Hi!
I'm trying to set DSCP flags for some packets and make cake use those.
Since sqm-scripts use ifb, setting DSCP flags on ingress will not work.
So I modded the script to use imq instead and also added imq back to the kernel/iptables.
Currently I'm using this approach.
###################################################################
# Create DSCP Marking Groups for
# Cake's DiffServ4 Implementation
# Since we issue ACCEPT after Match
# make sure DSCP Rules are issued last
###################################################################
IPT="${IPT:-iptables}"   # fallback when $IPT is not set by the calling script
$IPT -t mangle -N sqm
$IPT -t mangle -N dscp_cs0
$IPT -t mangle -N dscp_cs1
$IPT -t mangle -N dscp_cs3
$IPT -t mangle -N dscp_cs7
# Only set DSCP Flags on Packets that are going to be forwarded to the internet
$IPT -t mangle -A FORWARD -i br-lan -o eth1 -j sqm
$IPT -t mangle -A FORWARD -i br-isolated -o eth1 -j sqm
# Can't use FORWARD on ingress because of imq/cake
$IPT -t mangle -A PREROUTING -i eth1 -j sqm
# Setup dscp set flag chains
$IPT -t mangle -A dscp_cs0 -j DSCP --set-dscp-class CS0 -m comment --comment "CS0 Best Effort"
$IPT -t mangle -A dscp_cs0 -j ACCEPT
$IPT -t mangle -A dscp_cs1 -j DSCP --set-dscp-class CS1 -m comment --comment "CS1 Background"
$IPT -t mangle -A dscp_cs1 -j ACCEPT
$IPT -t mangle -A dscp_cs3 -j DSCP --set-dscp-class CS3 -m comment --comment "CS3 Streaming"
$IPT -t mangle -A dscp_cs3 -j ACCEPT
$IPT -t mangle -A dscp_cs7 -j DSCP --set-dscp-class CS7 -m comment --comment "CS7 Latency Sensitive"
$IPT -t mangle -A dscp_cs7 -j ACCEPT
###################################################################
# Latency Sensitive (Voice Tin)
###################################################################
# Generic
$IPT -t mangle -A sqm -m ndpi --NTP -j dscp_cs7
# Gaming
$IPT -t mangle -A sqm -p tcp -m conntrack --ctorigsrc 10.0.1.60 -m multiport ! --ports 80,443 -j dscp_cs7 -m comment --comment "PS4"
$IPT -t mangle -A sqm -p udp -m conntrack --ctorigsrc 10.0.1.60 -j dscp_cs7 -m comment --comment "PS4"
$IPT -t mangle -A sqm -p udp -m multiport --ports 5000:5500 -j dscp_cs7 -m comment --comment "League of Legends"
$IPT -t mangle -A sqm -m ndpi --CSGO -j dscp_cs7
$IPT -t mangle -A sqm -m ndpi --WorldOfWarcraft -j dscp_cs7
# Voice
$IPT -t mangle -A sqm -m ndpi --TeamSpeak -j dscp_cs7
$IPT -t mangle -A sqm -m ndpi --WhatsAppVoice -j dscp_cs7
$IPT -t mangle -A sqm -m ndpi --SIP -j dscp_cs7
###################################################################
# Streaming Media (Video Tin)
###################################################################
$IPT -t mangle -A sqm -m ndpi --YouTube -j dscp_cs3
$IPT -t mangle -A sqm -m ndpi --NetFlix -j dscp_cs3
$IPT -t mangle -A sqm -m ndpi --AmazonVideo -j dscp_cs3
$IPT -t mangle -A sqm -m ndpi --Vevo -j dscp_cs3
$IPT -t mangle -A sqm -m ndpi --Twitch -j dscp_cs3
$IPT -t mangle -A sqm -m ndpi --GoogleHangout -j dscp_cs3
$IPT -t mangle -A sqm -m ndpi --Spotify -j dscp_cs3
$IPT -t mangle -A sqm -m ndpi --Deezer -j dscp_cs3
$IPT -t mangle -A sqm -m ndpi --SoundCloud -j dscp_cs3
$IPT -t mangle -A sqm -m ndpi --LastFM -j dscp_cs3
$IPT -t mangle -A sqm -m ndpi --Skype -j dscp_cs3
# Remote Administration
$IPT -t mangle -A sqm -m ndpi --TeamViewer -j dscp_cs3
$IPT -t mangle -A sqm -m ndpi --VNC -j dscp_cs3
###################################################################
# Background Traffic (Bulk Tin)
###################################################################
# Mail
$IPT -t mangle -A sqm -m ndpi --SMTP -j dscp_cs1 # Maybe remove, since I block all insecure SMTP traffic anyway (used for spam)
$IPT -t mangle -A sqm -m ndpi --SMTPS -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --IMAP -j dscp_cs1 # Maybe also remove and block instead since insecure
$IPT -t mangle -A sqm -m ndpi --IMAPS -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --POP3 -j dscp_cs1 # Maybe also remove and block instead since insecure
$IPT -t mangle -A sqm -m ndpi --POPS -j dscp_cs1
# P2P
$IPT -t mangle -A sqm -m ndpi --BitTorrent -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --eDonkey -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --Thunder -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --AppleJuice -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --Soulseek -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --Gnutella -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --DirectConnect -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --FastTrack -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --Stealthnet -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --Filetopia -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --Usenet -j dscp_cs1
# Cloud
$IPT -t mangle -A sqm -m ndpi --Dropbox -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --GoogleDrive -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --MS_OneDrive -j dscp_cs1
# Other
$IPT -t mangle -A sqm -m ndpi --Steam -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --PlayStore -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --GoogleDocs -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --YouTubeUpload -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --WhatsAppFiles -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --FTP_DATA -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --Git -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --RSYNC -j dscp_cs1
$IPT -t mangle -A sqm -m ndpi --WindowsUpdate -j dscp_cs1
# Consider "large" HTTP/S traffic (out/in) as Bulk
# Need some better solution for this
# But should work for most use cases
$IPT -t mangle -A sqm -p tcp -m connbytes --connbytes 10485760 --connbytes-dir reply --connbytes-mode bytes -m multiport --sports 80,443 -j dscp_cs1
$IPT -t mangle -A sqm -p tcp -m connbytes --connbytes 2097152 --connbytes-dir original --connbytes-mode bytes -m multiport --dports 80,443 -j dscp_cs1
###################################################################
# Best Effort (Best Effort Tin (Default))
###################################################################
# Since we don't know if LAN Users are messing around with DSCP Flags
# And my ISP is doing weird Stuff with DSCP Flags too
# Simply default all Traffic to BE and overwrite later on
$IPT -t mangle -A sqm -j dscp_cs0 -m comment --comment "CS0 Best Effort (Default)"
It works, but I was thinking about something better.
One problem is that it has to match packets/connections on both sides.
Maybe something like: only do the classification on the egress side and mark those packets/connections with a connmark,
and use that mark on the ingress side.
That should reduce CPU load?
I have a somewhat working solution which utilizes this.
Do I have to use conntrack with ctstate (NEW,ESTABLISHED,RELATED) when using connmark?
Does anyone have a better idea?
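One way to implement the connmark idea from the post above, as an added example that is not part of the original post: it assumes eth1 as WAN, br-lan/br-isolated as LAN bridges, the ndpi match used in the post, and that the low byte of the fwmark (mask 0xff) is unused on the box. Classification runs only while a flow's connmark is still zero, and the ingress side does nothing but restore the mark and map it to a DSCP class.

```shell
#!/bin/sh
# Added example, not from the original post: classify a flow once on the
# egress path, keep the verdict in the conntrack mark, replay it on ingress.
# Assumptions: WAN is eth1, LAN bridges are br-lan/br-isolated, and the low
# byte of the fwmark (MASK) is not used by anything else on this box.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth1}"
LAN_IFACES="${LAN_IFACES:-br-lan br-isolated}"
MASK=0xff
TIN_BULK=0x1    # -> CS1, cake diffserv4 bulk tin
TIN_VIDEO=0x3   # -> CS3, video tin
TIN_VOICE=0x7   # -> CS7, voice tin
# Map the restored mark to the DSCP class cake keys its tins on.
apply_chain() {
    $IPT -t mangle -N sqm_apply
    $IPT -t mangle -A sqm_apply -m mark --mark $TIN_BULK/$MASK  -j DSCP --set-dscp-class CS1
    $IPT -t mangle -A sqm_apply -m mark --mark $TIN_VIDEO/$MASK -j DSCP --set-dscp-class CS3
    $IPT -t mangle -A sqm_apply -m mark --mark $TIN_VOICE/$MASK -j DSCP --set-dscp-class CS7
}
# Classification only sets the packet mark; the last rule copies a non-zero
# mark into the conntrack entry so later packets (both directions) reuse it.
classify_chain() {
    $IPT -t mangle -N sqm_classify
    $IPT -t mangle -A sqm_classify -m ndpi --SIP        -j MARK --set-mark $TIN_VOICE/$MASK
    $IPT -t mangle -A sqm_classify -m ndpi --YouTube    -j MARK --set-mark $TIN_VIDEO/$MASK
    $IPT -t mangle -A sqm_classify -m ndpi --BitTorrent -j MARK --set-mark $TIN_BULK/$MASK
    $IPT -t mangle -A sqm_classify -m mark ! --mark 0x0/$MASK \
        -j CONNMARK --save-mark --nfmask $MASK --ctmask $MASK
}
# Egress: restore the mark, run the classifier only while the connection is
# still unmarked (so ndpi is not re-evaluated for every packet), default to
# CS0, then let sqm_apply overwrite the DSCP for flows that carry a mark.
egress_rules() {
    for lan in $LAN_IFACES; do
        $IPT -t mangle -A FORWARD -i "$lan" -o "$WAN" -j CONNMARK --restore-mark --nfmask $MASK --ctmask $MASK
        $IPT -t mangle -A FORWARD -i "$lan" -o "$WAN" -m connmark --mark 0x0/$MASK -j sqm_classify
        $IPT -t mangle -A FORWARD -i "$lan" -o "$WAN" -j DSCP --set-dscp-class CS0
        $IPT -t mangle -A FORWARD -i "$lan" -o "$WAN" -j sqm_apply
    done
}
# Ingress: no classification at all, just restore and apply. CONNMARK reads
# the conntrack entry directly, so no extra ctstate match is required here.
ingress_rules() {
    $IPT -t mangle -A PREROUTING -i "$WAN" -j CONNMARK --restore-mark --nfmask $MASK --ctmask $MASK
    $IPT -t mangle -A PREROUTING -i "$WAN" -j DSCP --set-dscp-class CS0
    $IPT -t mangle -A PREROUTING -i "$WAN" -j sqm_apply
}
install_all() { apply_chain; classify_chain; egress_rules; ingress_rules; }
# Run as root with "install" to load the rules; sourcing only defines them.
if [ "${1:-}" = install ]; then install_all; fi
```

Setting IPT=echo before calling the functions prints the rules instead of loading them, which is a cheap way to review the generated rule set before touching a live router.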