SQM and nftables?

What's the situation with sqm and nftables? Has it got rid of the iptables dependencies completely yet?

IIRC if you install iptables-nft before installing sqm-scripts it will not drag in the real iptables stuff, but some qos scripts like simple.qos require iptables syntax.

fq_codel is still dependent on old firewall packages in current 23.05 release candidates, while cake and piece of cake are pure nft capable with no old dependencies.


As I said, simple.qos expects an iptables binary of some sort... but iptables-nft will do just fine, so what is the big concern here?

Sidenote, I am not really impressed with the coverage of iptables-nft, it is not a full replacement for legacy iptables; then again, it is probably good enough for many use-cases, sqm-scripts among them...

The concern is bloat mainly. Don't wanna commit 1mb to useless iptables packages for a dependency I don't need.

Sounds like it's still not fully sorted judging by the replies here. Ah well, skip sqm for new installation a bit longer I guess.


If you want to use simple.qos you need a compatible iptables binary...

By all means, either don't use sqm scripts or simply install it manually from the github repository (and stick to the two cake scripts) if the size of iptables-nft is prohibitive for your router.

Not speaking for sqm-scripts here but just myself: while it is great that OpenWrt switched to nftables, not all distributions made that switch (yet), so keeping sqm-scripts working with iptables is IMHO a worthwhile exercise.

SQM was and still is fully supported.

If you like to adapt fq_codel to nft please do it.

I don’t have a concern. I switched from fq_codel to cake to get native nft compatibility. For use cases that need fq_codel there is need to stick to iptables for now.


Fq_codel, being a qdisc like cake, really does not care about iptables/nftables at all, it is just that simple.qos expects a working iptables binary independent of whether you selected fq_codel or cake as qdisc. But e.g. simplest.qos with fq_codel does not call iptables at all.

As I said it is possible to manually install sqm-scripts to sidestep the issue as long as one avoids simple.qos....


Thanks for the explanation. For efficiency or good enough fair queueing I prefer fq_codel.

For me the iptables dependency is not a big issue because I have enough SoC performance to be able to instead use cake. Quick workaround, this compromise is better for me than to completely drop SQM just because it’s work in progress.

Of course I don't mind that sqm supports iptables. After all, they're probably still the majority of installations out there.

I just wish it was split into 2 packages depending on what tables your router is using if iptables is not actually essential for the scripts to function as people here are saying.

Just execute these commands:

opkg update
opkg install iptables-nft ip6tables-nft luci-app-sqm

With cake you won’t get nft warnings at the luci firewall page.

Interesting that today I was working on a simple variation of sqm-scripts that uses act_ctinfo and nftables. It just creates a simple environment to save DSCP marks using act_ctinfo and restores them on egress and ingress. Assigning DSCPs is left to the user to perform locally on individual clients or using regular firewall4 rules and custom includes.

Both DSCPClassify and cake-qos-simple are more ambitious than this script, but less can be more.

From 2d4c2e688759fa52cafee10c65dc4beeedaa9f55 Mon Sep 17 00:00:00 2001
From: dave14305 <44532942+dave14305@users.noreply.github.com>
Date: Mon, 10 Jul 2023 20:14:46 -0400
Subject: [PATCH] Introduce ctinfo_cake.qos script

 src/ctinfo_cake.qos      | 68 ++++++++++++++++++++++++++++++++++++++++
 src/ctinfo_cake.qos.help |  7 +++++
 src/defaults.sh          |  2 ++
 src/functions.sh         | 16 ++++++++++
 4 files changed, 93 insertions(+)
 create mode 100644 src/ctinfo_cake.qos
 create mode 100644 src/ctinfo_cake.qos.help

diff --git a/src/ctinfo_cake.qos b/src/ctinfo_cake.qos
new file mode 100644
index 0000000..02b0c0a
--- /dev/null
+++ b/src/ctinfo_cake.qos
@@ -0,0 +1,68 @@
+# Cero3 Shaper
+# A cake shaper and AQM solution that allows several diffserv marking schemes
+# for ethernet gateways
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#       Copyright (C) 2012-5 Michael D. Taht, Toke Høiland-Jørgensen, Sebastian Moeller
+#sm: TODO pass in the cake diffserv keyword
+. ${SQM_LIB_DIR}/defaults.sh
+# Default traffic classication is passed in INGRESS_CAKE_OPTS and EGRESS_CAKE_OPTS, defined in defaults.sh now
+nft_setup() {
+    nft -f - <<EOF
+add table inet sqm_ctinfo_cake
+delete table inet sqm_ctinfo_cake
+add table inet sqm_ctinfo_cake
+add chain inet sqm_ctinfo_cake sqm_ctinfo_postrouting { type filter hook postrouting priority mangle + 1; policy accept; }
+add chain inet sqm_ctinfo_cake sqm_store_dscp
+add rule inet sqm_ctinfo_cake sqm_ctinfo_postrouting oifname $IFACE ct mark & 64 == 0 jump sqm_store_dscp
+add rule inet sqm_ctinfo_cake sqm_store_dscp ct mark set ip dscp
+add rule inet sqm_ctinfo_cake sqm_store_dscp ct mark set ip6 dscp
+add rule inet sqm_ctinfo_cake sqm_store_dscp ct mark set ct mark or 64 counter
+egress() {
+    SILENT=1 $TC qdisc del dev $IFACE root
+    $TC qdisc add dev $IFACE root $( get_stab_string ) cake \
+        bandwidth ${UPLINK}kbit $( get_cake_lla_string ) ${EGRESS_CAKE_OPTS} diffserv4 ${EQDISC_OPTS}
+    # restore saved DSCP on egress
+    $TC filter add dev $IFACE matchall action ctinfo dscp 63 64
+ingress() {
+    SILENT=1 $TC qdisc del dev $IFACE handle ffff: ingress
+    $TC qdisc add dev $IFACE handle ffff: ingress
+    SILENT=1 $TC qdisc del dev $DEV root
+    $TC qdisc add dev $DEV root $( get_stab_string ) cake \
+        bandwidth ${DOWNLINK}kbit $( get_cake_lla_string ) ${INGRESS_CAKE_OPTS} diffserv4 ${IQDISC_OPTS}
+    $IP link set dev $DEV up
+    # restore saved DSCP on ingress and 
+    # redirect all IP packets arriving in $IFACE to ifb
+    $TC filter add dev $IFACE parent ffff: matchall action ctinfo dscp 63 64 \
+       mirred egress redirect dev $DEV
+sqm_prepare_script() {
+    do_modules
+    verify_qdisc $QDISC "cake" || return 1
+    nft_setup
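Review bot: In sqm_store_dscp, `ct mark set ip dscp` and `ct mark set ip6 dscp` assign the whole conntrack mark, so any bits that other rules on the router keep in ct mark (policy routing, other firewall marks) are overwritten before `ct mark set ct mark or 64` runs. The tc side only reads mask 63 and state bit 64 (`ctinfo dscp 63 64`), so either preserve the remaining bits when storing or state clearly that this script owns the entire conntrack mark. Also quote the interface in `oifname $IFACE` so an unusual interface name cannot change how the nft rule is parsed.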
diff --git a/src/ctinfo_cake.qos.help b/src/ctinfo_cake.qos.help
new file mode 100644
index 0000000..5f25ebc
--- /dev/null
+++ b/src/ctinfo_cake.qos.help
@@ -0,0 +1,7 @@
+This uses the cake qdisc to manage traffic flows and uses the act_ctinfo 
+module to restore DSCP marks on ingress and egress traffic after an initial
+DSCP assignment process. DSCP can be assigned on individual clients or 
+managed through the sqm host's nftables ruleset. CAKE is configured with
+diffserv4 to allow bulk, besteffort, video and voice tins for classification.
+This script requires that cake is selected as qdisc, and forces its usage.
+See: http://www.bufferbloat.net/projects/codel/wiki/Cake for more information
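Review bot: The help text does not say that the script creates its own `inet sqm_ctinfo_cake` table and stores the DSCP in the low bits of the conntrack mark, with value 64 used as the "already stored" flag. Users who assign DSCP through firewall4 rules and also set ct mark there need that information to avoid collisions; one sentence naming the mask values 63 and 64 would cover it. The first and third lines of the text also end in trailing whitespace.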
diff --git a/src/defaults.sh b/src/defaults.sh
index 6298266..cf70d5e 100644
--- a/src/defaults.sh
+++ b/src/defaults.sh
@@ -38,6 +38,8 @@
 [ -z "$IP6TABLES_BINARY" ] && IP6TABLES_BINARY=$(command -v ip6tables)
 [ -z "$IP6TABLES_BINARY" ] && IP6TABLES_BINARY=$(command -v ip6tables-nft)
 [ -z "$IPTABLES_ARGS" ] && IPTABLES_ARGS="-w 1"
+[ -z "$NFT" ] && NFT=nft_wrapper
+[ -z "$NFT_BINARY" ] && NFT_BINARY=$(command -v nft)
 # Try modprobe first, fall back to insmod
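Review bot: `NFT` and `NFT_BINARY` are defined here, but nft_setup in ctinfo_cake.qos, as shown in this patch, calls `nft -f -` directly, so the wrapper and its debug logging are bypassed by the one script that needs them. Use `$NFT -f -` in nft_setup. Note also that, unlike the ip6tables lines just above, there is no second lookup when `command -v nft` returns nothing, so `NFT_BINARY` can be empty when the wrapper is called.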
diff --git a/src/functions.sh b/src/functions.sh
index 21efa26..6461507 100644
--- a/src/functions.sh
+++ b/src/functions.sh
@@ -190,6 +190,22 @@ verify_iptables()
     return $ret
+# wrapper to call nft to allow debug logging
+    cmd_wrapper nft ${NFT_BINARY} "$@"
+    local ret
+    ret=0
+    if [ -z "$NFT_BINARY"]; then
+        sqm_error "No nft binary found, please install 'nftables-json' or 'nftables-nojson' to use this script"
+        ret=1
+    fi
+    return $ret
 # wrapper to call tc to allow debug logging
     cmd_wrapper tc ${TC_BINARY} "$@"
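Review bot: The test `if [ -z "$NFT_BINARY"]; then` is missing the space before `]`. When nft is installed the last argument becomes the binary path with `]` glued to it, `[` prints a missing `]` error, and the function returns 0 only because that error counts as false; when the variable is empty the expression collapses to `[ -z ]`, which is true for a different reason than intended. Write `[ -z "$NFT_BINARY" ]` so the check does what it says and stays quiet on a working system.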

So why do this as a separate script instead of pure defaults.sh helper functions that could be added to both layer_cake.qos and simple.qos? But even if you do not agree, please put in a pull request for this to sqm-scripts main repository for your current version, if you are willing to share....

Interesting point. I'll think about how to achieve that before posting a draft PR.