Created
September 24, 2018 10:20
-
-
Save gaoyifan/6c4457ff78184a8f5204ee5d6d58bddd to your computer and use it in GitHub Desktop.
Traffic control mark with nftables
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/sbin/nft -f | |
| chain tc-wan { | |
| # check default priority | |
| mark & 0xff0 == 0x130 ip dscp set af22 return | |
| # real-time application | |
| ## Dota2 | |
| udp dport 27000-27200 \ | |
| meta mark set mark & 0xfffff00f ^ 0x110 ip dscp set af41 return | |
| ## ICMP | |
| ip protocol icmp \ | |
| meta mark set mark & 0xfffff00f ^ 0x110 ip dscp set af41 return | |
| ## TCP low-flow | |
| meter wan-11-tcp { tcp sport . ip saddr timeout 10s limit rate 8 kbytes/second burst 16 kbytes } \ | |
| meta mark set mark & 0xfffff00f ^ 0x110 ip dscp set af42 return | |
| ## UDP low-flow | |
| meter wan-11-udp { udp sport . ip saddr timeout 10s limit rate 8 kbytes/second burst 16 kbytes } \ | |
| meta mark set mark & 0xfffff00f ^ 0x110 ip dscp set af42 return | |
| # TCP midium-flow | |
| meter wan-12 { tcp sport . ip saddr timeout 3s limit rate 64 kbytes/second burst 512 kbytes } \ | |
| meta mark set mark & 0xfffff00f ^ 0x120 ip dscp set af31 return | |
| # TCP high-flow & UDP {midium,high}-flow (default) | |
| meta mark set mark & 0xfffff00f ^ 0x130 ip dscp set af22 | |
| } | |
| chain tc-lan { | |
| # check default priority | |
| mark & 0xff0 == 0x130 ip dscp set af23 return | |
| # internal traffic | |
| ip saddr $lan_subnet \ | |
| meta mark set mark & 0xfffff00f ^ 0x200 ip dscp set af21 return | |
| # real-time application | |
| ## Dota2 | |
| udp sport 27000-27200 \ | |
| meta mark set mark & 0xfffff00f ^ 0x110 ip dscp set af41 return | |
| ## ICMP | |
| ip protocol icmp \ | |
| meta mark set mark & 0xfffff00f ^ 0x110 ip dscp set af41 return | |
| ## TCP low-flow | |
| mark & 0xff0 != 0x120 \ | |
| meter lan-11-tcp { tcp dport . ip daddr timeout 10s limit rate 16 kbytes/second burst 32 kbytes } \ | |
| meta mark set mark & 0xfffff00f ^ 0x110 ip dscp set af42 return | |
| ## UDP low-flow | |
| mark & 0xff0 != 0x120 \ | |
| meter lan-11-udp { udp dport . ip daddr timeout 10s limit rate 16 kbytes/second burst 32 kbytes } \ | |
| meta mark set mark & 0xfffff00f ^ 0x110 ip dscp set af42 return | |
| # TCP midium-flow | |
| meter lan-12 { tcp dport . ip daddr timeout 3s limit rate 512 kbytes/second burst 2 mbytes } \ | |
| meta mark set mark & 0xfffff00f ^ 0x120 ip dscp set af31 return | |
| # TCP high-flow & UDP {midium,high}-flow (default) | |
| meta mark set mark & 0xfffff00f ^ 0x130 ip dscp set af23 | |
| } |
I believe nftables has a fundamental limitation when it comes to traffic shaping, specifically the lack of a queueing mechanism, like RED. While nftables can handle basic rate limiting, it falls short when it comes to advanced limitations. In my opinion, using tc for rate limiting is both more clear and more powerful than relying on nftables.
However, I still encourage you to learn nftables, as it can work in conjunction with tc to tackle more complex scenarios.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thanks for the response. I guess I'll have to make do what the nftables wiki documentation has provided. What I'm struggling to do right now is implement the ingress rate limit in the
laninterface. It can be done usingtc filterandifbinterface but as much as possible I'd like to use nftables implementation for future-proofing.