QoS: How iptables CLASSIFY / nftables "meta priority set" really works

Ok, for those of you who are into classifying packets for QoS purposes... here's what I've found out by trial and error over the last few days.

I run an nftables firewall and I use "meta priority set x:y" to try to steer packets to qdisc x class y... but it doesn't seem to work. Nor does it seem to work in iptables with the CLASSIFY command.

What does seem to happen is it sets the minor number, but it can't steer the packet to a leaf qdisc... so for example if you have a high level qdisc such as HFSC doing your shaping, let's call it 1: and then you want to schedule packets for one of its classes say class 1:10 has a qfq qdisc underneath it called say 2: with classes 2:1 and 2:2 and 2:3... if you try to -j CLASSIFY to 2:3 it won't go...

It appears that the queuing system only hands the packet to the high level 1: qdisc which tries to slam the packet into 1:3 because you set the minor number to 3, but since 1:3 doesn't exist, it either drops the packet, or for a qdisc with a default such as HFSC it uses the default.

So if you want to send a packet direct to a lower qdisc, you will have to play with tc filters. A useful filter seems to be something like this:

tc filter add dev eth0 parent 1: protocol all basic match "meta(priority eq 3)" flowid 2:3

So it looks like the packet will hit the top 1: qdisc, and hit this filter, and looking only at the minor part, it will get sent to the right sub-qdisc... just don't re-use minor numbers so there's no confusion, and you'll be fine.

People who might find this interesting: @moeller0 and @knomax

3 Likes
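An added example, not part of the original post: a small generator for the steering filters described above, using the post's layout (parent qdisc 1: with class 1:10, child qdisc 2: with classes 2:1 to 2:3) and its filter form, and refusing a minor that the parent also uses. The function name and the restriction of minors to 1-9 (so the hex classid and the match value are the same number) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post). It only prints tc commands; nothing is
# applied to any interface.

# steer_filters DEV PARENT CHILD "PARENT_MINORS" "CHILD_MINORS"
#   PARENT / CHILD are qdisc handles such as "1:" and "2:".
#   Prints one filter per child minor, in the form given in the post.
#   Returns 1 if a minor is outside 1-9 or is also used under the parent.
steer_filters() {
    dev=$1 parent=$2 child=$3 parent_minors=$4 child_minors=$5
    out=""
    for m in $child_minors; do
        case $m in
            [1-9]) ;;  # assumption: single digit, same value in hex and decimal
            *) echo "minor '$m' is not in 1-9" >&2; return 1 ;;
        esac
        # The post's rule: never reuse a minor number across the two qdiscs.
        for p in $parent_minors; do
            if [ "$p" = "$m" ]; then
                echo "minor $m is used by both ${parent}$m and ${child}$m" >&2
                return 1
            fi
        done
        out="${out}tc filter add dev $dev parent $parent protocol all basic match \"meta(priority eq $m)\" flowid ${child}$m
"
    done
    printf '%s' "$out"
}

# Layout from the post: HFSC 1: has class 1:10, qfq 2: has classes 2:1 2:2 2:3.
steer_filters eth0 1: 2: "10" "1 2 3"
```

Review the printed commands, then pipe them to `sh` as root to install the filters.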

Thanks for the information, dlakelan.