Skip to content
/ dscpclassify Public
forked from jeverley/dscpclassify

nftables ruleset for OpenWrt fw4 for dynamically setting DSCP packet marks

6 stars 10 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ldir-EDB0/dscpclassify

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits
etc
etc
 
 
usr/lib/sqm
usr/lib/sqm
 
 
README.md
README.md
 
 

Repository files navigation

nft-dscpclassify

An nftables based service for applying DSCP classifications to connections, compatible with OpenWrt's firewall4 for dynamically setting DSCP packet marks (this only works in OpenWrt 22.03 and above).

This should be used in conjunction with layer-cake SQM queue with ctinfo configured to restore DSCP on the device ingress. The nft-dscpclassify rules use the last 8 bits of the conntrack mark (0x000000ff).

image

To install the dscpclassify service via command line you can use the following:

mkdir -p "/etc/dscpclassify.d"
[ -f "/etc/config/dscpclassify" ] && mv /etc/config/dscpclassify /etc/config/dscpclassify.bak
rm -f /etc/dscpclassify.d/dscpclassify.nft
rm -f /etc/init.d/dscpclassify
wget https://raw.githubusercontent.com/jeverley/nft-dscpclassify/main/etc/config/dscpclassify -P /etc/config
wget https://raw.githubusercontent.com/jeverley/nft-dscpclassify/main/etc/dscpclassify.d/dscpclassify.nft -P /etc/dscpclassify.d
wget https://raw.githubusercontent.com/jeverley/nft-dscpclassify/main/etc/init.d/dscpclassify -P /etc/init.d
chmod +x "/etc/init.d/dscpclassify"
/etc/init.d/dscpclassify enable
/etc/init.d/dscpclassify start

The dscpclassify user rule syntax in '/etc/config/dscpclassify' follows the same syntax as OpenWrt firewall rules, with a 'dscp' option instead of 'target'

https://openwrt.org/docs/guide-user/firewall/firewall_configuration

An working default configuration is provided with the service.

Ingress (download) DSCP marking requires the SQM queue setup script 'layer_cake_ct.qos' and the package 'kmod-sched-ctinfo'.

To install the layer_cake_ct qdisc via command line you can use the following:

opkg update
opkg install kmod-sched-ctinfo
rm -f /usr/lib/sqm/layer_cake_ct.qos
rm -f /usr/lib/sqm/layer_cake_ct.qos.help
wget https://raw.githubusercontent.com/jeverley/nft-dscpclassify/main/usr/lib/sqm/layer_cake_ct.qos -P /usr/lib/sqm
wget https://raw.githubusercontent.com/jeverley/nft-dscpclassify/main/usr/lib/sqm/layer_cake_ct.qos.help -P /usr/lib/sqm

Tested working SQM config for the script:

Config parameter Value
qdisc_advanced '1'
squash_dscp '0'
squash_ingress '0'
qdisc_really_really_advanced '1'
iqdisc_opts 'nat dual-dsthost ingress diffserv4'
eqdisc_opts 'nat dual-srchost ack-filter diffserv4'
script 'layer_cake_ct.qos'

About

nftables ruleset for OpenWrt fw4 for dynamically setting DSCP packet marks

Resources

Readme
Activity

Stars

6 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Shell 95.1%
  • Makefile 4.9%