|
# Egress interface whose traffic is classified (the -o match in dscp_chains).
IFACE=pppoe-wan

# Netfilter command names used by every helper below; point these at a
# specific binary if the default PATH lookup is not wanted.
IPTABLES=iptables
IP6TABLES=ip6tables
|
|
|
dscp_rules() { |
|
# Define iptable rules that needs to be evaluated for new/unmarked connection |
|
# See: https://github.com/hisham2630/Ultimate-SQM-settings-Layer_cake-DSCP-marks-New-Script/blob/master/DSCP-ipv4.sh#L48 |
|
CHAIN="$1" |
|
|
|
iptmark() { |
|
$IPTABLES -t mangle -A ${CHAIN} "$@" |
|
$IP6TABLES -t mangle -A ${CHAIN} "$@" |
|
} |
|
|
|
iptmark4() { |
|
$IPTABLES -t mangle -A ${CHAIN} "$@" |
|
} |
|
|
|
iptmark6() { |
|
$IP6TABLES -t mangle -A ${CHAIN} "$@" |
|
} |
|
|
|
# Example How to limit video to 200ko/s in case you're on quota ( 4G/LTE ) |
|
# first clean all : |
|
#iptables -F forwarding_rule |
|
#iptables -A forwarding_rule -m set --match-set vidstream src -m hashlimit --hashlimit-mode srcip,dstip --hashlimit-name "videolimit" --hashlimit-above 200kb/s -j DROP |
|
#iptables -A forwarding_rule -s 64.18.0.0/20,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,173.194.0.0/16,207.126.144.0/20,209.85.128.0/17,216.58.208.0/20,216.239.32.0/19 -m hashlimit --hashlimit-mode srcip,dstip --hashlimit-name "videolimit" --hashlimit-above 200kb/s -j DROP |
|
|
|
## start by washing the dscp to CS0 |
|
iptmark -j DSCP --set-dscp 0 |
|
|
|
######################################## |
|
# Latency Sensitive (ping/ntp/gaming) |
|
######################################## |
|
# ICMP, to prioritize pings |
|
iptmark -p icmp -j DSCP --set-dscp-class CS5 -m comment --comment "ICMP-pings" |
|
|
|
# DNS traffic both udp and tcp |
|
iptmark -p udp -m multiport --port 53,853,5353,9953 -j DSCP --set-dscp-class CS5 -m comment --comment "DNS udp" |
|
iptmark -p tcp -m multiport --port 53,853,5353,9953 -j DSCP --set-dscp-class CS5 -m comment --comment "DNS tcp" |
|
|
|
# NTP |
|
iptmark -p udp -m multiport --port 123 -j DSCP --set-dscp-class CS6 -m comment --comment "NTP udp" |
|
iptmark -p tcp -m multiport --port 123,3333:3390,4444,12020,14444,24443 -j DSCP --set-dscp-class CS6 -m comment --comment "NTP tcp" |
|
|
|
# High priority ipset (e.g. game servers) |
|
iptmark4 ! -p tcp -m set --match-set latsens4 dst -j DSCP --set-dscp-class CS6 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive ipset,udp |
|
iptmark6 ! -p tcp -m set --match-set latsens6 dst -j DSCP --set-dscp-class CS6 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive ipset,udp |
|
iptmark4 -p tcp -m set --match-set latsens4 dst -j DSCP --set-dscp-class CS5 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive ipset |
|
iptmark6 -p tcp -m set --match-set latsens6 dst -j DSCP --set-dscp-class CS5 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive ipset |
|
|
|
########## |
|
# Browsing |
|
########## |
|
# medium priority for browsing |
|
iptmark -p tcp -m multiport --ports 80,443,8080,8443 -j DSCP --set-dscp-class CS3 -m comment --comment "Browsing at CS3" |
|
|
|
################################# |
|
# Streaming Media (videos/audios) |
|
################################# |
|
# Known video streams sites like netflix |
|
iptmark4 -m set --match-set streaming4 dst -j DSCP --set-dscp-class AF41 -m comment --comment "video audio stream ipset" |
|
iptmark6 -m set --match-set streaming6 dst -j DSCP --set-dscp-class AF41 -m comment --comment "video audio stream ipset" |
|
|
|
# some iptv provider's use this port |
|
iptmark -p tcp -m multiport --ports 1935,9982 -j DSCP --set-dscp-class AF41 -m comment --comment "some iptv streaming service" |
|
|
|
# known usrcdn like google or akamai |
|
iptmark4 -m set --match-set usrcdn4 dst -j DSCP --set-dscp-class AF21 -m comment --comment "usrcdn ipset" |
|
iptmark6 -m set --match-set usrcdn6 dst -j DSCP --set-dscp-class AF21 -m comment --comment "usrcdn ipset" |
|
|
|
######################################### |
|
# Background Traffic (Bulk/file transfer) |
|
######################################### |
|
# bulk traffic ipset, like windows udates and steam updates/downloads |
|
iptmark4 -p tcp -m set --match-set bulk4 dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset" |
|
iptmark6 -p tcp -m set --match-set bulk6 dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset" |
|
iptmark4 -p udp -m set --match-set bulk4 dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset" |
|
iptmark6 -p udp -m set --match-set bulk6 dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset" |
|
iptmark -p udp -m multiport --port 60001 -j DSCP --set-dscp-class CS1 -m comment --comment "bulk torrent port UDP" |
|
} |
|
|
|
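dscp_dynamic_rules() {
  # Append to chain $1 the rules that are evaluated for every packet of an
  # existing connection, re-grading its DSCP from observed traffic.
  #
  # Globals:   IPTABLES, IP6TABLES (read); CHAIN (written, kept global so the
  #            iptmark helper below can read it)
  # Arguments: $1 - mangle-table chain to append to
  # Returns:   status of the last iptables call; individual rule failures
  #            are not checked
  CHAIN="$1"

  # Append the same rule for IPv4 and IPv6.
  iptmark() {
    "$IPTABLES" -t mangle -A "$CHAIN" "$@"
    "$IP6TABLES" -t mangle -A "$CHAIN" "$@"
  }

  ###################################################
  # Detect Bulk TCP traffic (downgrade file transfer)
  ###################################################
  # Once a TCP connection has moved 350000 bytes in either direction, demote
  # it from CS0 or CS3 to CS1.
  iptmark -p tcp -m connbytes --connbytes 350000: --connbytes-dir both --connbytes-mode bytes -m dscp --dscp-class CS0 -j DSCP --set-dscp-class CS1 -m comment --comment "Downgrade CS0 to CS1 for bulk tcp traffic"
  iptmark -p tcp -m connbytes --connbytes 350000: --connbytes-dir both --connbytes-mode bytes -m dscp --dscp-class CS3 -j DSCP --set-dscp-class CS1 -m comment --comment "Downgrade CS3 to CS1 for bulk tcp traffic"

  #################################################
  # Detect Realtime UDP (upgrade video/voice calls)
  #################################################
  # Two rules to detect realtime traffic, gated by a third that excludes
  # high-rate flows.

  # Mark connections that go over 115 packets per second; they are not
  # prioritized by the two rules after this one.
  # NOTE(review): --set-mark 0x55 carries no mask, so it replaces the whole
  # connmark, including the DSCP/valid bits that dscp_chains stores with
  # --set-dscpmark 0xfc000000/0x01000000. If that is not intended, a masked
  # form (--set-mark 0x55/0xff, matched with --mark 0x55/0xff) would confine
  # it to the low byte - confirm before changing.
  iptmark -p udp -m hashlimit --hashlimit-name udp_high_prio --hashlimit-above 115/sec --hashlimit-burst 50 --hashlimit-mode srcip,srcport,dstip,dstport -j CONNMARK --set-mark 0x55 -m comment --comment "connmark for udp"

  # Unmarked UDP streams with small average packets (up to 940 bytes) get CS6;
  # the port list excludes well-known services from this heuristic.
  iptmark -p udp -m connmark ! --mark 0x55 -m multiport ! --ports 22,25,53,67,68,123,143,161,162,514,5353,80,443,8080,8443 -m connbytes --connbytes 0:940 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS6 -m comment --comment "small udp connection gets CS6"

  # Larger UDP streams (940-1500 byte average), like video calls, get AF41.
  iptmark -p udp -m connmark ! --mark 0x55 -m multiport ! --ports 22,25,53,67,68,123,143,161,162,514,5353,80,443,8080,8443 -m connbytes --connbytes 940:1500 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class AF41 -m comment --comment "large udp connection gets AF41"
}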
|
|
|
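dscp_ephemeral_rules() {
  # Append to chain $1 the per-packet rules whose DSCP must NOT be saved to
  # the connmark (so they do not affect ingress classification). dscp_chains
  # calls this after the CONNMARK save rule for that reason.
  #
  # Globals:   IPTABLES, IP6TABLES (read); CHAIN (written, kept global so the
  #            iptmark helper below can read it)
  # Arguments: $1 - mangle-table chain to append to
  # Returns:   status of the last iptables call; individual rule failures
  #            are not checked
  CHAIN="$1"

  # Append the same rule for IPv4 and IPv6.
  iptmark() {
    "$IPTABLES" -t mangle -A "$CHAIN" "$@"
    "$IP6TABLES" -t mangle -A "$CHAIN" "$@"
  }

  ###################
  # TCP SYN,ACK flows
  ###################
  # Make sure pure ACK and SYN packets get priority, so a saturated upload
  # does not throttle our download.
  iptmark -p tcp --tcp-flags ALL ACK -m length --length :128 -j DSCP --set-dscp-class CS3
  iptmark -p tcp --tcp-flags ALL SYN -m length --length :666 -j DSCP --set-dscp-class CS3

  # A small packet is probably interactive or flow control: raise it to CS3
  # unless it already carries one of CS3(24), AF21(18), AF41(34), CS5(40)
  # or CS6(48).
  iptmark -m dscp ! --dscp 24 -m dscp ! --dscp 18 -m dscp ! --dscp 34 -m dscp ! --dscp 40 -m dscp ! --dscp 48 -m length --length 0:500 -j DSCP --set-dscp-class CS3

  # Small-packet connections (average packet up to 250 bytes): multi purpose,
  # harmless since they cannot saturate the link. Same DSCP exclusions as above.
  iptmark -m dscp ! --dscp 24 -m dscp ! --dscp 18 -m dscp ! --dscp 34 -m dscp ! --dscp 40 -m dscp ! --dscp 48 -m connbytes --connbytes 0:250 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS3
}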
|
|
|
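dscp_chains() {
  # Build the mangle-table chains that mark DSCP for QoS on egress of $IFACE.
  # See: https://forum.openwrt.org/t/ultimate-sqm-settings-layer-cake-dscp-marks/25832/698
  #
  # Globals:   IFACE, IPTABLES, IP6TABLES (read)
  # Calls:     dscp_rules and dscp_ephemeral_rules (defined earlier in this
  #            file); dscp_dynamic_rules is wired in but disabled below
  # Returns:   status of the last call; iptables failures are not checked

  # Apply one mangle-table operation to both IPv4 and IPv6.
  iptmangle() {
    "$IPTABLES" -t mangle "$@"
    "$IP6TABLES" -t mangle "$@"
  }

  # Append "POSTROUTING -o $IFACE -j $2" using the binary $1, unless that
  # family's POSTROUTING listing already references chain $2. Each family is
  # checked on its own: piping the combined v4+v6 listing through a single
  # grep skipped the v6 jump whenever only the v4 jump existed (and vice
  # versa), leaving one family unclassified.
  add_postrouting_jump() {
    if ! "$1" -t mangle -L POSTROUTING -n | grep -q -F -- "$2"; then
      "$1" -t mangle -A POSTROUTING -o "$IFACE" -j "$2"
    fi
  }

  # Create the marking chains (-N fails harmlessly when the chain already
  # exists, hence the silenced output) and flush them, so re-running this
  # script rebuilds the rule set instead of appending duplicates.
  iptmangle -N "QOS_MARK_${IFACE}" > /dev/null 2>&1
  iptmangle -F "QOS_MARK_${IFACE}"
  iptmangle -N "QOS_MARK_NEW_${IFACE}" > /dev/null 2>&1
  iptmangle -F "QOS_MARK_NEW_${IFACE}"

  ## Check whether POSTROUTING already jumps to our chains; if not, add the jumps.
  # Send unmarked connections to the marking chain.
  # Connmark layout: top 6 bits are the DSCP, 0x01000000 is the "DSCP valid" flag.
  #iptmangle -L PREROUTING -n | grep QOS_MARK_${IFACE} > /dev/null || iptmangle -A PREROUTING -i $IFACE -m connmark --mark 0x00000000/0x01000000 -j QOS_MARK_${IFACE}
  #iptmangle -L POSTROUTING -n | grep QOS_MARK_${IFACE} > /dev/null || iptmangle -A POSTROUTING -o $IFACE -m connmark --mark 0x00000000/0x01000000 -j QOS_MARK_${IFACE}

  # Every egress packet on $IFACE is sent to the marking chain, which is what
  # makes per-packet (dynamic/ephemeral) marking possible, at some CPU cost.
  add_postrouting_jump "$IPTABLES" "QOS_MARK_${IFACE}"
  add_postrouting_jump "$IP6TABLES" "QOS_MARK_${IFACE}"

  # Set the initial DSCP of new/unmarked connections: a clear 0x01000000 bit
  # means no DSCP has been saved for this connection yet.
  iptmangle -A "QOS_MARK_${IFACE}" -m connmark --mark 0x00000000/0x01000000 -j "QOS_MARK_NEW_${IFACE}"
  dscp_rules "QOS_MARK_NEW_${IFACE}"

  # Upgrade/downgrade DSCP of existing connections (disabled)
  #dscp_dynamic_rules QOS_MARK_${IFACE}

  # Save the DSCP to the connmark using savedscp; the mask sets the valid flag.
  iptmangle -A "QOS_MARK_${IFACE}" -j CONNMARK --set-dscpmark 0xfc000000/0x01000000

  # Change DSCP of egress packets without saving it to the connmark; this must
  # stay after the save rule above.
  dscp_ephemeral_rules "QOS_MARK_${IFACE}"
}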
|
|
|
# Entry point: (re)build the DSCP marking chains for $IFACE.
dscp_chains
@neilsan1366 Do you mean pulling the 5 layer cake scripts from there and using it here?