Qosify: new package for DSCP marking + cake

Hi,
I've made a new package for OpenWrt called qosify, which implements many features also found in this script. Instead of using iptables and ipset, it implements classification as a single configurable eBPF module. It supports port based rules and DNS hostname wildcard/regex matching for classification.
You can find some details about it in this readme: https://git.openwrt.org/?p=project/qosify.git;a=blob;f=README
The package is in OpenWrt master.

34 Likes

thanks for your work :wink:

For the moment I have configured it like this:

config defaults
	list defaults /etc/qosify/*.conf
	option dscp_prio CS5
	option dscp_icmp CS6
	option dscp_bulk CS0
	option dscp_default_udp	CS4
	option bulk_trigger_timeout 5
	option bulk_trigger_pps	100
	option prio_max_avg_pkt_len 500

config interface wan
	option name wan
	option disabled 0
	option bandwidth_up 16mbit
	option bandwidth_down 56mbit
	# defaults:
	option ingress 1
	option egress 1
	option mode diffserv4
	option nat 1
	option host_isolate 1
	option autorate_ingress 1
	option ingress_options ""
	option egress_options ""
	option options ""

config device wandev
	option disabled 1
	option name wan
	option bandwidth 100mbit

Maybe open a new thread for configuring qosify :slight_smile:

Working nicely so far, but took a little bit to read between the lines of the README.

I made some changes to the defaults. I changed dscp_bulk from CS0 to CS1, and I added dscp_default_tcp CS0 (since my ISP marks all my ingress traffic as CS1). I also added docsis to the options parameter to account for my desired overhead.

I added a 01-dns.conf file in /etc/qosify with all my former dnsmasq ipset configs. Is it required to put a wildcard on a domain if you want all sub-domains included (e.g. googlevideo.com or *.googlevideo.com)?

It's not obvious, but you can dump your config with ubus call qosify dump

Very cool so far! Thanks @nbd

/etc/qosify/01-dns.conf
# Bulk
dns:*.backblaze.com CS1
dns:*.backblazeb2.com CS1
dns:*.ms-acdc.office.com CS1
dns:*.windowsupdate.com CS1
dns:*.update.microsoft.com CS1
dns:*.onedrive.com CS1
dns:*.1drv.ms CS1
dns:*.1drv.com CS1
dns:*.sharepoint.com CS1

# Video
dns:*.googlevideo.com AF41
dns:*.nflxvideo.net AF41
dns:*.aiv-cdn.net AF41
dns:*.r.cloudfront.net AF41
dns:*.aiv-delivery.net AF41
dns:*.mediaplatform.com AF41
dns:*.uplynk.com AF41

# Voice
dns:*.zoom.us CS6
dns:*.skype.com CS6

/etc/qosify/00-defaults.conf
# DNS
tcp:53          CS5
udp:53          CS5

# NTP
udp:123         CS6

# SSH
tcp:22          +CS4

# HTTP/QUIC
#tcp:80         +CS3
#tcp:443                +CS3
udp:80          CS0
udp:443         CS0

# Facetime
udp:3478-3497 +CS6
udp:16384-16387 +CS6
udp:16393-16402 +CS6

# Zoom
udp:8801-8810 +CS6

3 Likes

Cool,
You added the overhead option, how?

option overhead "docsis"?

Put docsis inside the quotes.
option options "docsis"

1 Like

I have many iptables rules for my connection with src and dst IP, src port and dest port. How do I add them in qosify?

The way I interpret the docs and code, it is based on one criterion only (ip or port, but not both together). So iptables rules are probably needed still for those more complex requirements.

I could be wrong, or maybe AND support can come later.

1 Like

I'm on VDSL2. I think I add ethernet, but usually I use 44 overhead. Where do I place the overhead number?

Then I updated to the last snapshot and the qosify package is missing now. How do I recover the package? Thanks

https://downloads.openwrt.org/snapshots/faillogs/aarch64_cortex-a72/base/qosify/compile.txt

1 Like

Just use overhead 44 instead of docsis like I did.

1 Like

One difference between qosify’s dns: approach versus using dnsmasq with ipsets is that you need to know the underlying A record name for any CNAMEs you want to capture traffic for.

In dnsmasq, you could put skype.com into a voice ipset and not worry about the real A records. With qosify, since it only sees the final dns_result through ubus, you have to know that skype.com might actually be l-0007.dc-msedge.net, and that’s what you’d have to account for in the qosify map file.

Not a showstopper, but you might not be able to just reformat your dnsmasq ipset options into qosify dns: options.

1 Like

I just pushed a fix for the qosify build failure, next snapshot build should work again.
Regarding the CNAME issue: I think I need to update the dnsmasq ubus patch so that it generates events for both if the CNAME is different from the A record name.

3 Likes

Questions:

  1. Does qosify allow defining combinations of IP addresses and ports for its marking rules?

  2. Does that marking also work on ingress, that is, will the re-marking happen before a qdisc on an IFB sees the packets?

  3. If yes to 2) above, can marking rules employ "internal" IP addresses, that is, does this look into conntrack and friends to get the mapping between addresses/ports in the pre-NAT and the post-NAT world?

I had a look at the description of qosify, but did not see these answered (but I might have overlooked it).
Thanks!

1 Like

@dave14305,
Regarding your changes to the bulk class, I'm planning on implementing support for dscp value aliases and for splitting tags between ingress and egress. The alias syntax in uci will look something like this:

config alias bulk
    option egress CS1
    option ingress LE
config alias video
    option value AF41
config alias voice
    option value CS6

and in /etc/qosify/*.conf you could then use bulk, video or voice instead of CS1 etc.
The main reason for this is the fact that the wireless qos_map_set will only put LE traffic into the bulk WMM class, and it would be a bit annoying if you have to change the wireless settings just for accommodating specific ISP DSCP preferences.

2 Likes

@moeller0,

  1. Not supported currently. Is it important?
  2. qosify is added as a classify rule under the cake qdisc on ifb. This means it gets to re-mark packets before cake takes a look at the dscp values.
  3. rules currently can't employ internal IP addresses. This is something that I may look into in the future.

1 Like

Not really important but nice to have. Ports, especially above 1024, are really not guaranteed to be application specific, so nothing guarantees that ports NNNNN-MMMMM packets arriving at ingress are truly those gaming packets a user wanted to prioritize for her gaming machine, and not, to make up a bad example, from a swarm of torrent peers.

But that sort of requires either 3) above or some way to collect all gaming sender IPs via an ipset analogue....

1 Like

excellent work

Yes, the idea is that, for example, for a specific IP we can assign a port or a specific port range like this

for example

iptables -t mangle -A POSTROUTING -p udp --dst 192.168.2.135 -j DSCP --sport 2053 --dport 50000:65535 --set-dscp-class CS5

iptables -t mangle -A POSTROUTING -p udp --src 192.168.2.135 -j DSCP --sport 50000:65535 --dport 2053 --set-dscp-class CS5

thanks

Hey @nbd

I’ve been trying to get qosify to work for the last 2 days.. without any success. It would be nice if you could provide a more detailed instruction on how to run it.

For example, I don’t actually know if I should run it with sqm enabled or if it replaces sqm and I should disable it and how to actually run it? It never made any difference for me in tagging packets or reducing bandwidth.

For testing I tried to tag 8.8.8.8 with CS7 and pinged it but no packets are tagged.

Here is my config:

# DNS
tcp:53		CS5
tcp:5353	CS5
udp:53		CS5
udp:5353	CS5

# NTP
udp:123		CS6

# SSH
tcp:22		+CS4

# HTTP/QUIC
tcp:80		+CS3
tcp:443		+CS3
udp:80		+CS3
udp:443		+CS3

#Gaming
udp:3074	+CS5

#Pingtest
8.8.8.8		+CS7

config defaults
	list defaults /etc/qosify/*.conf
	option dscp_prio CS5
	option dscp_icmp CS6
	option dscp_bulk CS0
	option dscp_default_udp	CS4
	option bulk_trigger_timeout 5
	option bulk_trigger_pps	100
	option prio_max_avg_pkt_len 500
	option interfaces eth1

config interface wan
	option name wan
	option disabled 0
	option bandwidth_up 24mbit
	option bandwidth_down 80mbit
	# defaults:
	option ingress 1
	option egress 1
	option mode diffserv4
	option nat 1
	option host_isolate 1
	option autorate_ingress 1
	option ingress_options ""
	option egress_options ""
	option options "22"

config device wandev
	option disabled 1
	option name wan
	option bandwidth 80mbit


+CS7 means to only mark it if it is marked with zero, but the default icmp is set to CS6. Take the + away and make it just CS7 and see if it works.

Also, your “22” in options is missing the overhead word in the quotes. option options "overhead 22"

1 Like
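
The `+` behaviour explained in the reply above, as an added example that is not part of the thread or of qosify's own code: a simplified Python model that parses the port and IP rule lines shown in this thread and applies them to a packet's current DSCP value. The names `parse_rules` and `mark` are hypothetical, and first-match ordering and the single `port` argument are assumptions of the model; that ICMP already carries CS6 when the rule is checked follows the reply's explanation.

```python
# Added illustration: simplified model of qosify map rules, built only from
# the syntax and the "+" behaviour described in this thread (not qosify code).
import ipaddress

# Standard DSCP codepoints for the class names used in the thread.
DSCP = {"CS0": 0, "CS1": 8, "CS3": 24, "CS4": 32,
        "CS5": 40, "CS6": 48, "CS7": 56, "AF41": 34}

# Constructed sample, assembled from rule lines posted in the thread.
SAMPLE = """
# SSH
tcp:22          +CS4
#tcp:443        +CS3
udp:3478-3497   +CS6
#Pingtest
8.8.8.8         +CS7
"""

def parse_rules(text):
    """Parse 'tcp|udp:PORT[-PORT] [+]CLASS' and 'IP [+]CLASS' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("dns:"):
            continue                          # dns: patterns are out of scope here
        key, value = line.split()
        only_if_zero = value.startswith("+")  # "+" = mark only unmarked packets
        dscp = DSCP[value.lstrip("+")]
        if key.startswith(("tcp:", "udp:")):
            proto, ports = key.split(":")
            lo, _, hi = ports.partition("-")
            rules.append((proto, int(lo), int(hi or lo), dscp, only_if_zero))
        else:
            addr = ipaddress.ip_address(key)
            rules.append(("ip", addr, addr, dscp, only_if_zero))
    return rules

def mark(rules, current, proto=None, port=None, ip=None):
    """Return the DSCP after the first matching rule (ordering is an assumption)."""
    for kind, lo, hi, dscp, only_if_zero in rules:
        if kind == "ip":
            hit = ip is not None and ipaddress.ip_address(ip) == lo
        else:
            hit = kind == proto and port is not None and lo <= port <= hi
        if hit:
            return current if only_if_zero and current != 0 else dscp
    return current

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    # ICMP is already CS6 (dscp_icmp) when the 8.8.8.8 rule is checked.
    print(mark(rules, DSCP["CS6"], ip="8.8.8.8"))                  # "+CS7" rule
    print(mark(parse_rules("8.8.8.8 CS7"), DSCP["CS6"], ip="8.8.8.8"))
```
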

Damn, thank you! Seems like it's working now :slight_smile:

One thing I also noticed: when changing settings in the config you always have to restart the service for changes to apply.

2 Likes