authorGregor Kleen <gkleen@yggdrasil.li>2023-03-10 18:19:26 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2023-03-10 18:19:26 +0100
commite275caddb607b8ff37569be66f1bf44303919502 (patch)
tree760068f7662115f44ef2b46fe89405078761370f /hosts/vidhar/network/ruleset.nft
parent4c0e9c5d6d93a183ae60e711be3eb041dcc710a3 (diff)
vidhar: dscp
Diffstat (limited to 'hosts/vidhar/network/ruleset.nft')
-rw-r--r--hosts/vidhar/network/ruleset.nft183
1 files changed, 183 insertions, 0 deletions
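diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 833013e9..30db0ac3 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -270,3 +270,186 @@ table ip mss_clamp {
  oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu
  }
 }
+
+## Masks for extracting/storing data in the conntrack mark
+# define ct_dscp = 0x0000003f
+# define ct_dyn = 0x00000080
+# define ct_dyn_static_dscp = 0x000000ff
+define ct_static = 0x00000040
+define ct_unused = 0xffffff80
+# define ct_unused_dscp = 0xffffff3f
+# define ct_unused_dyn = 0xffffff80
+
+## DSCP classification values
+define cs0 = 0
+define lephb = 1
+define cs1 = 8
+define af11 = 10
+define af12 = 12
+define af13 = 14
+define cs2 = 16
+define af21 = 18
+define af22 = 20
+define af23 = 22
+define cs3 = 24
+define af31 = 26
+define af32 = 28
+define af33 = 30
+define cs4 = 32
+define af41 = 34
+define af42 = 36
+define af43 = 38
+define cs5 = 40
+define va = 44
+define ef = 46
+define cs6 = 48
+define cs7 = 56
+
+table inet dscpclassify {
+ ## Set conntrack DSCP mark without modifying unused bits
+ chain ct_set_cs0 {
+ ct mark set ct mark and $ct_unused or $cs0
+ }
+
+ chain ct_set_lephb {
+ ct mark set ct mark and $ct_unused or $lephb or $ct_static
+ }
+
+ chain ct_set_cs1 {
+ ct mark set ct mark and $ct_unused or $cs1 or $ct_static
+ }
+
+ chain ct_set_af11 {
+ ct mark set ct mark and $ct_unused or $af11 or $ct_static
+ }
+
+ chain ct_set_af12 {
+ ct mark set ct mark and $ct_unused or $af12 or $ct_static
+ }
+
+ chain ct_set_af13 {
+ ct mark set ct mark and $ct_unused or $af13 or $ct_static
+ }
+
+ chain ct_set_cs2 {
+ ct mark set ct mark and $ct_unused or $cs2 or $ct_static
+ }
+
+ chain ct_set_af21 {
+ ct mark set ct mark and $ct_unused or $af21 or $ct_static
+ }
+
+ chain ct_set_af22 {
+ ct mark set ct mark and $ct_unused or $af22 or $ct_static
+ }
+
+ chain ct_set_af23 {
+ ct mark set ct mark and $ct_unused or $af23 or $ct_static
+ }
+
+ chain ct_set_cs3 {
+ ct mark set ct mark and $ct_unused or $cs3 or $ct_static
+ }
+
+ chain ct_set_af31 {
+ ct mark set ct mark and $ct_unused or $af31 or $ct_static
+ }
+
+ chain ct_set_af32 {
+ ct mark set ct mark and $ct_unused or $af32 or $ct_static
+ }
+
+ chain ct_set_af33 {
+ ct mark set ct mark and $ct_unused or $af33 or $ct_static
+ }
+
+ chain ct_set_cs4 {
+ ct mark set ct mark and $ct_unused or $cs4 or $ct_static
+ }
+
+ chain ct_set_af41 {
+ ct mark set ct mark and $ct_unused or $af41 or $ct_static
+ }
+
+ chain ct_set_af42 {
+ ct mark set ct mark and $ct_unused or $af42 or $ct_static
+ }
+
+ chain ct_set_af43 {
+ ct mark set ct mark and $ct_unused or $af43 or $ct_static
+ }
+
+ chain ct_set_cs5 {
+ ct mark set ct mark and $ct_unused or $cs5 or $ct_static
+ }
+
+ chain ct_set_va {
+ ct mark set ct mark and $ct_unused or $va or $ct_static
+ }
+
+ chain ct_set_ef {
+ ct mark set ct mark and $ct_unused or $ef or $ct_static
+ }
+
+ chain ct_set_cs6 {
+ ct mark set ct mark and $ct_unused or $cs6 or $ct_static
+ }
+
+ chain ct_set_cs7 {
+ ct mark set ct mark and $ct_unused or $cs7 or $ct_static
+ }
+
+ chain postrouting {
+ type filter hook postrouting priority filter + 1; policy accept
+
+ oifname != dsl return
+
+ ip dscp cs0 goto ct_set_cs0
+ ip dscp lephb goto ct_set_lephb
+ ip dscp cs1 goto ct_set_cs1
+ ip dscp af11 goto ct_set_af11
+ ip dscp af12 goto ct_set_af12
+ ip dscp af13 goto ct_set_af13
+ ip dscp cs2 goto ct_set_cs2
+ ip dscp af21 goto ct_set_af21
+ ip dscp af22 goto ct_set_af22
+ ip dscp af23 goto ct_set_af23
+ ip dscp cs3 goto ct_set_cs3
+ ip dscp af31 goto ct_set_af31
+ ip dscp af32 goto ct_set_af32
+ ip dscp af33 goto ct_set_af33
+ ip dscp cs4 goto ct_set_cs4
+ ip dscp af41 goto ct_set_af41
+ ip dscp af42 goto ct_set_af42
+ ip dscp af43 goto ct_set_af43
+ ip dscp cs5 goto ct_set_cs5
+ ip dscp va goto ct_set_va
+ ip dscp ef goto ct_set_ef
+ ip dscp cs6 goto ct_set_cs6
+ ip dscp cs7 goto ct_set_cs7
+
+ ip6 dscp cs0 goto ct_set_cs0
+ ip6 dscp lephb goto ct_set_lephb
+ ip6 dscp cs1 goto ct_set_cs1
+ ip6 dscp af11 goto ct_set_af11
+ ip6 dscp af12 goto ct_set_af12
+ ip6 dscp af13 goto ct_set_af13
+ ip6 dscp cs2 goto ct_set_cs2
+ ip6 dscp af21 goto ct_set_af21
+ ip6 dscp af22 goto ct_set_af22
+ ip6 dscp af23 goto ct_set_af23
+ ip6 dscp cs3 goto ct_set_cs3
+ ip6 dscp af31 goto ct_set_af31
+ ip6 dscp af32 goto ct_set_af32
+ ip6 dscp af33 goto ct_set_af33
+ ip6 dscp cs4 goto ct_set_cs4
+ ip6 dscp af41 goto ct_set_af41
+ ip6 dscp af42 goto ct_set_af42
+ ip6 dscp af43 goto ct_set_af43
+ ip6 dscp cs5 goto ct_set_cs5
+ ip6 dscp va goto ct_set_va
+ ip6 dscp ef goto ct_set_ef
+ ip6 dscp cs6 goto ct_set_cs6
+ ip6 dscp cs7 goto ct_set_cs7
+ }
+}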
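Review bot: The `postrouting` chain copies whatever DSCP the sending host placed in the header into the conntrack mark, on every packet leaving via `dsl`, with no check on where the packet came from. If that mark is later used to restore DSCP on replies or to select a shaper class (the consumer is not visible in this hunk), any forwarded client can place its own flows into ef, cs6 or cs7. Consider sending the network-control and voice codepoints from forwarded traffic to `ct_set_cs0` ahead of the dispatch list, and at minimum state the trust assumption above the chain, e.g. `## DSCP is taken as set by the sender; only meaningful if LAN hosts are trusted to self-classify`. Separately, `$ct_static` is set by every chain except `ct_set_cs0` but is never tested here, so a later packet with a different DSCP overwrites the stored class.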