box then re-map to BK.
#ipt  -t mangle -A QOS_MARK_F_REMAP_${IFACE} -m dscp --dscp 0x01 -p tcp -s waldorf -j DSCP --set-dscp-class CS1
# save it
ipt -t mangle -A QOS_MARK_F_REMAP_${IFACE} -j CONNMARK --set-dscpmark 0xfc000000/0x03000000
# and out - that was easy!

# QOS_MARK_F_${IFACE} starts here.
# if dscp!= 0 then goto QOS_MARK_F_REMAP_${IFACE} ie. special case packets that already have a DSCP
ipt  -t mangle -A QOS_MARK_F_${IFACE} -m dscp ! --dscp 0x00 -g QOS_MARK_F_REMAP_${IFACE}

# else fall through

# ipv4 rules
# Bittorrent box - has to be done explicitly because we're looking at specific ports not just whole host
#$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -p tcp -s waldorf -m tcp -m multiport --sports 6981,4433 -m comment --comment "BT DSCP LE" -j DSCP --set-dscp 1
#$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -p udp -s waldorf -m udp --sport 6981 -m comment --comment "BT DSCP LE" -j DSCP --set-dscp 1
# the destination versions don't appear to be required, so commented out.
#$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -p tcp -d waldorf -m tcp -m multiport --dports 6981,4433 -m comment --comment "BT DSCP CS1 Bulk" -j DSCP --set-dscp-class CS1
#$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -p udp -d waldorf -m udp --dport 6981 -m comment --comment "BT DSCP CS1 Bulk" -j DSCP --set-dscp-class CS1

# If you want a connection to remain as CS0 Best Effort, you force the DSCP Fixed bit, the 'set' bit will be set later
#$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set Bulk4  dst -j DSCP --set-dscp-class CS1 -m comment --comment "Bulk CS1 ipset"
#$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set Bulk4  src -j DSCP --set-dscp-class CS1 -m comment --comment "Bulk CS1 ipset"
#$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set BE4 dst -j CONNMARK --set-xmark 0x01000000/0x01000000 -m comment --comment "Best Effort CS0 ipset"
#$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set BE4 src -j CONNMARK --set-xmark 0x01000000/0x01000000 -m comment --comment "Best Effort CS0 ipset"
#$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set Vid4   dst -j DSCP --set-dscp-class CS3 -m comment --comment "Vid CS3 ipset"
#$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set Vid4   src -j DSCP --set-dscp-class CS3 -m comment --comment "Vid CS3 ipset"
#$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set Voice4 dst -j DSCP --set-dscp-class CS4 -m comment --comment "Voice CS4 ipset"
#$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set Voice4 src -j DSCP --set-dscp-class CS4 -m comment --comment "Voice CS4 ipset"

# ipv6
#$IP6TABLES -t mangle -A QOS_MARK_F_${IFACE} -p tcp -s waldorf -m tcp -m multiport --sports 6981,4433,4434 -m comment --comment "BT DSCP LE" -j DSCP --set-dscp 1
#$IP6TABLES -t mangle -A QOS_MARK_F_${IFACE} -p udp -s waldorf -m udp --sport 6981 -m comment --comment "BT DSCP LE" -j DSCP --set-dscp 1
# the destination versions don't appear to be required, so commented out.
#$IP6TABLES -t mangle -A QOS_MARK_F_${IFACE} -p tcp -d waldorf -m tcp -m multiport --dports 6981,4433,4434 -m comment --comment "BT DSCP CS1 Bulk" -j DSCP --set-dscp-class CS1
#$IP6TABLES -t mangle -A QOS_MARK_F_${IFACE} -p udp -d waldorf -m udp --dport 6981 -m comment --comment "BT DSCP CS1 Bulk" -j DSCP --set-dscp-class CS1

# If you want a connection to remain as CS0 Best Effort, you force the DSCP Fixed bit, the 'set' bit will be set later
#$IP6TABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set Bulk6  dst -j DSCP --set-dscp-class CS1 -m comment --comment "Bulk CS1 ipset"
#$IP6TABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set Bulk6  src -j DSCP --set-dscp-class CS1 -m comment --comment "Bulk CS1 ipset"
#$IP6TABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set BE6 dst -j CONNMARK --set-xmark 0x01000000/0x01000000 -m comment --comment "Best Effort CS0 ipset"
#$IP6TABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set BE6 src -j CONNMARK --set-xmark 0x01000000/0x01000000 -m comment --comment "Best Effort CS0 ipset"
#$IP6TABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set Vid6   dst -j DSCP --set-dscp-class CS3 -m comment --comment "Vid CS3 ipset"
#$IP6TABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set Vid6   src -j DSCP --set-dscp-class CS3 -m comment --comment "Vid CS3 ipset"
#$IP6TABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set Voice6 dst -j DSCP --set-dscp-class CS4 -m comment --comment "Voice CS4 ipset"
#$IP6TABLES -t mangle -A QOS_MARK_F_${IFACE} -m set --match-set Voice6 src -j DSCP --set-dscp-class CS4 -m comment --comment "Voice CS4 ipset"

# put host or application specific classification rules here
# Best Effort requires connmark target  -j CONNMARK --set-xmark 0x01000000/0x01000000
# anything else uses the dscp target    -j DSCP --set-dscp-class CS[1-7]

#unificontroller
#$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -p tcp -s unificontroller -m tcp -m multiport --dports 8883 -m comment --comment "UnifiController CS0 BE" -j CONNMARK --set-xmark 0x01000000/0x01000000

#Apple
#$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -p tcp -d 17.0.0.0/8 -m tcp -m multiport --dports 5223,993 -m comment --comment "APNS,mail CS0 BE" -j CONNMARK --set-xmark 0x01000000/0x01000000

#Facetime is interesting. Apple say that for firewall purposes only certain ports are used, they don't say if that's source
#or destination. Turns out it's both, so look for connections with both a source & destination port in the Facetime range
#ipt -t mangle -A QOS_MARK_F_${IFACE} -p udp -m udp -m multiport --sports 3478:3497,16384:16387,16393:16402 -m multiport --dports 3478:3497,16384:16387,16393:16402,16609:16618 -m comment --comment "Facetime CS3 Vid" -j DSCP --set-dscp-class CS3

#Zoom - connections go to Zoom with dest ports 8801-8810
#$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -p udp -m udp -m set --match-set Zoom4 dst -m multiport --dports 8801:8810 -j DSCP --set-dscp-class CS3 -m comment --comment "Zoom CS3 VI"
#$IP6TABLES -t mangle -A QOS_MARK_F_${IFACE} -p udp -m udp -m set --match-set Zoom6 dst -m multiport --dports 8801:8810 -j DSCP --set-dscp-class CS3 -m comment --comment "Zoom CS3 VI"

#Whatsapp Video
#ipt -t mangle -A QOS_MARK_F_${IFACE} -p udp -m udp -m multiport --dports 3478 -m comment --comment "Whatsapp CS3 VI" -j DSCP --set-dscp-class CS3

#Irc
#ipt -t mangle -A QOS_MARK_F_${IFACE} -p tcp -m tcp -m multiport --dports 6697 -m comment --comment "IRC CS0 BE" -j CONNMARK --set-xmark 0x01000000/0x01000000

#Icmp/v6
$IPTABLES -t mangle -A QOS_MARK_F_${IFACE} -p icmp -m comment --comment "Ping CS0 BE" -j CONNMARK --set-xmark 0x01000000/0x01000000
$IP6TABLES -t mangle -A QOS_MARK_F_${IFACE} -p icmpv6 -m comment --comment "Ping CS0 BE" -j CONNMARK --set-xmark 0x01000000/0x01000000

#Wireguard
#ipt -t mangle -A QOS_MARK_F_${IFACE} -p udp -m udp -m multiport --sports 51820 -m comment --comment "WG CS0 BE" -j CONNMARK --set-xmark 0x01000000/0x01000000

# store the decided DSCP into connmark for later restoration by ctinfo
ipt -t mangle -A QOS_MARK_F_${IFACE} -j CONNMARK --set-dscpmark 0xfc000000/0x02000000
# if we stored a non best effort DSCP then lock it in place, there's no traffic based deprioritisation required
ipt -t mangle -A QOS_MARK_F_${IFACE} -m connmark ! --mark 0x0/0xfc000000 -j CONNMARK --set-xmark 0x01000000/0x01000000
# ---- End of 'hard/fixed' rules


# Dynamic rules - These get run when a connection first goes above our bulk transfer size limit.
# if stored DSCP is CS0 (Best effort) then set it to CS1 (bulk) - this is the dynamic de-prioritisation.
# CS1 = 8 << 2 = 0x20, setting our Fixed bit = 0x21
# and by now whatever we have we stick with, so set DSCPFixed bit
ipt -t mangle -A QOS_MARK_D_${IFACE} -j CONNMARK --set-xmark 0x21000000/0x21000000
# ---- End of Dynamic Rules


# It all starts here.
# CAKE chain to combine hard/dynamic rules
# Send unmarked connections to the hard/fixed marking chain
ipt -t mangle -A QOS_CAKE_${IFACE} -m connmark --mark 0x00000000/0x02000000 -g QOS_MARK_F_${IFACE}
# Send marked connections over CONNB bytes and not DSCPFixed to the dynamic rules
# original direction first - the original src ip is local
# ipv4
if [ "$SUBNET" ] ; then
	$IPTABLES -t mangle -A QOS_CAKE_${IFACE} -m conntrack --ctorigsrc ${SUBNET} -g QOS_MARK_D_orig_${IFACE}
	$IPTABLES -t mangle -A QOS_CAKE_${IFACE} -m conntrack --ctreplsrc ${SUBNET} -g QOS_MARK_D_repl_${IFACE}

	# orig direction
	$IPTABLES -t mangle -A QOS_MARK_D_orig_${IFACE} \
	-m connbytes --connbytes ${CONNBUP} --connbytes-dir original --connbytes-mode bytes \
	-g QOS_MARK_D_${IFACE}
	$IPTABLES -t mangle -A QOS_MARK_D_orig_${IFACE} \
	-m connbytes --connbytes ${CONNBDN} --connbytes-dir reply  --connbytes-mode bytes \
	-g QOS_MARK_D_${IFACE}

	# reply direction - reply src IP is local
	$IPTABLES -t mangle -A QOS_MARK_D_repl_${IFACE} \
	-m connbytes --connbytes ${CONNBDN} --connbytes-dir original --connbytes-mode bytes \
	-g QOS_MARK_D_${IFACE}
	$IPTABLES -t mangle -A QOS_MARK_D_repl_${IFACE} \
	-m connbytes --connbytes ${CONNBUP} --connbytes-dir reply --connbytes-mode bytes \
	-g QOS_MARK_D_${IFACE}
fi

# and now for ipv6.
if [ "$PREFIX" ] ; then
	$IP6TABLES -t mangle -A QOS_CAKE_${IFACE} -m conntrack --ctorigsrc ${PREFIX} -g QOS_MARK_D_orig_${IFACE}
	$IP6TABLES -t mangle -A QOS_CAKE_${IFACE} -m conntrack --ctreplsrc ${PREFIX} -g QOS_MARK_D_repl_${IFACE}

	# orig direction
	$IP6TABLES -t mangle -A QOS_MARK_D_orig_${IFACE} \
	-m connbytes --connbytes ${CONNBUP} --connbytes-dir original --connbytes-mode bytes \
	-g QOS_MARK_D_${IFACE}
	$IP6TABLES -t mangle -A QOS_MARK_D_orig_${IFACE} \
	-m connbytes --connbytes ${CONNBDN} --connbytes-dir reply --connbytes-mode bytes \
	-g QOS_MARK_D_${IFACE}

	# reply direction
	$IP6TABLES -t mangle -A QOS_MARK_D_repl_${IFACE} \
	-m connbytes --connbytes ${CONNBDN} --connbytes-dir original --connbytes-mode bytes \
	-g QOS_MARK_D_${IFACE}
	$IP6TABLES -t mangle -A QOS_MARK_D_repl_${IFACE} \
	-m connbytes --connbytes ${CONNBUP} --connbytes-dir reply --connbytes-mode bytes \
	-g QOS_MARK_D_${IFACE}
fi

# ---- End of the hook

# Hook the above rules into the firewall path
ipt -t mangle -A POSTROUTING -o ${IFACE} -m connmark --mark 0x00000000/0x01000000 -j QOS_CAKE_${IFACE}

}

ipt_destruct() {
	ipt -t mangle -D POSTROUTING -o ${IFACE} -m connmark --mark 0x00000000/0x01000000 -j QOS_CAKE_${IFACE}
	ipt -t mangle -F QOS_MARK_F_${IFACE}
	ipt -t mangle -F QOS_MARK_F_REMAP_${IFACE}
	ipt -t mangle -F QOS_MARK_D_orig_${IFACE}
	ipt -t mangle -F QOS_MARK_D_repl_${IFACE}
	ipt -t mangle -F QOS_MARK_D_${IFACE}
	ipt -t mangle -F QOS_CAKE_${IFACE}

	ipt -t mangle -X QOS_MARK_F_${IFACE}
	ipt -t mangle -X QOS_MARK_F_REMAP_${IFACE}
	ipt -t mangle -X QOS_MARK_D_orig_${IFACE}
	ipt -t mangle -X QOS_MARK_D_repl_${IFACE}
	ipt -t mangle -X QOS_MARK_D_${IFACE}
	ipt -t mangle -X QOS_CAKE_${IFACE}
}

sqm_prepare_script() {
	do_modules
	verify_qdisc $QDISC "cake" || return 1
	ipt_setup
}

3 Likes
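The connmark layout in the script header (DSCP in the top six bits, DSCPS at 0x02000000, DSCPF at 0x01000000) and the hard/dynamic two-stage logic are easy to get wrong when adapting the rules, so here is an added plain-sh model of them. It is not part of ldir's script or of sqm-scripts; the link rates, durations and the `qos_cake_step` walk-through are constructed for this example, using the script's own formula `rate_kbit * 125 * seconds` for the connbytes threshold and the same `-j CONNMARK` masks the rules use.

```shell
#!/bin/sh
# Added example, not part of ldir's script: a plain-sh model of the connmark
# layout described in the script header, so the bit arithmetic and the
# hard/dynamic chain logic can be checked without a router.
#   bits 26-31 (top 6 bits)  = stored DSCP  (mask 0xfc000000)
#   bit  25    (0x02000000)  = DSCPS, a DSCP has been stored
#   bit  24    (0x01000000)  = DSCPF, the stored DSCP is fixed
DSCP_MASK=0xfc000000
DSCPS=0x02000000
DSCPF=0x01000000

# Assumed link rates and durations (constructed for this example; the script
# takes them from SQM's config). kbit/s * 125 = bytes per second.
UPLINK=10000     # kbit/s
DOWNLINK=50000   # kbit/s
DURUP=30         # seconds of full-rate transfer before demotion to bulk
DURDN=30

# Bytes a connection may move at the given rate before it counts as bulk
# (the script's CONNBUP/CONNBDN formula).
conn_bytes_limit() {
    echo $(( $1 * 125 * $2 ))
}
CONNBUP=$(conn_bytes_limit "$UPLINK" "$DURUP")
CONNBDN=$(conn_bytes_limit "$DOWNLINK" "$DURDN")

# What CONNMARK --set-dscpmark 0xfc000000/0x02000000 leaves in the connmark.
dscp_to_mark() {
    echo $(( ($1 << 26) | DSCPS ))
}

# Recover the stored DSCP from a connmark (what act_ctinfo restores).
mark_to_dscp() {
    echo $(( ($1 & DSCP_MASK) >> 26 ))
}

# True when the DSCPF bit is set.
mark_is_fixed() {
    [ $(( $1 & DSCPF )) -ne 0 ]
}

# One egress packet of a LAN-originated connection through
# POSTROUTING -> QOS_CAKE -> QOS_MARK_F (unmarked) or QOS_MARK_D_orig (marked).
#   $1 current connmark
#   $2 DSCP the hard rules would assign to this flow (0 = leave Best Effort)
#   $3 bytes seen so far in the original direction
#   $4 bytes seen so far in the reply direction
# Prints the connmark after the chains have run. Because the script uses
# goto (-g), a packet that went through QOS_MARK_F returns straight to
# POSTROUTING and never reaches the dynamic rules on the same pass.
qos_cake_step() {
    mark=$1; rule_dscp=$2; orig_bytes=$3; repl_bytes=$4
    # POSTROUTING only hooks connections whose DSCP is not yet fixed.
    if mark_is_fixed "$mark"; then
        echo "$mark"
        return 0
    fi
    if [ $(( mark & DSCPS )) -eq 0 ]; then
        # QOS_MARK_F: store the chosen DSCP, then lock in anything non-BE.
        mark=$(dscp_to_mark "$rule_dscp")
        if [ "$rule_dscp" -ne 0 ]; then
            mark=$(( mark | DSCPF ))
        fi
    elif [ "$orig_bytes" -ge "$CONNBUP" ] || [ "$repl_bytes" -ge "$CONNBDN" ]; then
        # QOS_MARK_D: 0x21000000/0x21000000 = DSCP CS1 (8 << 26) plus DSCPF.
        mark=$(( mark | 0x21000000 ))
    fi
    echo "$mark"
}

# Human-readable summary of a connmark, for the demo below.
describe_mark() {
    d=$(mark_to_dscp "$1")
    f=unfixed
    if mark_is_fixed "$1"; then f=fixed; fi
    printf '0x%08x  dscp=%-2d  %s\n' "$1" "$d" "$f"
}

# Demo: a Best Effort flow is stored, stays BE while small, and is demoted to
# CS1 once it has sent CONNBUP bytes upstream; a CS1 flow is fixed immediately.
m=$(qos_cake_step 0 0 0 0);                describe_mark "$m"
m=$(qos_cake_step "$m" 0 1000 1000);       describe_mark "$m"
m=$(qos_cake_step "$m" 0 "$CONNBUP" 1000); describe_mark "$m"
describe_mark "$(qos_cake_step 0 8 0 0)"
```

Run it with `sh` on any box; it needs no iptables. The thresholds are the only knobs: with the constructed 10000/50000 kbit rates and 30 s durations, a flow becomes bulk after 37.5 MB up or 187.5 MB down, which is the behaviour the script's "long best effort de-prioritised to bulk" comment describes.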

@Kherby no worries, Kherby, no, you don't divert the thread ;) yes, I'm interested in the ldir script, thanks in advance

i will drop nftables

1 Like

Can you help me to configure it please? Thanks

I see that ctinfo is backported, does this mean that it's "fully" workable?

1 Like

Can you point me at where?

kmod-sched-ctinfo - 4.14.180-1

you can't run nftables and iptables together. So if you want to run nftables you must convert your whole firewall to nftables.

we had some difficulty with that when we tried it last, but maybe with updated versions of OpenWrt it has gotten better?

Take a look at the first few posts of the old thread: QoS and nftables … some findings to share. It should get you farther. You need to enable NAT for nftables etc. I should show how that works in the first few posts of that previous thread.

on ingress this won't work because conntrack hasn't run yet, but on egress it should be no problem. Using egress on the LAN for a wired router instead of the IFB on ingress, it becomes easy to do whatever you like.

AFAIK there isn't an equivalent (yet) of ipt -t mangle -j CONNMARK --set-dscpmark 0xfc000000/0x02000000, i.e. connmark = (dscp << 26) | 0x02000000

I think you just set up a map with 64 entries, and do something like

ct mark set ip dscp map @dscpmap

and to restore you do a similar thing in the opposite direction

ip dscp set ct mark map @cttodscp

but I could be wrong

The savedscp feature is awesome on its own. It would be great if this was ported to work.

I found something interesting in the nftables 0.9.4 release notes

logical shifts are now supported eg:

    ... meta mark set meta mark lshift 1 or 0x1 ...

This example shows how to shift one bit left the existing packet
mark and set the less significant bit to 1.

So, if 'ct mark set ip dscp' works and 'ct mark set ct mark lshift 26 or 0x200...' works the equivalent functionality can be coded.

I'm not in a position to do anything 'nftables', I don't know if that's something you could investigate?

2 Likes
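The "map with 64 entries" idea from a few posts up, carried through as an added example (not code from this thread or from sqm-scripts): a small sh generator that emits an nftables ruleset whose map stores `(dscp << 26) | 0x02000000` into the connmark with `ct mark set ip dscp map @dscpmap`, the store half of what `CONNMARK --set-dscpmark` does. Restoring on ingress is left to `tc ... action ctinfo` exactly as in ldir's script, since the thread's point is that nft only lacks the store side. The table and map names, the `dscp : mark` map type and the chain skeleton are assumptions; check the output with `nft -c -f` before loading it.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the 64-entry nftables map
# needed so that "ct mark set ip dscp map @dscpmap" stores the same connmark
# ldir's iptables rules do:  connmark = (dscp << 26) | 0x02000000
# The DSCPF (0x01000000) handling and the ingress restore via tc ctinfo are
# not reproduced here. Table/map/chain names and the "type dscp : mark"
# declaration are assumptions, not verified against a live router.
DSCPS=0x02000000

# One "dscp : mark" element per line for all 64 code points.
gen_dscp_to_mark() {
    d=0
    while [ "$d" -lt 64 ]; do
        printf '            %d : 0x%08x\n' "$d" "$(( (d << 26) | DSCPS ))"
        d=$(( d + 1 ))
    done
}

# Mark value the map yields for one DSCP, for checking the generated text.
mark_for_dscp() {
    echo $(( ($1 << 26) | DSCPS ))
}

# Complete ruleset text. Connections that already carry DSCPS are skipped so
# the stored value is decided once, like QOS_CAKE's "--mark 0x0/0x02000000"
# test in the iptables version.
gen_ruleset() {
    cat <<EOF
# generated by the example above; assumed names, verify with: nft -c -f <file>
table inet dscpmark {
    map dscpmap {
        type dscp : mark
        elements = {
$(gen_dscp_to_mark | sed '$!s/$/,/')
        }
    }
    chain postrouting {
        type filter hook postrouting priority mangle; policy accept;
        # store the packet's DSCP (plus the DSCPS flag) once per connection
        ct mark and 0x02000000 == 0 ct mark set ip dscp map @dscpmap
        ct mark and 0x02000000 == 0 ct mark set ip6 dscp map @dscpmap
    }
}
EOF
}

# Demo: print the ruleset so it can be redirected into a file.
gen_ruleset
```

Usage: `sh gen-dscpmap.sh > /tmp/dscpmark.nft && nft -c -f /tmp/dscpmark.nft` (the `-c` check flag parses without loading). Whether `ct mark set ip dscp map @dscpmap` is accepted depends on the nft version installed on the router, which is exactly the open question in the thread; the generator only removes the tedium of writing the 64 elements by hand.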

I know I do not have the knowledge to investigate. Not in a thousand years.

1 Like

I would like to use your script. Can you help me to configure it please?

I will soon have a MikroTik hAP ac2 with OpenWrt too :slight_smile:

If I'm not mistaken, the ldir script above needs to be pasted into "usr/lib/sqm".