├── RFC 8325 - WiFi QoS Mappings.png
├── RFC 8325 - Mapping Diffserv to IEEE 802.11.png
├── RFC 7561 - Mapping Quality of Service (QoS) Procedures of Proxy Mobile IPv6 (PMIPv6) and WLAN.png
├── README.md
└── cake.sh

/RFC 8325 - WiFi QoS Mappings.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Last-times/CAKE-QoS-Script-OpenWrt/HEAD/RFC 8325 - WiFi QoS Mappings.png
--------------------------------------------------------------------------------

/RFC 8325 - Mapping Diffserv to IEEE 802.11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Last-times/CAKE-QoS-Script-OpenWrt/HEAD/RFC 8325 - Mapping Diffserv to IEEE 802.11.png
--------------------------------------------------------------------------------

/RFC 7561 - Mapping Quality of Service (QoS) Procedures of Proxy Mobile IPv6 (PMIPv6) and WLAN.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Last-times/CAKE-QoS-Script-OpenWrt/HEAD/RFC 7561 - Mapping Quality of Service (QoS) Procedures of Proxy Mobile IPv6 (PMIPv6) and WLAN.png
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# CAKE QoS Script (OpenWrt)

This is a script I made months ago (for self-learning), and only now have I had time to share it.

## Quick Overview
1. The script launches the CAKE qdisc (like SQM would do), and **you do not need SQM at all**.
2. The script uses the **veth method** on the ingress side to make the **DSCP marking** work and fix this problem:

> With **dual-dsthost** enabled, a single host with many TCP sessions (like when torrenting) is prevented from hogging all the bandwidth, **but if you are actually using that host**, the torrent will still hog that host's bandwidth. To fix that problem you need **QoS** using **DSCP marking**, so that the torrent traffic and other such hogs go into the "**bulk class**"; then that host will see a **big improvement** in all other traffic types.

3. It has rules to prioritize **non-bulk** *unmarked traffic* like **gaming** and **VoIP**, which means you don't need to add **game ports**; but if you want, you can also add **game ports** and the static IP of **game consoles** to prioritize that traffic (although it is not necessary).
4. It has rules to give high priority to known **Video conferencing**, **VoIP** and **VoWiFi** ports.
5. Easily change the **default OpenWrt settings** like `default qdisc`, `TCP congestion control` and `ECN`.
6. **`irqbalance`** and **`Packet Steering`** options to equally distribute the load of packet processing over all available cores and probably increase performance.
7. It has an **`Init Script`** so that from the LuCI web interface (**`System -> Startup`**) you can Enable, Disable, Start, Restart and Stop the script.
8. It has a **`Hotplug`** script to automatically reload the script.

## Pre-requisites
To use this script, you need to install these packages:
* tc-tiny
* kmod-sched-cake
* kmod-veth
* kmod-tcp-bbr
* irqbalance
* htop (Optional)

Copy and paste this into your SSH client:
```
opkg update && opkg install tc-tiny kmod-sched-cake kmod-veth kmod-tcp-bbr irqbalance
```

## Install
Copy and paste this into your SSH client:
```
rm /root/cake.sh; rm /etc/init.d/cake; rm /etc/hotplug.d/iface/99-cake; rm /etc/nftables.d/*-rules.nft; wget -O /root/cake.sh "https://raw.githubusercontent.com/Last-times/CAKE-QoS-Script-OpenWrt/main/cake.sh"; chmod 755 /root/cake.sh
```
The **`cake.sh`** script is located in the **`/root/`** folder on the router and you have to edit this:
1. Change the **CAKE settings** according to your connection type and also change the other settings (like rules, ports, IP address, irqbalance, etc.).
2. You can delete the **ports** and **IP address** from the script, because they are just examples.
3. Once you've finished editing the script, use this command to run the script:
```
./cake.sh
```

Or download the script to edit it with **Notepad**, then place the edited script into the **`/root/`** folder on the router, change the permissions of the script with the command **`chmod 755 /root/cake.sh`** and run the script with the command above, **`./cake.sh`**.
* **GitHub**: [Download the script](https://github.com/Last-times/CAKE-QoS-Script-OpenWrt/archive/refs/heads/main.zip)

## CLI
Command to run the script:
```
./cake.sh
```

Other important commands:
```
# To check if the DSCP marking is working
tc -s qdisc


# To check your CAKE settings
tc qdisc | grep cake


# To check the veth devices
ip link show


# To check the nftables rules
nft list ruleset


# To check if the default OpenWrt settings were changed
sysctl net.core.default_qdisc
sysctl net.ipv4.tcp_congestion_control
sysctl net.ipv4.tcp_ecn


# To check if irqbalance or packet steering are enabled or disabled
uci show irqbalance.irqbalance.enabled
uci show network.globals.packet_steering
```

## Tip
* Don't use **`Software flow offloading`**, it will break the **rules** and **CAKE**.
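The `tc -s qdisc` check above only prints raw counters. The helper below is an added example (not part of this project's `cake.sh`) that parses that output to confirm packets are actually landing in CAKE's diffserv tins and to flag the ingress options the script's own comments say to avoid on the veth0 instance (`nat`, `wash`, `ack-filter`). The function names are mine, and the embedded tc output lines are constructed samples laid out the way `tc -s qdisc show dev veth0` prints a diffserv4 cake qdisc.

```sh
#!/bin/sh
# Added example, not part of cake.sh: parse "tc -s qdisc show dev veth0" output
# to verify that DSCP marking is steering packets into CAKE's diffserv tins and
# to flag ingress options this script's comments warn against.
# On the router you would call: check_ingress_opts "$(tc -s qdisc show dev veth0)"

# Constructed sample of a healthy diffserv4 ingress qdisc (abridged tin table).
SAMPLE_TC_OUTPUT='qdisc cake 8001: root refcnt 2 bandwidth 340Mbit diffserv4 dual-dsthost nonat nowash ingress no-ack-filter split-gso rtt 100ms noatm overhead 48
 Sent 5120000 bytes 4200 pkt (dropped 3, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
                   Bulk  Best Effort        Video        Voice
  thresh       21250Kbit      340Mbit      170Mbit       85Mbit
  pkts               1500         2100          450          150
  bytes           2048000      2560000       409600       102400
  drops                 3            0            0            0'

# Constructed sample where nothing was marked: every packet sits in Best Effort.
UNMARKED_TC_OUTPUT='qdisc cake 8001: root refcnt 2 bandwidth 340Mbit diffserv4 dual-dsthost nonat nowash ingress no-ack-filter rtt 100ms
                   Bulk  Best Effort        Video        Voice
  pkts                  0         4200            0            0'

# Constructed sample of a misconfigured ingress instance (nat, wash, ack-filter).
BAD_TC_OUTPUT='qdisc cake 8002: root refcnt 2 bandwidth 340Mbit diffserv4 dual-dsthost nat wash ingress ack-filter rtt 100ms'

# Print one "<tin>=<packets>" line per tin ("Best Effort" becomes "Best_Effort").
# Works for diffserv3/diffserv4/diffserv8, which all label the tins by name.
cake_tin_pkts() {
    printf '%s\n' "$1" | awk '
        /Best Effort/ {
            # Tin names may contain a space, so split the header on runs of 2+ spaces.
            n = split($0, names, /  +/)
            ntins = 0
            for (i = 1; i <= n; i++) {
                if (names[i] == "") continue
                gsub(/ /, "_", names[i])
                tins[++ntins] = names[i]
            }
        }
        $1 == "pkts" && ntins > 0 {
            for (i = 1; i <= ntins; i++) printf "%s=%s\n", tins[i], $(i + 1)
        }'
}

# Packet count for one tin, e.g. tin_pkts "$OUT" Voice
tin_pkts() {
    cake_tin_pkts "$1" | awk -F= -v t="$2" '$1 == t { print $2 }'
}

# Succeeds (exit 0) when at least one tin other than Best Effort has carried
# packets, i.e. the DSCP rules are actually classifying traffic.
dscp_marking_active() {
    cake_tin_pkts "$1" | awk -F= '$1 != "Best_Effort" && $2 > 0 { hit = 1 } END { if (hit) exit 0; exit 1 }'
}

# Inspect the option list on the first line of the ingress (veth0) qdisc and
# print a WARN line for each setting the script's comments say to avoid there.
check_ingress_opts() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        for (i = 1; i <= NF; i++) seen[$i] = 1
        if ("nat" in seen)        print "WARN: nat on ingress breaks host isolation with the veth method"
        if ("wash" in seen)       print "WARN: wash on ingress clears the DSCP marks the rules just set"
        if ("ack-filter" in seen) print "WARN: ack-filter only makes sense on egress"
        if (!("dual-dsthost" in seen)) print "WARN: dual-dsthost missing, per-host fairness is off"
        if (!("ingress" in seen)) print "INFO: ingress mode is off"
    }'
}

# Number of WARN lines for a given tc output (0 means the ingress options look sane).
ingress_warning_count() {
    check_ingress_opts "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

# Demonstration on the constructed samples.
cake_tin_pkts "$SAMPLE_TC_OUTPUT"
if dscp_marking_active "$SAMPLE_TC_OUTPUT"; then echo "DSCP marking: active"; else echo "DSCP marking: NOT active"; fi
check_ingress_opts "$BAD_TC_OUTPUT"
```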

## Uninstall/Remove
Copy and paste this into your SSH client:
```
/etc/init.d/cake stop; rm /root/cake.sh; rm /etc/init.d/cake; rm /etc/hotplug.d/iface/99-cake; rm /etc/nftables.d/*-rules.nft; sed -i "/default_qdisc/d; /tcp_congestion_control/d; /tcp_ecn/d" /etc/sysctl.conf; uci set dhcp.odhcpd.loglevel="4"; uci set irqbalance.irqbalance.enabled="0"; uci del network.globals.packet_steering; uci commit && reload_config
```

## DSCP Information
* [Differentiated Services Field Codepoints (DSCP)](https://www.iana.org/assignments/dscp-registry/dscp-registry.xhtml#dscp-registry-2)
* [RFC 8325 - Mapping Diffserv to IEEE 802.11](https://datatracker.ietf.org/doc/html/rfc8325#section-4)
* [RFC 8325 - WiFi QoS Mappings](https://mrncciew.com/2021/09/14/rfc-8325-wifi-qos-mappings/)
* [RFC 7561 - Mapping Quality of Service (QoS) Procedures of Proxy Mobile IPv6 (PMIPv6) and WLAN](https://datatracker.ietf.org/doc/html/rfc7561#section-4.2)

![RFC 8325 - Mapping Diffserv to IEEE 802.11](https://raw.githubusercontent.com/Last-times/CAKE-QoS-Script-OpenWrt/main/RFC%208325%20-%20Mapping%20Diffserv%20to%20IEEE%20802.11.png)

![RFC 8325 - WiFi QoS Mappings](https://raw.githubusercontent.com/Last-times/CAKE-QoS-Script-OpenWrt/main/RFC%208325%20-%20WiFi%20QoS%20Mappings.png)

![RFC 7561 - Mapping Quality of Service (QoS) Procedures of Proxy Mobile IPv6 (PMIPv6) and WLAN](https://raw.githubusercontent.com/Last-times/CAKE-QoS-Script-OpenWrt/main/RFC%207561%20-%20Mapping%20Quality%20of%20Service%20(QoS)%20Procedures%20of%20Proxy%20Mobile%20IPv6%20(PMIPv6)%20and%20WLAN.png)
--------------------------------------------------------------------------------

/cake.sh:
--------------------------------------------------------------------------------
#!/bin/sh
############################################################


### Interfaces ###

## Go to "Network -> Interfaces" and write the name of the "device" used for the 'WAN' interface.
WAN="wan" # Example: eth0, eth0.2, eth1, eth1.2, wan, etc.


######################################################################################################################


### CAKE settings ###

BANDWIDTH_DOWN="340" # Change this to about 80-95% of your download speed (in megabits).
BANDWIDTH_UP="50" # Change this to about 80-95% of your upload speed (in megabits).
# Do a Speed Test: https://www.speedtest.net/
# Not recommendable: Write "0" in "BANDWIDTH_DOWN" or "BANDWIDTH_UP" to use 'CAKE' with no limit on the bandwidth ('unlimited' parameter).
# Not recommendable: Don't write anything in "BANDWIDTH_DOWN" or "BANDWIDTH_UP" to disable 'shaping' on ingress or egress.

AUTORATE_INGRESS="no" # Write: "yes" | "no"
# Enable CAKE automatic rate estimation for ingress.
# For it to work you need to write your bandwidth in "BANDWIDTH_DOWN" to specify an initial estimate.
# This is most likely to be useful with "cellular links", which tend to change quality randomly.
# If you don't have a "cellular link", you should never use this option.

## Make sure you set these parameters correctly for your connection type, or don't write any value and use one of the presets or keywords below.
OVERHEAD="" # Write values between "-64" and "256"
MPU="" # Write values between "0" and "256"
LINK_COMPENSATION="" # Write: "atm" | "ptm" | "noatm"
# These values overwrite the presets or keywords below.
# Read: https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm#configuring_sqm
# Read: https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm-details#sqmlink_layer_adaptation_tab

## Only use these presets or keywords if you don't write a value above in "OVERHEAD", "MPU" and "LINK_COMPENSATION".
COMMON_LINK_PRESETS="conservative" # Write one of the keywords below:
# "raw"             Failsafe (Turns off all overhead compensation)
# "conservative"    Failsafe (overhead 48 - atm)
# "ethernet"        Ethernet (overhead 38 - mpu 84 - noatm)
# "docsis"          Cable Modem (overhead 18 - mpu 64 - noatm)
# "pppoe-ptm"       VDSL2 (overhead 30 - ptm)
# "bridged-ptm"     VDSL2 (overhead 22 - ptm)
# "pppoa-vcmux"     ADSL (overhead 10 - atm)
# "pppoa-llc"       ADSL (overhead 14 - atm)
# "pppoe-vcmux"     ADSL (overhead 32 - atm)
# "pppoe-llcsnap"   ADSL (overhead 40 - atm)
# "bridged-vcmux"   ADSL (overhead 24 - atm)
# "bridged-llcsnap" ADSL (overhead 32 - atm)
# "ipoa-vcmux"      ADSL (overhead 8 - atm)
# "ipoa-llcsnap"    ADSL (overhead 16 - atm)
# If you are unsure, then write "conservative" as a general safe value.
# These keywords have been provided to represent a number of common link technologies.
######################################################################################
# For true ATM links (ADSL), one often can measure the real per-packet overhead empirically,
# see: https://github.com/moeller0/ATM_overhead_detector for further information on how to do that.

## This keyword is not for standalone use, but acts as a modifier to some of the previous presets or keywords.
ETHER_VLAN_KEYWORD="" # Write values between "1" and "3" or don't write any value.
# In addition to those previous presets or keywords it is common to have VLAN tags (4 extra bytes) or PPPoE encapsulation (8 extra bytes).
# "1" Adds '4 bytes' to the overhead (ether-vlan)
# "2" Adds '8 bytes' to the overhead (ether-vlan ether-vlan)
# "3" Adds '12 bytes' to the overhead (ether-vlan ether-vlan ether-vlan)
# This keyword "ether-vlan" may be repeated as necessary in 'EXTRA PARAMETERS'.
# Read: https://man7.org/linux/man-pages/man8/tc-cake.8.html#OVERHEAD_COMPENSATION_PARAMETERS

PRIORITY_QUEUE_INGRESS="diffserv4" # Write: "besteffort" | "diffserv3" | "diffserv4" | "diffserv8"
PRIORITY_QUEUE_EGRESS="diffserv4" # Write: "besteffort" | "diffserv3" | "diffserv4" | "diffserv8"
# CAKE can divide traffic into tins based on the Diffserv field.
# "besteffort" only has 'one tin' or priority tier.
# "diffserv3" has '3 tins' or different priority tiers.
# "diffserv4" has '4 tins' or different priority tiers. <- Recommended
# "diffserv8" has '8 tins' or different priority tiers.

HOST_ISOLATION="yes" # Write: "yes" | "no"
# Host Isolation, i.e. 'dual-dsthost' (ingress) and 'dual-srchost' (egress), prevents a single host/client
# that has multiple connections (like when torrenting) from hogging all the bandwidth
# and provides better traffic management when multiple hosts/clients are using the internet at the same time.

NAT_INGRESS="no" # Write: "yes" | "no"
NAT_EGRESS="yes" # Write: "yes" | "no"
# Perform a NAT lookup before applying 'host isolation' rules to improve fairness between hosts "inside" the NAT.
# Don't use the "nat" parameter on 'ingress' when using the "veth method", or 'host isolation' stops working.
## Recommendation: Don't use "nat" on 'ingress' and only use "nat" on 'egress'.

WASH_INGRESS="no" # Write: "yes" | "no"
WASH_EGRESS="yes" # Write: "yes" | "no"
# "wash" only clears all DSCP marks after the traffic has been tinned.
# Don't wash incoming (ingress) DSCP marks, because that would also wash the custom DSCP marking from the script, and the script already washes the ISP marks.
# Wash outgoing (egress) DSCP marking to the ISP, because it may be mis-marked from the ISP's perspective.
## Recommendation: Don't use "wash" on ingress, so that the "Wi-Fi Multimedia (WMM) QoS" can make use of the custom DSCP marking, and just use "wash" on egress.

INGRESS_MODE="yes" # Write: "yes" | "no"
# Enabling "ingress mode" ('ingress' parameter) will tune the AQM to always keep at least two packets queued *for each flow*.
# Basically it will drop and/or delay packets in such a way that the rate of packets leaving the shaper is smaller than or equal to the configured shaper rate.
# This leads to slightly more aggressive dropping, but it also ameliorates one issue we have with post-bottleneck shaping,
# namely the inherent dependency of the required bandwidth "sacrifice" on the expected number of concurrent bulk flows.
# Thus, being more lenient and keeping a minimum number of packets queued will improve throughput in cases
# where the number of active flows is so large that they saturate the bottleneck even at their minimum window size.

ACK_FILTER_EGRESS="auto" # Write: "yes" | "no" | "auto"
# Write "auto" or don't write anything, so that the script decides whether to use this parameter, depending on the bandwidth you wrote in "BANDWIDTH_DOWN" and "BANDWIDTH_UP".
# If your up/down bandwidth is at least 1x15 asymmetric, you can try the 'ack-filter' option.
# It doesn't help on your downlink, nor on symmetric links.
# 'ack-filter' only makes sense for "egress", so don't add the 'ack-filter' keyword for the "ingress" side.
# Turning it on for more symmetrical link bandwidths is not recommended; the effect is negligible at best.

## Don't write 'ms', just write the number.
RTT="" # Write values between "1" and "1000" or don't write any value to use the default value (100).
# This parameter defines the time window that your shaper will give the endpoints to react to shaping signals (drops or ECN).
# The default "100ms" is pretty decent and works for many people, assuming their packets don't always need to cross long distances.
# If you are based in Europe and access data in California I would assume 200-300ms to be a better value.
# The general trade-off is that higher RTTs cause higher bandwidth utilization at the cost of increased latency under load (or rather longer settling times).
# If your game servers are "40ms" RTT away, you should configure CAKE accordingly (this will lead to some bandwidth sacrifices for flows with a longer RTT).
# Again, setting RTT too high will increase the latency under load (aka the bufferbloat) while increasing bandwidth utilization.
# You should measure the RTT for CAKE while your network is not loaded.
# Use ping to measure the Round Trip Time (RTT) to servers you normally connect to.
# Example: ping -c 20 openwrt.org (Linux)
# Example: ping -n 20 openwrt.org (Windows)

EXTRA_PARAMETERS_INGRESS="" # Add any custom parameters separated by spaces.
EXTRA_PARAMETERS_EGRESS="" # Add any custom parameters separated by spaces.
# These will be appended to the end of the CAKE options and take priority over the options above.
# There is no validation done on these options. Use carefully!
# Look: https://man7.org/linux/man-pages/man8/tc-cake.8.html


######################################################################################################################


### Rules settings ###


## Default chain for the rules
CHAIN="FORWARD" # Write: "FORWARD" | "POSTROUTING"


## DSCP values for the rules
DSCP_ICMP="CS0" # Change the DSCP value for ICMP (aka ping) to whatever you want.
DSCP_GAMING="CS4" # You can test changing the DSCP value for games from "CS4" to "EF" or whatever you want.


## Use known rules [OPTIONAL]
BROADCAST_VIDEO="yes" # Write: "yes" | "no" (Known 'Live Streaming' ports to CS3 like YouTube Live, Twitch, Vimeo and LinkedIn Live)
GAMING="yes" # Write: "yes" | "no" (Known 'Game' ports and 'Game consoles' ports to CS4 like Xbox, PlayStation, Call of Duty, FIFA, Minecraft and Supercell Games)
GAME_STREAMING="yes" # Write: "yes" | "no" (Known 'Game Streaming' ports to AF42 like NVIDIA GeForce NOW)
MULTIMEDIA_CONFERENCING="yes" # Write: "yes" | "no" (Known 'Video conferencing' ports to AF41 like Zoom, Microsoft Teams, Skype, FaceTime, GoToMeeting, Webex Meeting, Jitsi Meet, Google Meet and TeamViewer)
TELEPHONY="yes" # Write: "yes" | "no" (Known 'VoIP' and 'VoWiFi' ports to EF)

# These 4 known port rules are optional.
# Only use these rules if you need to prioritize the "specified" traffic,
# or you can stop using these rules without problems.


############################################################


### Ports settings ###

## Don't add ports "80", "443", "8080" and "1935" below, because there are already rules for these ports.
## You can delete the ports below, because they are just examples.


## Game ports (The script already has rules to prioritize "non-bulk" unmarked traffic like gaming and VoIP, which means that adding game ports is optional)
TCP_SRC_GAME_PORTS=""
TCP_DST_GAME_PORTS=""

UDP_SRC_GAME_PORTS=""
UDP_DST_GAME_PORTS=""
## "SRC" = Source port | "DST" = Destination port
# Define a list of TCP and UDP ports used by games.
# Use a comma to separate the values or ranges A-B as shown.


## Bulk ports
TCP_SRC_BULK_PORTS="6881-6887, 51413"
TCP_DST_BULK_PORTS="6881-6887, 51413"

UDP_SRC_BULK_PORTS="6881-6887, 51413"
UDP_DST_BULK_PORTS="6881-6887, 51413"
## "SRC" = Source port | "DST" = Destination port
# Define a list of TCP and UDP ports used for 'bulk traffic' such as "BitTorrent".
# Set your "BitTorrent" client to use a known port and include it here.
# Use a comma to separate the values or ranges A-B as shown.


## Other ports [OPTIONAL]
DSCP_OTHER_PORTS="CS0" # Change this DSCP value to whatever you want.

TCP_SRC_OTHER_PORTS=""
TCP_DST_OTHER_PORTS=""

UDP_SRC_OTHER_PORTS=""
UDP_DST_OTHER_PORTS=""
## "SRC" = Source port | "DST" = Destination port
# Define a list of TCP and UDP ports to mark with whatever DSCP value you want.
# Use a comma to separate the values or ranges A-B as shown.


############################################################


### IP address settings ###

## To add static IP addresses in OpenWrt go to "Network -> DHCP and DNS -> Static Leases -> Click on 'Add'".
## You can delete the IP addresses below, because they are just examples.


## Game consoles (Static IP)
IPV4_GAME_CONSOLES_STATIC_IP="192.168.1.15, 192.168.1.20-192.168.1.25"
# Define a list of IPv4 addresses that will cover all ports (except ports 80, 443, 8080, Live Streaming and BitTorrent).
# Write a single IPv4 address or ranges of IPv4 addresses A-B and use a comma to separate them as shown.
# The IPv4 address range "192.168.1.20-192.168.1.25" will cover IPv4 addresses from '192.168.1.20' to '192.168.1.25'


IPV6_GAME_CONSOLES_STATIC_IP="IPv6::15, IPv6::20-IPv6::25"
# Write the IPv6 address or simply write "IPv6::" to automatically add the IPv6 address of your router
# and just change the number "15" (or the IP address range '20' and '25') to the last number of the static IPv4 of your console.
# To add an IPv6 address, simply change the number after the double colon "::" to the last number of your static IPv4 address.
# The last number "::15" is the static IPv4 address of '192.168.x.15'
# The IPv6 address range "::20-::25" will cover static IPv4 addresses from '192.168.x.20' to '192.168.x.25'

## TorrentBox (Static IP)
IPV4_TORRENTBOX_STATIC_IP="192.168.1.10"
# Define a list of IPv4 addresses to mark 'all traffic' as bulk.
# Write a single IPv4 address or ranges of IPv4 addresses A-B and use a comma to separate them as shown.

IPV6_TORRENTBOX_STATIC_IP="IPv6::10"
# Write the IPv6 address or simply write "IPv6::" to automatically add the IPv6 address of your router
# and just change the number "10" to the last number of the static IPv4.
# To add an IPv6 address, simply change the number after the double colon "::" to the last number of your static IPv4 address.
# The last number "::10" is the static IPv4 address of '192.168.x.10'


## Other static IP addresses [OPTIONAL]
DSCP_OTHER_STATIC_IP="CS0" # Change this DSCP value to whatever you want.

IPV4_OTHER_STATIC_IP=""
IPV6_OTHER_STATIC_IP=""
# Define a list of IP addresses to mark 'all traffic' with whatever DSCP value you want.
# Write a single IPv4 or IPv6 address or ranges of IP addresses A-B and use a comma to separate them as shown.


######################################################################################################################


### Change default OpenWrt settings ###

DEFAULT_QDISC="fq_codel" # Write: "fq_codel" | "cake"
# "fq_codel" Great all-around qdisc. (Default in OpenWrt)
# "cake" Great for WAN links, but computationally expensive with little advantage over 'fq_codel' for LAN links.


TCP_CONGESTION_CONTROL="cubic" # Write: "cubic" | "bbr"
# "cubic" The default algorithm for most Linux platforms. (Default in OpenWrt)
# "bbr" The algorithm that was developed by Google and has since been used on YouTube; maybe this can improve network response.


ECN="2" # Write values between "0" and "2"
# "0" Disable ECN. Neither initiate nor accept ECN.
# "1" Enable ECN when requested by incoming connections and also request ECN on outgoing connection attempts.
# "2" Enable ECN when requested by incoming connections, but do not request ECN on outgoing connections. (Default in OpenWrt)
# Read: https://www.bufferbloat.net/projects/cerowrt/wiki/Enable_ECN/


############################################################


### irqbalance and Packet Steering ###

IRQBALANCE="no" # Write: "yes" | "no"
## If you enable or disable it, you need to "reboot" the router for it to take effect.
# Helps balance the CPU load generated by interrupts across all of a system's CPUs and probably increases performance.
# The purpose of irqbalance is to distribute hardware interrupts across processors/cores on a multiprocessor/multicore system in order to increase performance.


PACKET_STEERING="no" # Write: "yes" | "no"
## If you enable or disable it, you need to "reboot" the router for it to take effect.
# Enable packet steering across all CPUs. May help or hinder network speed.
# It's another (further) approach to trying to equally distribute the load of (network) packet processing over all available cores.
# In theory this should also 'always' help; in practice it can be worse on some devices.
# It enables some kind of steering that seems different from what irqbalance does. I'm guessing it sets some of the manual IRQ or TX/RX IRQ assignments.

# Enabling packet steering can go either way: it may improve your throughput or it can worsen your results.
# This is hardware (and to some extent protocol, as in PPPoE vs DHCP vs whatever) dependent, so you need to
# test both and compare your speedtests (and CPU load, keep "htop" open over SSH) for both configuration settings.


######################################################################################################################

######################### ######################### ######################### #########################
### DO NOT EDIT BELOW ### ### DO NOT EDIT BELOW ### ### DO NOT EDIT BELOW ### ### DO NOT EDIT BELOW ###
### DO NOT EDIT BELOW ### ### DO NOT EDIT BELOW ### ### DO NOT EDIT BELOW ### ### DO NOT EDIT BELOW ###
######################### ######################### ######################### #########################

######################################################################################################################

### Veth method ###

## Suppress warnings about missing public prefix
uci -q get dhcp.odhcpd.loglevel | grep "3" > /dev/null 2>&1 || {
    uci set dhcp.odhcpd.loglevel="3"
    uci commit && reload_config
}

## Add veth devices
ip link show veth0 > /dev/null 2>&1 || {
    ip link add type veth
    sleep 10
}
ip link set veth0 up
ip link set veth1 up
ip link set veth1 promisc on
ip link set veth1 master br-lan
ip rule del priority 100 > /dev/null 2>&1
ip route del table 100 > /dev/null 2>&1
ip route add default dev veth0 table 100
ip rule add iif "$WAN" priority 100 table 100
ip -6 rule del priority 100 > /dev/null 2>&1
ip -6 route del table 100 > /dev/null 2>&1
ip -6 route add default dev veth0 table 100
ip -6 rule add iif "$WAN" priority 100 table 100

############################################################

### Change default OpenWrt settings ###

## Default qdisc
case $DEFAULT_QDISC in
    fq) DEFAULT_QDISC="fq" ;;
    fq_codel) DEFAULT_QDISC="fq_codel" ;;
    cake) DEFAULT_QDISC="cake" ;;
    *) DEFAULT_QDISC="fq_codel" ;;
esac

## TCP congestion control
case $TCP_CONGESTION_CONTROL in
    reno) TCP_CONGESTION_CONTROL="reno" ;;
    cubic) TCP_CONGESTION_CONTROL="cubic" ;;
    bbr) TCP_CONGESTION_CONTROL="bbr" ;;
    hybla) TCP_CONGESTION_CONTROL="hybla" ;;
    scalable) TCP_CONGESTION_CONTROL="scalable" ;;
    *) TCP_CONGESTION_CONTROL="cubic" ;;
esac

## ECN
case $ECN in
    0) ECN="0" ;;
    1) ECN="1" ;;
    2) ECN="2" ;;
    *) ECN="2" ;;
esac

## Add the settings in "sysctl.conf"
grep "tcp_ecn" /etc/sysctl.conf > /dev/null 2>&1 || sed -i "/#/a net.ipv4.tcp_ecn=$ECN" /etc/sysctl.conf > /dev/null 2>&1
grep "tcp_congestion_control" /etc/sysctl.conf > /dev/null 2>&1 || sed -i "/#/a net.ipv4.tcp_congestion_control=$TCP_CONGESTION_CONTROL" /etc/sysctl.conf > /dev/null 2>&1
grep "default_qdisc" /etc/sysctl.conf > /dev/null 2>&1 || sed -i "/#/a net.core.default_qdisc=$DEFAULT_QDISC" /etc/sysctl.conf > /dev/null 2>&1

## Change the values
grep "default_qdisc" /etc/sysctl.conf | grep "$DEFAULT_QDISC" > /dev/null 2>&1 || sed -i "/default_qdisc/s/=.*/=$DEFAULT_QDISC/" /etc/sysctl.conf > /dev/null 2>&1
grep "tcp_congestion_control" /etc/sysctl.conf | grep "$TCP_CONGESTION_CONTROL" > /dev/null 2>&1 || sed -i "/tcp_congestion_control/s/=.*/=$TCP_CONGESTION_CONTROL/" /etc/sysctl.conf > /dev/null 2>&1
grep "tcp_ecn" /etc/sysctl.conf | grep "$ECN" > /dev/null 2>&1 || sed -i "/tcp_ecn/s/=.*/=$ECN/" /etc/sysctl.conf > /dev/null 2>&1

## Set the values
sysctl -n net.core.default_qdisc | grep "$DEFAULT_QDISC" > /dev/null 2>&1 || sysctl -p > /dev/null 2>&1
sysctl -n net.ipv4.tcp_congestion_control | grep "$TCP_CONGESTION_CONTROL" > /dev/null 2>&1 || sysctl -p > /dev/null 2>&1
sysctl -n net.ipv4.tcp_ecn | grep "$ECN" > /dev/null 2>&1 || sysctl -p > /dev/null 2>&1

############################################################

### irqbalance and Packet Steering ###

## To check if "irqbalance" is installed
CHECK_IRQBALANCE="$(opkg list-installed | grep "irqbalance" | sed 's/ .*//')"

## irqbalance
if [ "irqbalance" = "$CHECK_IRQBALANCE" ] && [ "$IRQBALANCE" = "yes" ]; then
    # Enable
    uci -q get irqbalance.irqbalance.enabled | grep "1" > /dev/null 2>&1 || {
        uci -q set irqbalance.irqbalance.enabled="1"
        uci commit && reload_config
    }
elif [ "irqbalance" = "$CHECK_IRQBALANCE" ] && [ "$IRQBALANCE" != "yes" ]; then
    # Disable
    uci -q get irqbalance.irqbalance.enabled | grep "0" > /dev/null 2>&1 || {
        uci -q set irqbalance.irqbalance.enabled="0"
        uci commit && reload_config
    }
fi

## Packet Steering
if [ "$PACKET_STEERING" = "yes" ]; then
    # Enable
    uci -q get network.globals.packet_steering | grep "1" > /dev/null 2>&1 || {
        uci set network.globals.packet_steering="1"
        uci commit && reload_config
    }
elif [ "$PACKET_STEERING" != "yes" ]; then
    # Disable
    uci -q get network.globals.packet_steering > /dev/null 2>&1 && {
        uci del network.globals.packet_steering
        uci commit && reload_config
    }
fi

############################################################

### CAKE settings ###

## SHAPER parameters
case $BANDWIDTH_DOWN in
    "") BANDWIDTH_DOWN_CAKE="" ;;
    *) BANDWIDTH_DOWN_CAKE="bandwidth ${BANDWIDTH_DOWN}mbit" ;;
esac
case $BANDWIDTH_UP in
    "") BANDWIDTH_UP_CAKE="" ;;
    *) BANDWIDTH_UP_CAKE="bandwidth ${BANDWIDTH_UP}mbit" ;;
esac
if [ "$AUTORATE_INGRESS" = "yes" ] && [ "$BANDWIDTH_DOWN" != "0" ] && [ "$BANDWIDTH_DOWN" != "" ]; then
    AUTORATE_INGRESS_CAKE="autorate-ingress"
fi

## OVERHEAD, MPU and LINK COMPENSATION parameters
case $OVERHEAD in
    "") OVERHEAD="" ;;
    *) OVERHEAD="overhead $OVERHEAD" ;;
esac
case $MPU in
    "") MPU="" ;;
    *) MPU="mpu $MPU" ;;
esac
# Anything that is not a valid keyword is dropped rather than handed to tc
case $LINK_COMPENSATION in
    atm|ptm|noatm) ;;
    *) LINK_COMPENSATION="" ;;
esac

## COMMON LINK PRESETS keywords
case $COMMON_LINK_PRESETS in
    raw|conservative|ethernet|docsis|pppoe-ptm|bridged-ptm|pppoa-vcmux|pppoa-llc|pppoe-vcmux|pppoe-llcsnap|bridged-vcmux|bridged-llcsnap|ipoa-vcmux|ipoa-llcsnap) ;;
    *) COMMON_LINK_PRESETS="" ;;
esac
# "ether-vlan" may be repeated, once per VLAN tag (4 bytes each)
case $ETHER_VLAN_KEYWORD in
    1) ETHER_VLAN_KEYWORD="ether-vlan" ;;
    2) ETHER_VLAN_KEYWORD="ether-vlan ether-vlan" ;;
    3) ETHER_VLAN_KEYWORD="ether-vlan ether-vlan ether-vlan" ;;
    *) ETHER_VLAN_KEYWORD="" ;;
esac

## PRIORITY QUEUE parameters
case $PRIORITY_QUEUE_INGRESS in
    besteffort|diffserv3|diffserv4|diffserv8) ;;
    *) PRIORITY_QUEUE_INGRESS="" ;;
esac
case $PRIORITY_QUEUE_EGRESS in
    besteffort|diffserv3|diffserv4|diffserv8) ;;
    *) PRIORITY_QUEUE_EGRESS="" ;;
esac

## HOST ISOLATION parameters
if [ "$HOST_ISOLATION" = "yes" ]; then
    HOST_ISOLATION_INGRESS="dual-dsthost"
    HOST_ISOLATION_EGRESS="dual-srchost"
else
    HOST_ISOLATION_INGRESS=""
    HOST_ISOLATION_EGRESS=""
fi

## NAT parameters
case $NAT_INGRESS in
    yes) NAT_INGRESS="nat" ;;
    no) NAT_INGRESS="nonat" ;;
    *) NAT_INGRESS="" ;;
esac
case $NAT_EGRESS in
    yes) NAT_EGRESS="nat" ;;
    no) NAT_EGRESS="nonat" ;;
    *) NAT_EGRESS="" ;;
esac

## WASH parameters
case $WASH_INGRESS in
    yes) WASH_INGRESS="wash" ;;
    no) WASH_INGRESS="nowash" ;;
    *) WASH_INGRESS="" ;;
esac
case $WASH_EGRESS in
    yes) WASH_EGRESS="wash" ;;
    no) WASH_EGRESS="nowash" ;;
    *) WASH_EGRESS="" ;;
esac

## INGRESS parameter
case $INGRESS_MODE in
    yes) INGRESS_MODE="ingress" ;;
    *) INGRESS_MODE="" ;;
esac

## ACK-FILTER parameters (AUTO)
# Automatically use the "ack-filter" parameter when the down/up ratio is above 14:1 (e.g. 300/20).
# Empty bandwidths count as 0 so awk never sees a syntax error and the test below never sees an empty value.
FORMULA="$(awk "BEGIN { a = ${BANDWIDTH_DOWN:-0}; b = ${BANDWIDTH_UP:-0} * 14; print (a > b) }")"
if [ "${FORMULA:-0}" -eq 1 ]; then
    case $ACK_FILTER_EGRESS in
        yes|no) ;;
        *) ACK_FILTER_EGRESS="yes" ;;
    esac
fi

## ACK-FILTER parameters
case $ACK_FILTER_EGRESS in
    yes) ACK_FILTER_EGRESS="ack-filter" ;;
    no) ACK_FILTER_EGRESS="no-ack-filter" ;;
    *) ACK_FILTER_EGRESS="" ;;
esac

## RTT parameter
case $RTT in
    "") RTT="" ;;
    *) RTT="rtt ${RTT}ms" ;;
esac

############################################################

## Delete the old qdiscs created by the script
tc qdisc del dev veth0 root > /dev/null 2>&1
tc qdisc del dev $WAN root > /dev/null 2>&1

############################################################

### CAKE qdiscs ###

## Inbound / Ingress (shaped on veth0 so that the DSCP marks set by the nft rules are visible to CAKE)
if [ "$BANDWIDTH_DOWN" != "" ]; then
    tc qdisc add dev veth0 root cake $BANDWIDTH_DOWN_CAKE $AUTORATE_INGRESS_CAKE $PRIORITY_QUEUE_INGRESS $HOST_ISOLATION_INGRESS $NAT_INGRESS $WASH_INGRESS $INGRESS_MODE $RTT $COMMON_LINK_PRESETS $ETHER_VLAN_KEYWORD $LINK_COMPENSATION $OVERHEAD $MPU $EXTRA_PARAMETERS_INGRESS
fi

## Outbound / Egress
if [ "$BANDWIDTH_UP" != "" ]; then
    tc qdisc add dev $WAN root cake $BANDWIDTH_UP_CAKE $PRIORITY_QUEUE_EGRESS $HOST_ISOLATION_EGRESS $NAT_EGRESS $WASH_EGRESS $ACK_FILTER_EGRESS $RTT $COMMON_LINK_PRESETS $ETHER_VLAN_KEYWORD $LINK_COMPENSATION $OVERHEAD $MPU $EXTRA_PARAMETERS_EGRESS
fi

######################################################################################################################

### Init Script ###

## Check if the file does not exist (the init script is only written once: delete /etc/init.d/cake to pick up changes made here)
if [ ! -f "/etc/init.d/cake" ]; then
cat << "INITSCRIPT" > /etc/init.d/cake
#!/bin/sh /etc/rc.common

USE_PROCD=1

START=99
STOP=99

service_triggers() {
    procd_add_reload_trigger "network"
}

start_service() {
    /etc/init.d/cake enabled || exit 0
    echo start
    procd_open_instance
    procd_set_param command /bin/sh "/root/cake.sh"
    procd_set_param stdout 1
    procd_set_param stderr 1
    procd_close_instance
}

restart() {
    /etc/init.d/cake enabled || exit 0
    echo restart
    /root/cake.sh
}

stop_service() {
    echo stop
    ############################################################

    ### Interface ###
    # Read the WAN device name back out of the settings line of cake.sh
    WAN="$(sed '/WAN=/!d; /sed/d; s/WAN="//; s/".*//' /root/cake.sh)"

    ############################################################

    ## Delete the old qdiscs created by the script
    tc qdisc del dev veth0 root > /dev/null 2>&1
    tc qdisc del dev $WAN root > /dev/null 2>&1

    ############################################################

    ## Delete veth devices
    ip link show veth0 > /dev/null 2>&1 && {
        ip link set veth1 nomaster
        ip link set veth1 promisc off
        ip link set veth1 down
        ip link set veth0 down
        ip link del veth0
        ip rule del priority 100 > /dev/null 2>&1
        ip -6 rule del priority 100 > /dev/null 2>&1
    }

    ############################################################

    ## Restore default OpenWrt settings
    sysctl -w net.core.default_qdisc=fq_codel > /dev/null 2>&1
    sysctl -w net.ipv4.tcp_congestion_control=cubic > /dev/null 2>&1
    sysctl -w net.ipv4.tcp_ecn=2 > /dev/null 2>&1

    ############################################################

    ## Flush all rules from the chains
    nft flush chain inet fw4 dscp_marking_ports_ipv4 > /dev/null 2>&1
    nft flush chain inet fw4 dscp_marking_ports_ipv6 > /dev/null 2>&1
    nft flush chain inet fw4 dscp_marking_ip_addresses_ipv4 > /dev/null 2>&1
    nft flush chain inet fw4 dscp_marking_ip_addresses_ipv6 > /dev/null 2>&1

    ## Delete the wash and jump rules from the base chains
    # Look each handle up inside its own chain: the same comment text exists in both
    # pre_mangle_forward and pre_mangle_postrouting, so a ruleset-wide grep returns two
    # handles, "nft delete rule" rejects the argument and the chains can never be deleted
    for RULE in "Wash all ISP DSCP marks to CS1 (IPv4)" "Wash all ISP DSCP marks to CS1 (IPv6)" \
        "DSCP marking rules for ports (IPv4)" "DSCP marking rules for ports (IPv6)" \
        "DSCP marking rules for IP addresses (IPv4)" "DSCP marking rules for IP addresses (IPv6)"; do
        for BASE_CHAIN in pre_mangle_forward pre_mangle_postrouting; do
            HANDLE="$(nft -a list chain inet fw4 $BASE_CHAIN 2> /dev/null | grep -F "$RULE" | sed 's/.* //')"
            [ -n "$HANDLE" ] && nft delete rule inet fw4 $BASE_CHAIN handle "$HANDLE" > /dev/null 2>&1
        done
    done

    ## Delete the chains (a chain can only be deleted once it is empty and nothing jumps to it)
    nft delete chain inet fw4 pre_mangle_forward > /dev/null 2>&1
    nft delete chain inet fw4 pre_mangle_postrouting > /dev/null 2>&1
    nft delete chain inet fw4 dscp_marking_ports_ipv4 > /dev/null 2>&1
    nft delete chain inet fw4 dscp_marking_ports_ipv6 > /dev/null 2>&1
    nft delete chain inet fw4 dscp_marking_ip_addresses_ipv4 > /dev/null 2>&1
    nft delete chain inet fw4 dscp_marking_ip_addresses_ipv6 > /dev/null 2>&1

    ############################################################
    exit 0
}

reload_service() {
    start
}
INITSCRIPT
chmod 755 /etc/init.d/cake > /dev/null 2>&1
/etc/init.d/cake enable > /dev/null 2>&1
fi

############################################################

### Hotplug ###

## Check if the file does not exist (written once, like the init script)
if [ ! -f "/etc/hotplug.d/iface/99-cake" ]; then
cat << "HOTPLUG" > /etc/hotplug.d/iface/99-cake
#!/bin/sh

[ "$ACTION" = ifup ] || exit 0
[ "$INTERFACE" = wan ] || [ "$INTERFACE" = lan ] || exit 0

# Ensure that the script is executable by Owner
if [ ! -x "/root/cake.sh" ] || [ ! -x "/etc/init.d/cake" ]; then
    chmod 755 /root/cake.sh
    chmod 755 /etc/init.d/cake
fi

# Check if the init script is enabled to reload the script
/etc/init.d/cake enabled || exit 0

# Reloading the script (the delay gives the interface time to settle; hotplug handlers run in sequence, so later handlers wait as well)
logger -t cake "Reloading cake.sh due to $ACTION of $INTERFACE ($DEVICE)"
sleep 10 && /etc/init.d/cake restart
HOTPLUG
fi

######################################################################################################################
echo "############################################################"
echo " NOBODY ELSE CAN SAVE YOU"
echo " TRUST JESUS TODAY!"
echo "############################################################"
echo ""
echo "As it is written: 'There is none righteous, no, not one'. Romans 3:10"
echo "For all have sinned and come short of the glory of God. Romans 3:23"
echo ""
echo "Therefore, as by one man sin entered into the world, and death by sin, so death passed onto all men, for all have sinned. Romans 5:12"
echo "For the wages of sin is death, but the gift of God is eternal life through Jesus Christ our Lord. Romans 6:23"
echo ""
echo "But God commendeth His love toward us in that, while we were yet sinners, Christ died for us. Romans 5:8"
echo "For 'whosoever shall call upon the name of the Lord shall be saved'. Romans 10:13"
echo ""
echo "Jesus said, 'I am the Way, the Truth, and the Life; no man cometh unto the Father, but by Me.' John 14:6"
echo ""
echo "Behold, I stand at the door and knock. If any man hear My voice and open the door, I will come in to him, and will sup with him, and he with Me. Revelation 3:20"
echo "That if thou shalt confess with thy mouth the Lord Jesus, and shalt believe in thine heart that God hath raised Him from the dead, thou shalt be saved. Romans 10:9"
echo ""
echo "WHAT TO PRAY"
echo "============"
echo "Dear God, I am a sinner and need forgiveness."
echo "I believe that Jesus Christ shed His 'precious blood' and died for my sin."
echo "I am willing to turn from sin."
echo "I now invite Jesus Christ to come into my heart as my personal Savior. AMEN!"
echo ""
echo "The Lord Jesus is coming for His Church!"
echo "****************************************"
echo "Do not waste your time, repent of your sins and accept Jesus Christ as your Lord and Savior and you and your family will be saved."
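# Added example, not part of cake.sh or its author's code. The CAKE settings above and the
# DSCP rules section below both splice user-editable variables, unquoted, into a command
# line ("tc qdisc add ... cake") or into the nft RULES heredoc that fw4 loads from
# /etc/nftables.d. A stray character in a port list or an address list therefore either
# loses a shaper parameter silently or breaks the load of the entire fw4 ruleset. The
# functions below validate those values before they are interpolated, build the CAKE
# keyword list from validated input, and dry-run a generated fragment with "nft -c". The
# variable names are the ones cake.sh uses; every function name here is this example's own
# assumption, and the IPv6 lists would need an address validator of their own.

```sh
# Added example, not part of cake.sh: validators for the user-editable settings
# that cake.sh splices unquoted into "tc qdisc add ... cake" and into the nft
# RULES heredoc, plus a syntax check of the generated fragment. Variable names
# are the ones cake.sh uses; the helper functions are this example's own.
set -f   # no pathname expansion while word-splitting user input

# Unsigned integer: bandwidth (mbit), mpu, rtt (ms), raw DSCP codepoint.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# CAKE accepts a negative overhead (-64..256), so allow one leading minus.
is_overhead() { n="${1#-}"; is_uint "$n" && [ "$n" -le 256 ]; }

is_port_num() { is_uint "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# One port, or an ascending range as nft spells it (6881-7000).
is_port() {
    case "$1" in
        *-*-*) return 1 ;;
        *-*) is_port_num "${1%-*}" && is_port_num "${1#*-}" && [ "${1%-*}" -lt "${1#*-}" ] ;;
        *) is_port_num "$1" ;;
    esac
}

# DSCP class as nft spells it (cs0-cs7, af11-af43, ef) or a codepoint 0-63.
# Empty passes because cake.sh substitutes its own default (cs0 or cs4).
is_dscp() {
    case "$1" in
        ''|cs[0-7]|af[1-4][1-3]|ef) return 0 ;;
        *) is_uint "$1" && [ "$1" -le 63 ] ;;
    esac
}

# Dotted quad, four octets of 0-255.
is_ipv4() {
    case "$1" in ''|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS='.'; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        is_uint "$o" && [ "$o" -le 255 ] || return 1
    done
}

# is_list VALIDATOR "a, b, c": every comma-separated item must pass VALIDATOR.
# One space after a comma is tolerated, "22; flush ruleset" is not; empty is
# accepted and left to cake.sh.
is_list() {
    case "$2" in '') return 0 ;; ,*|*,|*,,*) return 1 ;; esac
    old_ifs=$IFS; IFS=','; set -- "$1" $2; IFS=$old_ifs
    f=$1; shift
    for item in "$@"; do
        "$f" "${item# }" || return 1
    done
}

# check "VALIDATOR [ARG]" VARNAME: validate the named variable, name it on failure.
check() {
    eval "val=\$$2"
    $1 "$val" || { printf 'invalid %s: "%s"\n' "$2" "$val" >&2; return 1; }
}

# Everything cake.sh expands inside the RULES heredoc (IPv6 lists would get
# the same treatment with an address validator of their own).
validate_settings() {
    for v in TCP_SRC_GAME_PORTS TCP_DST_GAME_PORTS UDP_SRC_GAME_PORTS UDP_DST_GAME_PORTS \
             TCP_SRC_BULK_PORTS TCP_DST_BULK_PORTS UDP_SRC_BULK_PORTS UDP_DST_BULK_PORTS \
             TCP_SRC_OTHER_PORTS TCP_DST_OTHER_PORTS UDP_SRC_OTHER_PORTS UDP_DST_OTHER_PORTS; do
        check "is_list is_port" "$v" || return 1
    done
    for v in IPV4_GAME_CONSOLES_STATIC_IP IPV4_TORRENTBOX_STATIC_IP IPV4_OTHER_STATIC_IP; do
        check "is_list is_ipv4" "$v" || return 1
    done
    for v in DSCP_ICMP DSCP_GAMING DSCP_OTHER_PORTS DSCP_OTHER_STATIC_IP; do
        check is_dscp "$v" || return 1
    done
}

# Keyword list for "tc qdisc add dev $WAN root cake ...": bandwidth (mbit),
# overhead, mpu, rtt (ms), priority queue; "" omits a keyword. Fails instead
# of emitting a shaper with a silently dropped parameter.
build_cake_args() {
    out=""
    if [ -n "$1" ]; then is_uint "$1" || return 1; out="bandwidth ${1}mbit"; fi
    if [ -n "$2" ]; then is_overhead "$2" || return 1; out="$out overhead $2"; fi
    if [ -n "$3" ]; then is_uint "$3" || return 1; out="$out mpu $3"; fi
    if [ -n "$4" ]; then is_uint "$4" || return 1; out="$out rtt ${4}ms"; fi
    case "$5" in
        '') ;;
        besteffort|diffserv3|diffserv4|diffserv8) out="$out $5" ;;
        *) return 1 ;;
    esac
    printf '%s\n' "${out# }"
}

# Dry-run the fragment as fw4 would include it (one bad line in
# /etc/nftables.d takes the whole firewall down at reload); 2 = no nft here.
nft_check_fragment() {
    command -v nft > /dev/null 2>&1 || return 2
    { printf 'table inet fw4 {\n'; cat "$1"; printf '}\n'; } | nft -c -f -
}
```

# Source this before the "Rules settings" section and call "validate_settings || exit 1";
# after the RULES heredoc has been written, "nft_check_fragment /tmp/00-rules.nft || exit 1"
# refuses to install a fragment that nft would reject. "nft -c" needs root, as it
# evaluates the file against the live ruleset, which is the case on the router anyway.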
echo ""
######################################################################################################################

### Rules settings ###

## Default chain for the rules
case $CHAIN in
    FORWARD|POSTROUTING) ;;
    *) CHAIN="FORWARD" ;;
esac

## DSCP value for "ICMP" (aka ping)
case $DSCP_ICMP in
    "") DSCP_ICMP="cs0" ;;
    *) DSCP_ICMP="$(printf "%s\n" "$DSCP_ICMP" | awk '{print tolower($0)}')" ;;
esac

## DSCP value for "gaming"
case $DSCP_GAMING in
    "") DSCP_GAMING="cs4" ;;
    *) DSCP_GAMING="$(printf "%s\n" "$DSCP_GAMING" | awk '{print tolower($0)}')" ;;
esac

## DSCP value for "other ports"
case $DSCP_OTHER_PORTS in
    "") DSCP_OTHER_PORTS="cs0" ;;
    *) DSCP_OTHER_PORTS="$(printf "%s\n" "$DSCP_OTHER_PORTS" | awk '{print tolower($0)}')" ;;
esac

## DSCP value for "other static IP addresses"
case $DSCP_OTHER_STATIC_IP in
    "") DSCP_OTHER_STATIC_IP="cs0" ;;
    *) DSCP_OTHER_STATIC_IP="$(printf "%s\n" "$DSCP_OTHER_STATIC_IP" | awk '{print tolower($0)}')" ;;
esac

## Known rules (anything other than "yes" means "no")
case $BROADCAST_VIDEO in
    yes) ;;
    *) BROADCAST_VIDEO="no" ;;
esac
case $GAMING in
    yes) ;;
    *) GAMING="no" ;;
esac
case $GAME_STREAMING in
    yes) ;;
    *) GAME_STREAMING="no" ;;
esac
case $MULTIMEDIA_CONFERENCING in
    yes) ;;
    *) MULTIMEDIA_CONFERENCING="no" ;;
esac
case $TELEPHONY in
    yes) ;;
    *) TELEPHONY="no" ;;
esac

## Comments for the rules
DSCP_ICMP_COMMENT="$(printf "%s\n" "$DSCP_ICMP" | awk '{print toupper($0)}')"
DSCP_GAMING_COMMENT="$(printf "%s\n" "$DSCP_GAMING" | awk '{print toupper($0)}')"
DSCP_OTHER_PORTS_COMMENT="$(printf "%s\n" "$DSCP_OTHER_PORTS" | awk '{print toupper($0)}')"
DSCP_OTHER_STATIC_IP_COMMENT="$(printf "%s\n" "$DSCP_OTHER_STATIC_IP" | awk '{print toupper($0)}')"

## Automatically add the IPv6 address
# The first 16 characters of the ULA prefix (e.g. "fd12:3456:789a::") replace the "IPv6::" placeholder in the static IPv6 settings
IPV6_ADDRESS="$(printf "%.16s\n" "$(uci -q get network.globals.ula_prefix)")"
IPV6_GAME_CONSOLES_STATIC_IP="$(printf "%s\n" "$IPV6_GAME_CONSOLES_STATIC_IP" | sed "s/IPv6::/$IPV6_ADDRESS/g")"
IPV6_TORRENTBOX_STATIC_IP="$(printf "%s\n" "$IPV6_TORRENTBOX_STATIC_IP" | sed "s/IPv6::/$IPV6_ADDRESS/g")"
IPV6_OTHER_STATIC_IP="$(printf "%s\n" "$IPV6_OTHER_STATIC_IP" | sed "s/IPv6::/$IPV6_ADDRESS/g")"

## To check if there is a difference between the settings and the rules
# A rule line in the installed file counts as active when it is not commented out with "# ";
# a missing file leaves every CHECK_ value empty, which forces the rules to be (re)generated
if [ "$CHAIN" = "FORWARD" ]; then
    CHECK_CHAIN="$(grep "jump" /etc/nftables.d/00-rules.nft 2> /dev/null | sed '1q;d' | grep -v "# " > /dev/null 2>&1 && echo "FORWARD")"
else
    CHECK_CHAIN="$(grep "jump" /etc/nftables.d/00-rules.nft 2> /dev/null | sed '1q;d' | grep "# " > /dev/null 2>&1 && echo "POSTROUTING")"
fi
if [ "$BROADCAST_VIDEO" = "yes" ]; then
    CHECK_BROADCAST_VIDEO="$(grep "Live Streaming ports to" /etc/nftables.d/00-rules.nft 2> /dev/null | grep -v "# " > /dev/null 2>&1 && echo "yes")"
else
    CHECK_BROADCAST_VIDEO="$(grep "Live Streaming ports to" /etc/nftables.d/00-rules.nft 2> /dev/null | grep "# " > /dev/null 2>&1 && echo "no")"
fi
if [ "$GAMING" = "yes" ]; then
    CHECK_GAMING="$(grep "Known game ports" /etc/nftables.d/00-rules.nft 2> /dev/null | grep -v "# " > /dev/null 2>&1 && echo "yes")"
else
    CHECK_GAMING="$(grep "Known game ports" /etc/nftables.d/00-rules.nft 2> /dev/null | grep "# " > /dev/null 2>&1 && echo "no")"
fi
if [ "$GAME_STREAMING" = "yes" ]; then
    CHECK_GAME_STREAMING="$(grep "Known game streaming" /etc/nftables.d/00-rules.nft 2> /dev/null | grep -v "# " > /dev/null 2>&1 && echo "yes")"
else
    CHECK_GAME_STREAMING="$(grep "Known game streaming" /etc/nftables.d/00-rules.nft 2> /dev/null | grep "# " > /dev/null 2>&1 && echo "no")"
fi
if [ "$MULTIMEDIA_CONFERENCING" = "yes" ]; then
    CHECK_MULTIMEDIA_CONFERENCING="$(grep "Known video conferencing ports to" /etc/nftables.d/00-rules.nft 2> /dev/null | grep -v "# " > /dev/null 2>&1 && echo "yes")"
else
    CHECK_MULTIMEDIA_CONFERENCING="$(grep "Known video conferencing ports to" /etc/nftables.d/00-rules.nft 2> /dev/null | grep "# " > /dev/null 2>&1 && echo "no")"
fi
if [ "$TELEPHONY" = "yes" ]; then
    CHECK_TELEPHONY="$(grep "Known VoIP and VoWiFi ports to" /etc/nftables.d/00-rules.nft 2> /dev/null | grep -v "# " > /dev/null 2>&1 && echo "yes")"
else
    CHECK_TELEPHONY="$(grep "Known VoIP and VoWiFi ports to" /etc/nftables.d/00-rules.nft 2> /dev/null | grep "# " > /dev/null 2>&1 && echo "no")"
fi
# The values are read back out of the rule comments and set bodies, so the comment texts below must stay in sync with these patterns
CHECK_DSCP_ICMP="$(sed '/ICMP (aka ping) to/!d; s/.*set //; s/ comment.*//' /etc/nftables.d/00-rules.nft 2> /dev/null)"
CHECK_DSCP_GAMING="$(sed '/Game ports to/!d; s/.*set //; s/ comment.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '1q;d')"
CHECK_TCP_SRC_GAME_PORTS="$(sed '/Game ports to/!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '1q;d')"
CHECK_TCP_DST_GAME_PORTS="$(sed '/Game ports to/!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '2q;d')"
CHECK_UDP_SRC_GAME_PORTS="$(sed '/Game ports to/!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '3q;d')"
CHECK_UDP_DST_GAME_PORTS="$(sed '/Game ports to/!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '4q;d')"
CHECK_TCP_SRC_BULK_PORTS="$(sed '/Bulk ports to/!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '1q;d')"
CHECK_TCP_DST_BULK_PORTS="$(sed '/Bulk ports to/!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '2q;d')"
CHECK_UDP_SRC_BULK_PORTS="$(sed '/Bulk ports to/!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '3q;d')"
CHECK_UDP_DST_BULK_PORTS="$(sed '/Bulk ports to/!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '4q;d')"
CHECK_DSCP_OTHER_PORTS="$(sed '/Other ports to/!d; s/.*set //; s/ comment.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '1q;d')"
CHECK_TCP_SRC_OTHER_PORTS="$(sed '/Other ports to/!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '1q;d')"
CHECK_TCP_DST_OTHER_PORTS="$(sed '/Other ports to/!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '2q;d')"
CHECK_UDP_SRC_OTHER_PORTS="$(sed '/Other ports to/!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '3q;d')"
CHECK_UDP_DST_OTHER_PORTS="$(sed '/Other ports to/!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '4q;d')"
CHECK_IPV4_GAME_CONSOLES_STATIC_IP="$(sed '/Game consoles to /!d; s/.*daddr { //; s/ } meta.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '1q;d')"
CHECK_IPV6_GAME_CONSOLES_STATIC_IP="$(sed '/Game consoles to /!d; s/.*daddr { //; s/ } meta.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '3q;d')"
CHECK_IPV4_TORRENTBOX_STATIC_IP="$(sed '/TorrentBox to /!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '1q;d')"
CHECK_IPV6_TORRENTBOX_STATIC_IP="$(sed '/TorrentBox to /!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '3q;d')"
CHECK_DSCP_OTHER_STATIC_IP="$(sed '/Other static IP addresses to/!d; s/.*set //; s/ comment.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '1q;d')"
CHECK_IPV4_OTHER_STATIC_IP="$(sed '/Other static IP addresses to /!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '1q;d')"
CHECK_IPV6_OTHER_STATIC_IP="$(sed '/Other static IP addresses to /!d; s/.*{ //; s/ }.*//' /etc/nftables.d/00-rules.nft 2> /dev/null | sed '3q;d')"

############################################################

### Rules ###

## Regenerate the ruleset only when a setting differs from what is installed
if [ "$CHAIN" != "$CHECK_CHAIN" ] || \
    [ "$DSCP_ICMP" != "$CHECK_DSCP_ICMP" ] || \
    [ "$DSCP_GAMING" != "$CHECK_DSCP_GAMING" ] || \
    [ "$BROADCAST_VIDEO" != "$CHECK_BROADCAST_VIDEO" ] || \
    [ "$GAMING" != "$CHECK_GAMING" ] || \
    [ "$GAME_STREAMING" != "$CHECK_GAME_STREAMING" ] || \
    [ "$MULTIMEDIA_CONFERENCING" != "$CHECK_MULTIMEDIA_CONFERENCING" ] || \
    [ "$TELEPHONY" != "$CHECK_TELEPHONY" ] || \
    [ "$TCP_SRC_GAME_PORTS" != "$CHECK_TCP_SRC_GAME_PORTS" ] || \
    [ "$TCP_DST_GAME_PORTS" != "$CHECK_TCP_DST_GAME_PORTS" ] || \
    [ "$UDP_SRC_GAME_PORTS" != "$CHECK_UDP_SRC_GAME_PORTS" ] || \
    [ "$UDP_DST_GAME_PORTS" != "$CHECK_UDP_DST_GAME_PORTS" ] || \
    [ "$TCP_SRC_BULK_PORTS" != "$CHECK_TCP_SRC_BULK_PORTS" ] || \
    [ "$TCP_DST_BULK_PORTS" != "$CHECK_TCP_DST_BULK_PORTS" ] || \
    [ "$UDP_SRC_BULK_PORTS" != "$CHECK_UDP_SRC_BULK_PORTS" ] || \
    [ "$UDP_DST_BULK_PORTS" != "$CHECK_UDP_DST_BULK_PORTS" ] || \
    [ "$DSCP_OTHER_PORTS" != "$CHECK_DSCP_OTHER_PORTS" ] || \
    [ "$TCP_SRC_OTHER_PORTS" != "$CHECK_TCP_SRC_OTHER_PORTS" ] || \
    [ "$TCP_DST_OTHER_PORTS" != "$CHECK_TCP_DST_OTHER_PORTS" ] || \
    [ "$UDP_SRC_OTHER_PORTS" != "$CHECK_UDP_SRC_OTHER_PORTS" ] || \
    [ "$UDP_DST_OTHER_PORTS" != "$CHECK_UDP_DST_OTHER_PORTS" ] || \
    [ "$IPV4_GAME_CONSOLES_STATIC_IP" != "$CHECK_IPV4_GAME_CONSOLES_STATIC_IP" ] || \
    [ "$IPV6_GAME_CONSOLES_STATIC_IP" != "$CHECK_IPV6_GAME_CONSOLES_STATIC_IP" ] || \
    [ "$IPV4_TORRENTBOX_STATIC_IP" != "$CHECK_IPV4_TORRENTBOX_STATIC_IP" ] || \
    [ "$IPV6_TORRENTBOX_STATIC_IP" != "$CHECK_IPV6_TORRENTBOX_STATIC_IP" ] || \
    [ "$DSCP_OTHER_STATIC_IP" != "$CHECK_DSCP_OTHER_STATIC_IP" ] || \
    [ "$IPV4_OTHER_STATIC_IP" != "$CHECK_IPV4_OTHER_STATIC_IP" ] || \
    [ "$IPV6_OTHER_STATIC_IP" != "$CHECK_IPV6_OTHER_STATIC_IP" ]; then

# Unquoted heredoc: every $VARIABLE below is expanded into the nft file, so the settings must be clean nft syntax
cat << RULES > /tmp/00-rules.nft


### DSCP marking rules ###


chain pre_mangle_forward {
    type filter hook forward priority mangle -1; policy accept;

    ## Wash all ISP DSCP marks from ingress traffic and set these rules as the default for unmarked traffic
    meta nfproto ipv4 counter ip dscp set cs1 comment "Wash all ISP DSCP marks to CS1 (IPv4)"
    meta nfproto ipv6 counter ip6 dscp set cs1 comment "Wash all ISP DSCP marks to CS1 (IPv6)"

    ## Arrange ruleset
    meta nfproto ipv4 jump dscp_marking_ports_ipv4 comment "DSCP marking rules for ports (IPv4)"
    meta nfproto ipv6 jump dscp_marking_ports_ipv6 comment "DSCP marking rules for ports (IPv6)"
    meta nfproto ipv4 jump dscp_marking_ip_addresses_ipv4 comment "DSCP marking rules for IP addresses (IPv4)"
    meta nfproto ipv6 jump dscp_marking_ip_addresses_ipv6 comment "DSCP marking rules for IP addresses (IPv6)"

}


chain pre_mangle_postrouting {
    type filter hook postrouting priority mangle -1; policy accept;

    ## Arrange ruleset
    meta nfproto ipv4 jump dscp_marking_ports_ipv4 comment "DSCP marking rules for ports (IPv4)"
    meta nfproto ipv6 jump dscp_marking_ports_ipv6 comment "DSCP marking rules for ports (IPv6)"
    meta nfproto ipv4 jump dscp_marking_ip_addresses_ipv4 comment "DSCP marking rules for IP addresses (IPv4)"
    meta nfproto ipv6 jump dscp_marking_ip_addresses_ipv6 comment "DSCP marking rules for IP addresses (IPv6)"

}


chain dscp_marking_ports_ipv4 {

    ## Port rules (IPv4) ##

    # ICMP (aka ping)
    meta l4proto icmp counter ip dscp set $DSCP_ICMP comment "ICMP (aka ping) to $DSCP_ICMP_COMMENT"

    # SSH, NTP and DNS
    meta nfproto ipv4 tcp sport { 22, 53, 5353 } counter ip dscp set cs2 comment "SSH and DNS to CS2 (TCP)"
    meta nfproto ipv4 tcp dport { 22, 53, 5353 } counter ip dscp set cs2 comment "SSH and DNS to CS2 (TCP)"
    meta nfproto ipv4 udp sport { 123, 53, 5353 } counter ip dscp set cs2 comment "NTP and DNS to CS2 (UDP)"
    meta nfproto ipv4 udp dport { 123, 53, 5353 } counter ip dscp set cs2 comment "NTP and DNS to CS2 (UDP)"

    # DNS over TLS (DoT)
    meta nfproto ipv4 tcp sport 853 counter ip dscp set af41 comment "DNS over TLS to AF41 (TCP)"
    meta nfproto ipv4 tcp dport 853 counter ip dscp set af41 comment "DNS over TLS to AF41 (TCP)"
    meta nfproto ipv4 udp sport 853 counter ip dscp set af41 comment "DNS over TLS to AF41 (UDP)"
    meta nfproto ipv4 udp dport 853 counter ip dscp set af41 comment "DNS over TLS to AF41 (UDP)"

    # HTTP/HTTPS and QUIC
    meta nfproto ipv4 meta l4proto { tcp, udp } th sport { 80, 443 } counter ip dscp set cs0 comment "Ingress traffic to CS0 (TCP and UDP)"
    meta nfproto ipv4 meta l4proto { tcp, udp } th dport { 80, 443 } meta length 0-77 counter ip dscp set cs0 comment "Egress smaller packets (like ACKs, SYN) to CS0 (TCP and UDP) - Downloads in general aggressively max out this class"
    meta nfproto ipv4 meta l4proto { tcp, udp } th dport { 80, 443 } meta length 77-1256 limit rate 200/second counter ip dscp set af41 comment "Prioritize egress light browsing (text/live chat/code?) and VoIP (these are the fallback ports) to AF41 (TCP and UDP)"
    meta nfproto ipv4 meta l4proto { tcp, udp } th dport { 80, 443 } meta length 77-1256 limit rate over 200/second counter ip dscp set cs0 comment "Deprioritize egress traffic of packet lengths between 77 and 1256 bytes that have more than 200 pps to CS0 (TCP and UDP)"

    # Live Streaming ports for YouTube Live, Twitch, Vimeo and LinkedIn Live
    meta nfproto ipv4 tcp sport { 1935-1936, 2396, 2935 } counter ip dscp set cs3 comment "Live Streaming ports to CS3 (TCP)"
    meta nfproto ipv4 tcp dport { 1935-1936, 2396, 2935 } counter ip dscp set cs3 comment "Live Streaming ports to CS3 (TCP)"

    # Xbox, PlayStation, Call of Duty, FIFA, Minecraft and Supercell Games
    meta nfproto ipv4 tcp sport { 3074, 3478-3480, 3075-3076, 3659, 25565, 9339 } counter ip dscp set $DSCP_GAMING comment "Known game ports and game consoles ports to $DSCP_GAMING_COMMENT (TCP)"
    meta nfproto ipv4 tcp dport { 3074, 3478-3480, 3075-3076, 3659, 25565, 9339 } counter ip dscp set $DSCP_GAMING comment "Known game ports and game consoles ports to $DSCP_GAMING_COMMENT (TCP)"
    meta nfproto ipv4 udp sport { 88, 3074, 3544, 3075-3079, 3658-3659, 19132-19133, 25565, 9339 } counter ip dscp set $DSCP_GAMING comment "Known game ports and game consoles ports to $DSCP_GAMING_COMMENT (UDP)"
    meta nfproto ipv4 udp dport { 88, 3074, 3544, 3075-3079, 3658-3659, 19132-19133, 25565, 9339 } counter ip dscp set $DSCP_GAMING comment "Known game ports and game consoles ports to $DSCP_GAMING_COMMENT (UDP)"

    # NVIDIA GeForce NOW
    meta nfproto ipv4 tcp sport 49006 counter ip dscp set af42 comment "Known game streaming ports to AF42 (TCP)"
    meta nfproto ipv4 tcp dport 49006 counter ip dscp set af42 comment "Known game streaming ports to AF42 (TCP)"
    meta nfproto ipv4 udp sport { 49003-49006 } counter ip dscp set af42 comment "Known game streaming ports to AF42 (UDP)"
    meta nfproto ipv4 udp dport { 49003-49006 } counter ip dscp set af42 comment "Known game streaming ports to AF42 (UDP)"

    # Zoom, Microsoft Teams, Skype, FaceTime, GoToMeeting, Webex Meeting, Jitsi Meet, Google Meet and TeamViewer
    meta nfproto ipv4 tcp sport { 8801-8802, 5004, 5349, 5938 } counter ip dscp set af41 comment "Known video conferencing ports to AF41 (TCP)"
    meta nfproto ipv4 tcp dport { 8801-8802, 5004, 5349, 5938 } counter ip dscp set af41 comment "Known video conferencing ports to AF41 (TCP)"
    meta nfproto ipv4 udp sport { 3478-3497, 8801-8810, 16384-16387, 16393-16402, 1853, 8200, 9000, 10000, 19302-19309, 5938 } counter ip dscp set af41 comment "Known video conferencing ports to AF41 (UDP)"
    meta nfproto ipv4 udp dport { 3478-3497, 8801-8810, 16384-16387, 16393-16402, 1853, 8200, 9000, 10000, 19302-19309, 5938 } counter ip dscp set af41 comment "Known video conferencing ports to AF41 (UDP)"

    # Voice over Internet Protocol (VoIP) and Voice over WiFi or WiFi Calling (VoWiFi)
    meta nfproto ipv4 tcp sport { 5060-5061 } counter ip dscp set ef comment "Known VoIP and VoWiFi ports to EF (TCP)"
    meta nfproto ipv4 tcp dport { 5060-5061 } counter ip dscp set ef comment "Known VoIP and VoWiFi ports to EF (TCP)"
    meta nfproto ipv4 udp sport { 5060-5061, 500, 4500 } counter ip dscp set ef comment "Known VoIP and VoWiFi ports to EF (UDP)"
    meta nfproto ipv4 udp dport { 5060-5061, 500, 4500 } counter ip dscp set ef comment "Known VoIP and VoWiFi ports to EF (UDP)"

    # Packet mark for Usenet, BitTorrent and "custom bulk ports" to be excluded from the unmarked-traffic rules below
    meta nfproto ipv4 tcp sport { 119, 563, 6881-7000, 9000, 28221, 30301, 41952, 49160, 51413, $TCP_SRC_BULK_PORTS } ip dscp cs1 counter meta mark set 40 comment "Packet mark for Usenet, BitTorrent and custom bulk ports to be excluded (TCP)"
    meta nfproto ipv4 tcp dport { 119, 563, 6881-7000, 9000, 28221, 30301, 41952, 49160, 51413, $TCP_DST_BULK_PORTS } ip dscp cs1 counter meta mark set 41 comment "Packet mark for Usenet, BitTorrent and custom bulk ports to be excluded (TCP)"
    meta nfproto ipv4 udp sport { 6771, 6881-7000, 28221, 30301, 41952, 49160, 51413, $UDP_SRC_BULK_PORTS } ip dscp cs1 counter meta mark set 42 comment "Packet mark for Usenet, BitTorrent and custom bulk ports to be excluded (UDP)"
    meta nfproto ipv4 udp dport { 6771, 6881-7000, 28221, 30301, 41952, 49160, 51413, $UDP_DST_BULK_PORTS } ip dscp cs1 counter meta mark set 43 comment "Packet mark for Usenet, BitTorrent and custom bulk ports to be excluded (UDP)"

    # Unmarked TCP traffic: flows above 200 pps are marked 45 and treated as bulk-ish, everything slower is assumed to be latency-sensitive
    meta nfproto ipv4 tcp sport != { 80, 443, 8080, 1935-1936, 2396, 2935 } tcp dport != { 80, 443, 8080, 1935-1936, 2396, 2935 } meta mark != { 40, 41 } meta length 0-1256 limit rate over 200/second burst 100 packets ip dscp cs1 counter meta mark set 45 comment "Packet mark for unmarked TCP traffic of packet lengths between 0 and 1256 bytes that have more than 200 pps"
    meta nfproto ipv4 meta l4proto tcp numgen random mod 1000 < 5 meta mark 45 counter meta mark set 0 comment "0.5% probability of unmarking a packet that goes over 200 pps so that it is prioritized to $DSCP_GAMING_COMMENT (TCP)"
    meta nfproto ipv4 meta l4proto tcp meta length 0-77 ct direction reply meta mark 45 counter ip dscp set af41 comment "Prioritize ingress unmarked traffic of packet lengths between 0 and 77 bytes that have more than 200 pps to AF41 (TCP)"
    meta nfproto ipv4 meta l4proto tcp meta length 0-77 ct direction original meta mark 45 counter ip dscp set cs0 comment "Prioritize egress unmarked traffic of packet lengths between 0 and 77 bytes that have more than 200 pps to CS0 (TCP)"
    meta nfproto ipv4 meta l4proto tcp meta length > 77 meta mark 45 counter ip dscp set af41 comment "Prioritize unmarked traffic of packet lengths between 77 and 1256 bytes that have more than 200 pps to AF41 (TCP)"
    meta nfproto ipv4 tcp sport != { 80, 443, 8080, 1935-1936, 2396, 2935 } tcp dport != { 80, 443, 8080, 1935-1936, 2396, 2935 } meta mark != { 40, 41, 45 } meta length 0-1256 ip dscp cs1 counter ip dscp set $DSCP_GAMING comment "Prioritize unmarked traffic of packet lengths between 0 and 1256 bytes that have less than 200 pps to $DSCP_GAMING_COMMENT (TCP)"

    # Unmarked UDP traffic (some games also tend to use really tiny packets on the upload side, in the same size range as ACKs)
    meta nfproto ipv4 udp sport != { 80, 443 } udp dport != { 80, 443 } meta mark != { 42, 43 } meta length 0-1256 limit rate over 250/second burst 100 packets ip dscp cs1 counter meta mark set 50 comment "Packet mark for unmarked UDP traffic of packet lengths between 0 and 1256 bytes that have more than 250 pps"
    meta nfproto ipv4 meta l4proto udp numgen random mod 1000 < 5 meta mark 50 counter meta mark set 0 comment "0.5% probability of unmarking a packet that goes over 250 pps so that it is prioritized to $DSCP_GAMING_COMMENT (UDP)"
    meta nfproto ipv4 meta l4proto udp meta length 0-77 ct direction reply meta mark 50 counter ip dscp set af41 comment "Prioritize ingress unmarked traffic of packet lengths between 0 and 77 bytes that have more than 250 pps to AF41 (UDP)"
    meta nfproto ipv4 meta l4proto udp meta length 0-77 ct direction original meta mark 50 counter ip dscp set cs0 comment "Prioritize egress unmarked traffic of packet lengths between 0 and 77 bytes that have more than 250 pps to CS0 (UDP)"
    meta nfproto ipv4 meta l4proto udp meta length > 77 meta mark 50 counter ip dscp set af41 comment "Prioritize unmarked traffic of packet lengths between 77 and 1256 bytes that have more than 250 pps to AF41 (UDP)"
    meta nfproto ipv4 udp sport != { 80, 443 } udp dport != { 80, 443 } meta mark != { 42, 43, 50 } meta length 0-1256 ip dscp cs1 counter ip dscp set $DSCP_GAMING comment "Prioritize unmarked traffic of packet lengths between 0 and 1256 bytes that have less than 250 pps to $DSCP_GAMING_COMMENT (UDP) - Gaming & VoIP"

    ## Custom port rules (IPv4) ##
Custom port rules (IPv4) ## 994 | 995 | # Game ports - Used by games 996 | meta nfproto ipv4 tcp sport { $TCP_SRC_GAME_PORTS } counter ip dscp set $DSCP_GAMING comment "Game ports to $DSCP_GAMING_COMMENT (TCP)" 997 | meta nfproto ipv4 tcp dport { $TCP_DST_GAME_PORTS } counter ip dscp set $DSCP_GAMING comment "Game ports to $DSCP_GAMING_COMMENT (TCP)" 998 | meta nfproto ipv4 udp sport { $UDP_SRC_GAME_PORTS } counter ip dscp set $DSCP_GAMING comment "Game ports to $DSCP_GAMING_COMMENT (UDP)" 999 | meta nfproto ipv4 udp dport { $UDP_DST_GAME_PORTS } counter ip dscp set $DSCP_GAMING comment "Game ports to $DSCP_GAMING_COMMENT (UDP)" 1000 | 1001 | # Bulk ports - Used for 'bulk traffic' such as "BitTorrent" 1002 | meta nfproto ipv4 tcp sport { $TCP_SRC_BULK_PORTS } counter ip dscp set cs1 comment "Bulk ports to CS1 (TCP)" 1003 | meta nfproto ipv4 tcp dport { $TCP_DST_BULK_PORTS } counter ip dscp set cs1 comment "Bulk ports to CS1 (TCP)" 1004 | meta nfproto ipv4 udp sport { $UDP_SRC_BULK_PORTS } counter ip dscp set cs1 comment "Bulk ports to CS1 (UDP)" 1005 | meta nfproto ipv4 udp dport { $UDP_DST_BULK_PORTS } counter ip dscp set cs1 comment "Bulk ports to CS1 (UDP)" 1006 | 1007 | # Other ports [OPTIONAL] - Mark wherever you want 1008 | meta nfproto ipv4 tcp sport { $TCP_SRC_OTHER_PORTS } counter ip dscp set $DSCP_OTHER_PORTS comment "Other ports to $DSCP_OTHER_PORTS_COMMENT (TCP)" 1009 | meta nfproto ipv4 tcp dport { $TCP_DST_OTHER_PORTS } counter ip dscp set $DSCP_OTHER_PORTS comment "Other ports to $DSCP_OTHER_PORTS_COMMENT (TCP)" 1010 | meta nfproto ipv4 udp sport { $UDP_SRC_OTHER_PORTS } counter ip dscp set $DSCP_OTHER_PORTS comment "Other ports to $DSCP_OTHER_PORTS_COMMENT (UDP)" 1011 | meta nfproto ipv4 udp dport { $UDP_DST_OTHER_PORTS } counter ip dscp set $DSCP_OTHER_PORTS comment "Other ports to $DSCP_OTHER_PORTS_COMMENT (UDP)" 1012 | 1013 | } 1014 | 1015 | 1016 | chain dscp_marking_ports_ipv6 { 1017 | 1018 | ## Port rules (IPv6) ## 1019 | 1020 | # ICMPv6 (aka 
ping) 1021 | meta l4proto ipv6-icmp counter ip6 dscp set $DSCP_ICMP comment "ICMPv6 (aka ping) to $DSCP_ICMP_COMMENT" 1022 | 1023 | # SSH, NTP and DNS 1024 | meta nfproto ipv6 tcp sport { 22, 53, 5353 } counter ip6 dscp set cs2 comment "SSH and DNS to CS2 (TCP)" 1025 | meta nfproto ipv6 tcp dport { 22, 53, 5353 } counter ip6 dscp set cs2 comment "SSH and DNS to CS2 (TCP)" 1026 | meta nfproto ipv6 udp sport { 123, 53, 5353 } counter ip6 dscp set cs2 comment "NTP and DNS to CS2 (UDP)" 1027 | meta nfproto ipv6 udp dport { 123, 53, 5353 } counter ip6 dscp set cs2 comment "NTP and DNS to CS2 (UDP)" 1028 | 1029 | # DNS over TLS (DoT) 1030 | meta nfproto ipv6 tcp sport 853 counter ip6 dscp set af41 comment "DNS over TLS to AF41 (TCP)" 1031 | meta nfproto ipv6 tcp dport 853 counter ip6 dscp set af41 comment "DNS over TLS to AF41 (TCP)" 1032 | meta nfproto ipv6 udp sport 853 counter ip6 dscp set af41 comment "DNS over TLS to AF41 (UDP)" 1033 | meta nfproto ipv6 udp dport 853 counter ip6 dscp set af41 comment "DNS over TLS to AF41 (UDP)" 1034 | 1035 | # HTTP/HTTPS and QUIC 1036 | meta nfproto ipv6 meta l4proto { tcp, udp } th sport { 80, 443 } counter ip6 dscp set cs0 comment "Ingress traffic to CS0 (TCP and UDP)" 1037 | meta nfproto ipv6 meta l4proto { tcp, udp } th dport { 80, 443 } meta length 0-77 counter ip6 dscp set cs0 comment "Egress smaller packets (like ACKs, SYN) to CS0 (TCP and UDP) - Downloads in general agressively max out this class" 1038 | meta nfproto ipv6 meta l4proto { tcp, udp } th dport { 80, 443 } meta length 77-1256 limit rate 200/second counter ip6 dscp set af41 comment "Prioritize egress light browsing (text/live chat/code?) 
and VoIP (these are the fallback ports) to AF41 (TCP and UDP)" 1039 | meta nfproto ipv6 meta l4proto { tcp, udp } th dport { 80, 443 } meta length 77-1256 limit rate over 200/second counter ip6 dscp set cs0 comment "Deprioritize egress traffic of packet lengths between 77 and 1256 bytes that have more than 200 pps to CS0 (TCP and UDP)" 1040 | 1041 | # Live Streaming ports for YouTube Live, Twitch, Vimeo and LinkedIn Live 1042 | meta nfproto ipv6 tcp sport { 1935-1936, 2396, 2935 } counter ip6 dscp set cs3 comment "Live Streaming ports to CS3 (TCP)" 1043 | meta nfproto ipv6 tcp dport { 1935-1936, 2396, 2935 } counter ip6 dscp set cs3 comment "Live Streaming ports to CS3 (TCP)" 1044 | 1045 | # Xbox, PlayStation, Call of Duty, FIFA, Minecraft and Supercell Games 1046 | meta nfproto ipv6 tcp sport { 3074, 3478-3480, 3075-3076, 3659, 25565, 9339 } counter ip6 dscp set $DSCP_GAMING comment "Known game ports and game consoles ports to $DSCP_GAMING_COMMENT (TCP)" 1047 | meta nfproto ipv6 tcp dport { 3074, 3478-3480, 3075-3076, 3659, 25565, 9339 } counter ip6 dscp set $DSCP_GAMING comment "Known game ports and game consoles ports to $DSCP_GAMING_COMMENT (TCP)" 1048 | meta nfproto ipv6 udp sport { 88, 3074, 3544, 3075-3079, 3658-3659, 19132-19133, 25565, 9339 } counter ip6 dscp set $DSCP_GAMING comment "Known game ports and game consoles ports to $DSCP_GAMING_COMMENT (UDP)" 1049 | meta nfproto ipv6 udp dport { 88, 3074, 3544, 3075-3079, 3658-3659, 19132-19133, 25565, 9339 } counter ip6 dscp set $DSCP_GAMING comment "Known game ports and game consoles ports to $DSCP_GAMING_COMMENT (UDP)" 1050 | 1051 | # NVIDIA GeForce NOW 1052 | meta nfproto ipv6 tcp sport 49006 counter ip6 dscp set af42 comment "Known game streaming ports to AF42 (TCP)" 1053 | meta nfproto ipv6 tcp dport 49006 counter ip6 dscp set af42 comment "Known game streaming ports to AF42 (TCP)" 1054 | meta nfproto ipv6 udp sport { 49003-49006 } counter ip6 dscp set af42 comment "Known game streaming ports to AF42 
(UDP)" 1055 | meta nfproto ipv6 udp dport { 49003-49006 } counter ip6 dscp set af42 comment "Known game streaming ports to AF42 (UDP)" 1056 | 1057 | # Zoom, Microsoft Teams, Skype, FaceTime, GoToMeeting, Webex Meeting, Jitsi Meet, Google Meet and TeamViewer 1058 | meta nfproto ipv6 tcp sport { 8801-8802, 5004, 5349, 5938 } counter ip6 dscp set af41 comment "Known video conferencing ports to AF41 (TCP)" 1059 | meta nfproto ipv6 tcp dport { 8801-8802, 5004, 5349, 5938 } counter ip6 dscp set af41 comment "Known video conferencing ports to AF41 (TCP)" 1060 | meta nfproto ipv6 udp sport { 3478-3497, 8801-8810, 16384-16387, 16393-16402, 1853, 8200, 9000, 10000, 19302-19309, 5938 } counter ip6 dscp set af41 comment "Known video conferencing ports to AF41 (UDP)" 1061 | meta nfproto ipv6 udp dport { 3478-3497, 8801-8810, 16384-16387, 16393-16402, 1853, 8200, 9000, 10000, 19302-19309, 5938 } counter ip6 dscp set af41 comment "Known video conferencing ports to AF41 (UDP)" 1062 | 1063 | # Voice over Internet Protocol (VoIP) and Voice over WiFi or WiFi Calling (VoWiFi) 1064 | meta nfproto ipv6 tcp sport { 5060-5061 } counter ip6 dscp set ef comment "Known VoIP and VoWiFi ports to EF (TCP)" 1065 | meta nfproto ipv6 tcp dport { 5060-5061 } counter ip6 dscp set ef comment "Known VoIP and VoWiFi ports to EF (TCP)" 1066 | meta nfproto ipv6 udp sport { 5060-5061, 500, 4500 } counter ip6 dscp set ef comment "Known VoIP and VoWiFi ports to EF (UDP)" 1067 | meta nfproto ipv6 udp dport { 5060-5061, 500, 4500 } counter ip6 dscp set ef comment "Known VoIP and VoWiFi ports to EF (UDP)" 1068 | 1069 | # Packet mark for Usenet, BitTorrent and "custom bulk ports" to be excluded 1070 | meta nfproto ipv6 tcp sport { 119, 563, 6881-7000, 9000, 28221, 30301, 41952, 49160, 51413, $TCP_SRC_BULK_PORTS } ip6 dscp cs1 counter meta mark set 70 comment "Packet mark for Usenet, BitTorrent and custom bulk ports to be excluded (TCP)" 1071 | meta nfproto ipv6 tcp dport { 119, 563, 6881-7000, 9000, 28221, 
30301, 41952, 49160, 51413, $TCP_DST_BULK_PORTS } ip6 dscp cs1 counter meta mark set 71 comment "Packet mark for Usenet, BitTorrent and custom bulk ports to be excluded (TCP)" 1072 | meta nfproto ipv6 udp sport { 6771, 6881-7000, 28221, 30301, 41952, 49160, 51413, $UDP_SRC_BULK_PORTS } ip6 dscp cs1 counter meta mark set 72 comment "Packet mark for Usenet, BitTorrent and custom bulk ports to be excluded (UDP)" 1073 | meta nfproto ipv6 udp dport { 6771, 6881-7000, 28221, 30301, 41952, 49160, 51413, $UDP_DST_BULK_PORTS } ip6 dscp cs1 counter meta mark set 73 comment "Packet mark for Usenet, BitTorrent and custom bulk ports to be excluded (UDP)" 1074 | 1075 | # Unmarked TCP traffic 1076 | meta nfproto ipv6 tcp sport != { 80, 443, 8080, 1935-1936, 2396, 2935 } tcp dport != { 80, 443, 8080, 1935-1936, 2396, 2935 } meta mark != { 70, 71 } meta length 0-1256 limit rate over 200/second burst 100 packets ip6 dscp cs1 counter meta mark set 75 comment "Packet mark for unmarked TCP traffic of packet lengths between 0 and 1256 bytes that have more than 200 pps" 1077 | meta nfproto ipv6 meta l4proto tcp numgen random mod 1000 < 5 meta mark 75 counter meta mark set 0 comment "0.5% probability of unmark a packet that go over 200 pps to be prioritized to $DSCP_GAMING_COMMENT (TCP)" 1078 | meta nfproto ipv6 meta l4proto tcp meta length 0-77 ct direction reply meta mark 75 counter ip6 dscp set af41 comment "Prioritize ingress unmarked traffic of packet lengths between 0 and 77 bytes that have more than 200 pps to AF41 (TCP)" 1079 | meta nfproto ipv6 meta l4proto tcp meta length 0-77 ct direction original meta mark 75 counter ip6 dscp set cs0 comment "Prioritize egress unmarked traffic of packet lengths between 0 and 77 bytes that have more than 200 pps to CS0 (TCP)" 1080 | meta nfproto ipv6 meta l4proto tcp meta length > 77 meta mark 75 counter ip6 dscp set af41 comment "Prioritize unmarked traffic of packet lengths between 77 and 1256 bytes that have more than 200 pps to AF41 (TCP)" 
1081 | meta nfproto ipv6 tcp sport != { 80, 443, 8080, 1935-1936, 2396, 2935 } tcp dport != { 80, 443, 8080, 1935-1936, 2396, 2935 } meta mark != { 70, 71, 75 } meta length 0-1256 ip6 dscp cs1 counter ip6 dscp set $DSCP_GAMING comment "Prioritize unmarked traffic of packet lengths between 0 and 1256 bytes that have less than 200 pps to $DSCP_GAMING_COMMENT (TCP)" 1082 | 1083 | # Unmarked UDP traffic (Some games also tend to use really tiny packets on upload side (same range as ACKs)) 1084 | meta nfproto ipv6 udp sport != { 80, 443 } udp dport != { 80, 443 } meta mark != { 72, 73 } meta length 0-1256 limit rate over 250/second burst 100 packets ip6 dscp cs1 counter meta mark set 80 comment "Packet mark for unmarked UDP traffic of packet lengths between 0 and 1256 bytes that have more than 250 pps" 1085 | meta nfproto ipv6 meta l4proto udp numgen random mod 1000 < 5 meta mark 80 counter meta mark set 0 comment "0.5% probability of unmark a packet that go over 250 pps to be prioritized to $DSCP_GAMING_COMMENT (UDP)" 1086 | meta nfproto ipv6 meta l4proto udp meta length 0-77 ct direction reply meta mark 80 counter ip6 dscp set af41 comment "Prioritize ingress unmarked traffic of packet lengths between 0 and 77 bytes that have more than 250 pps to AF41 (UDP)" 1087 | meta nfproto ipv6 meta l4proto udp meta length 0-77 ct direction original meta mark 80 counter ip6 dscp set cs0 comment "Prioritize egress unmarked traffic of packet lengths between 0 and 77 bytes that have more than 250 pps to CS0 (UDP)" 1088 | meta nfproto ipv6 meta l4proto udp meta length > 77 meta mark 80 counter ip6 dscp set af41 comment "Prioritize unmarked traffic of packet lengths between 77 and 1256 bytes that have more than 250 pps to AF41 (UDP)" 1089 | meta nfproto ipv6 udp sport != { 80, 443 } udp dport != { 80, 443 } meta mark != { 72, 73, 80 } meta length 0-1256 ip6 dscp cs1 counter ip6 dscp set $DSCP_GAMING comment "Prioritize unmarked traffic of packet lengths between 0 and 1256 bytes that 
have less than 250 pps to $DSCP_GAMING_COMMENT (UDP) - Gaming & VoIP" 1090 | 1091 | ## Custom port rules (IPv6) ## 1092 | 1093 | # Game ports - Used by games 1094 | meta nfproto ipv6 tcp sport { $TCP_SRC_GAME_PORTS } counter ip6 dscp set $DSCP_GAMING comment "Game ports to $DSCP_GAMING_COMMENT (TCP)" 1095 | meta nfproto ipv6 tcp dport { $TCP_DST_GAME_PORTS } counter ip6 dscp set $DSCP_GAMING comment "Game ports to $DSCP_GAMING_COMMENT (TCP)" 1096 | meta nfproto ipv6 udp sport { $UDP_SRC_GAME_PORTS } counter ip6 dscp set $DSCP_GAMING comment "Game ports to $DSCP_GAMING_COMMENT (UDP)" 1097 | meta nfproto ipv6 udp dport { $UDP_DST_GAME_PORTS } counter ip6 dscp set $DSCP_GAMING comment "Game ports to $DSCP_GAMING_COMMENT (UDP)" 1098 | 1099 | # Bulk ports - Used for 'bulk traffic' such as "BitTorrent" 1100 | meta nfproto ipv6 tcp sport { $TCP_SRC_BULK_PORTS } counter ip6 dscp set cs1 comment "Bulk ports to CS1 (TCP)" 1101 | meta nfproto ipv6 tcp dport { $TCP_DST_BULK_PORTS } counter ip6 dscp set cs1 comment "Bulk ports to CS1 (TCP)" 1102 | meta nfproto ipv6 udp sport { $UDP_SRC_BULK_PORTS } counter ip6 dscp set cs1 comment "Bulk ports to CS1 (UDP)" 1103 | meta nfproto ipv6 udp dport { $UDP_DST_BULK_PORTS } counter ip6 dscp set cs1 comment "Bulk ports to CS1 (UDP)" 1104 | 1105 | # Other ports [OPTIONAL] - Mark wherever you want 1106 | meta nfproto ipv6 tcp sport { $TCP_SRC_OTHER_PORTS } counter ip6 dscp set $DSCP_OTHER_PORTS comment "Other ports to $DSCP_OTHER_PORTS_COMMENT (TCP)" 1107 | meta nfproto ipv6 tcp dport { $TCP_DST_OTHER_PORTS } counter ip6 dscp set $DSCP_OTHER_PORTS comment "Other ports to $DSCP_OTHER_PORTS_COMMENT (TCP)" 1108 | meta nfproto ipv6 udp sport { $UDP_SRC_OTHER_PORTS } counter ip6 dscp set $DSCP_OTHER_PORTS comment "Other ports to $DSCP_OTHER_PORTS_COMMENT (UDP)" 1109 | meta nfproto ipv6 udp dport { $UDP_DST_OTHER_PORTS } counter ip6 dscp set $DSCP_OTHER_PORTS comment "Other ports to $DSCP_OTHER_PORTS_COMMENT (UDP)" 1110 | 1111 | } 1112 | 1113 | 
1114 | chain dscp_marking_ip_addresses_ipv4 { 1115 | 1116 | ## IP address rules (IPv4) ## 1117 | 1118 | # Game consoles (Static IP) - Will cover all ports (except ports 80, 443, 8080, Live Streaming and BitTorrent) 1119 | ip daddr { $IPV4_GAME_CONSOLES_STATIC_IP } meta l4proto { tcp, udp } th sport != { 80, 443, 8080, 1935-1936, 2396, 2935 } th dport != { 80, 443, 8080, 1935-1936, 2396, 2935 } meta mark != { 40, 41, 42, 43 } counter ip dscp set $DSCP_GAMING comment "Game consoles to $DSCP_GAMING_COMMENT (TCP and UDP)" 1120 | ip saddr { $IPV4_GAME_CONSOLES_STATIC_IP } meta l4proto { tcp, udp } th sport != { 80, 443, 8080, 1935-1936, 2396, 2935 } th dport != { 80, 443, 8080, 1935-1936, 2396, 2935 } meta mark != { 40, 41, 42, 43 } counter ip dscp set $DSCP_GAMING comment "Game consoles to $DSCP_GAMING_COMMENT (TCP and UDP)" 1121 | 1122 | # TorrentBox (Static IP) - Mark 'all traffic' as bulk 1123 | ip daddr { $IPV4_TORRENTBOX_STATIC_IP } counter ip dscp set cs1 comment "TorrentBox to CS1" 1124 | ip saddr { $IPV4_TORRENTBOX_STATIC_IP } counter ip dscp set cs1 comment "TorrentBox to CS1" 1125 | 1126 | # Other static IP addresses [OPTIONAL] - Mark 'all traffic' wherever you want 1127 | ip daddr { $IPV4_OTHER_STATIC_IP } counter ip dscp set $DSCP_OTHER_STATIC_IP comment "Other static IP addresses to $DSCP_OTHER_STATIC_IP_COMMENT" 1128 | ip saddr { $IPV4_OTHER_STATIC_IP } counter ip dscp set $DSCP_OTHER_STATIC_IP comment "Other static IP addresses to $DSCP_OTHER_STATIC_IP_COMMENT" 1129 | 1130 | } 1131 | 1132 | 1133 | chain dscp_marking_ip_addresses_ipv6 { 1134 | 1135 | ## IP address rules (IPv6) ## 1136 | 1137 | # Game consoles (Static IP) - Will cover all ports (except ports 80, 443, 8080, Live Streaming and BitTorrent) 1138 | ip6 daddr { $IPV6_GAME_CONSOLES_STATIC_IP } meta l4proto { tcp, udp } th sport != { 80, 443, 8080, 1935-1936, 2396, 2935 } th dport != { 80, 443, 8080, 1935-1936, 2396, 2935 } meta mark != { 70, 71, 72, 73 } counter ip6 dscp set $DSCP_GAMING comment 
"Game consoles to $DSCP_GAMING_COMMENT (TCP and UDP)" 1139 | ip6 saddr { $IPV6_GAME_CONSOLES_STATIC_IP } meta l4proto { tcp, udp } th sport != { 80, 443, 8080, 1935-1936, 2396, 2935 } th dport != { 80, 443, 8080, 1935-1936, 2396, 2935 } meta mark != { 70, 71, 72, 73 } counter ip6 dscp set $DSCP_GAMING comment "Game consoles to $DSCP_GAMING_COMMENT (TCP and UDP)" 1140 | 1141 | # TorrentBox (Static IP) - Mark 'all traffic' as bulk 1142 | ip6 daddr { $IPV6_TORRENTBOX_STATIC_IP } counter ip6 dscp set cs1 comment "TorrentBox to CS1" 1143 | ip6 saddr { $IPV6_TORRENTBOX_STATIC_IP } counter ip6 dscp set cs1 comment "TorrentBox to CS1" 1144 | 1145 | # Other static IP addresses [OPTIONAL] - Mark 'all traffic' wherever you want 1146 | ip6 daddr { $IPV6_OTHER_STATIC_IP } counter ip6 dscp set $DSCP_OTHER_STATIC_IP comment "Other static IP addresses to $DSCP_OTHER_STATIC_IP_COMMENT" 1147 | ip6 saddr { $IPV6_OTHER_STATIC_IP } counter ip6 dscp set $DSCP_OTHER_STATIC_IP comment "Other static IP addresses to $DSCP_OTHER_STATIC_IP_COMMENT" 1148 | 1149 | } 1150 | RULES 1151 | 1152 | ############################################################ 1153 | 1154 | ## Default chain for the rules 1155 | if [ "$CHAIN" = "FORWARD" ]; then 1156 | # FORWARD 1157 | grep "jump" /tmp/00-rules.nft | sed '1q;d' | grep " " > /dev/null 2>&1 || sed -i "14,17 s/#/ /" /tmp/00-rules.nft > /dev/null 2>&1 1158 | grep "jump" /tmp/00-rules.nft | sed '5q;d' | grep "# " > /dev/null 2>&1 || sed -i "22 s/c/#c/; 23,29 s/ /#/; 31 s/}/#}/" /tmp/00-rules.nft > /dev/null 2>&1 1159 | elif [ "$CHAIN" != "FORWARD" ]; then 1160 | # POSTROUTING 1161 | grep "jump" /tmp/00-rules.nft | sed '1q;d' | grep "# " > /dev/null 2>&1 || sed -i "14,17 s/ /#/" /tmp/00-rules.nft > /dev/null 2>&1 1162 | grep "jump" /tmp/00-rules.nft | sed '5q;d' | grep " " > /dev/null 2>&1 || sed -i "22 s/#c/c/; 23,29 s/#/ /; 31 s/#}/}/" /tmp/00-rules.nft > /dev/null 2>&1 1163 | fi 1164 | 1165 | ############################################################ 
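The enable/disable toggles above, and the "Nth rule whose comment matches" form that the custom-port and static-IP sections further down use, written as a small awk helper; this is an added example, not cake.sh's own code. It assumes the file layout the script's own `grep "# "` check implies (a disabled rule is one whose first non-blank characters are `# `) and works on a constructed sample file standing in for /tmp/00-rules.nft.

```sh
#!/bin/sh
# Added example (not part of cake.sh): an auditable stand-in for the
# "grep PATTERN file | sed 'Nq;d' | grep ... || sed -i ..." toggles.
# Assumption (from the script's own checks): one rule per line, and a
# disabled rule is one whose first non-blank characters are "# ".

# Constructed sample ruleset in the shape of /tmp/00-rules.nft: the two
# "Game ports to" rules start disabled, the "Bulk ports to" rule enabled.
# Port numbers are taken from the script's own known-port lists.
make_sample_rules() {
    cat > "$1" <<'EOF'
chain dscp_marking_ports_ipv4 {
    # tcp sport { 3074 } counter ip dscp set cs4 comment "Game ports to CS4 (TCP)"
    # tcp dport { 3074 } counter ip dscp set cs4 comment "Game ports to CS4 (TCP)"
    tcp sport { 6881 } counter ip dscp set cs1 comment "Bulk ports to CS1 (TCP)"
}
EOF
}

# rule_state FILE PATTERN N -> prints "enabled", "disabled" or "missing" for
# the Nth line containing PATTERN (N counts matches like sed 'Nq;d' does).
rule_state() {
    awk -v pat="$2" -v n="$3" '
        index($0, pat) > 0 && ++seen == n {
            state = ($0 ~ /^[ \t]*# /) ? "disabled" : "enabled"
            print state; found = 1; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# toggle_rule FILE PATTERN N enable|disable
# Rewrites only the Nth matching line: "enable" removes the "# " after the
# indentation, "disable" inserts it there. A line already in the requested
# state is left untouched, so repeated runs are no-ops.
# Returns 0 on success, 1 when there is no Nth match, 2 on a bad action.
toggle_rule() {
    file=$1 pat=$2 n=$3 act=$4
    case $act in
        enable|disable) ;;
        *) echo "toggle_rule: bad action '$act'" >&2; return 2 ;;
    esac
    [ "$(rule_state "$file" "$pat" "$n")" != missing ] || return 1
    tmp="$file.tmp.$$"
    awk -v pat="$pat" -v n="$n" -v act="$act" '
        index($0, pat) > 0 && ++seen == n {
            if (act == "enable" && match($0, /^[ \t]*# /))
                $0 = substr($0, 1, RLENGTH - 2) substr($0, RLENGTH + 1)
            if (act == "disable" && $0 !~ /^[ \t]*# / && match($0, /^[ \t]*/))
                $0 = substr($0, 1, RLENGTH) "# " substr($0, RLENGTH + 1)
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Drive the helper against the constructed ruleset and print the final
# state of the three rules, space separated.
demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/00-rules.nft"
    make_sample_rules "$f"
    toggle_rule "$f" "Game ports to" 2 enable   # enable only the 2nd game rule
    toggle_rule "$f" "Game ports to" 2 enable   # repeat: no change
    toggle_rule "$f" "Bulk ports to" 1 disable  # comment out the bulk rule
    printf '%s %s %s\n' \
        "$(rule_state "$f" "Game ports to" 1)" \
        "$(rule_state "$f" "Game ports to" 2)" \
        "$(rule_state "$f" "Bulk ports to" 1)"
    rm -rf "$dir"
}

demo   # prints: disabled enabled disabled
```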

### Known rules ###

## BROADCAST VIDEO rules
if [ "$BROADCAST_VIDEO" = "yes" ]; then
# Enable
grep "Live Streaming ports to" /tmp/00-rules.nft | grep " " > /dev/null 2>&1 || sed -i '/Live Streaming ports to/s/# / /g' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$BROADCAST_VIDEO" != "yes" ]; then
# Disable
grep "Live Streaming ports to" /tmp/00-rules.nft | grep "# " > /dev/null 2>&1 || sed -i '/Live Streaming ports to/s/ /# /g' /tmp/00-rules.nft > /dev/null 2>&1
fi

## GAMING rules
if [ "$GAMING" = "yes" ]; then
# Enable
grep "Known game ports" /tmp/00-rules.nft | grep " " > /dev/null 2>&1 || sed -i '/Known game ports/s/# / /g' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$GAMING" != "yes" ]; then
# Disable
grep "Known game ports" /tmp/00-rules.nft | grep "# " > /dev/null 2>&1 || sed -i '/Known game ports/s/ /# /g' /tmp/00-rules.nft > /dev/null 2>&1
fi

## GAME STREAMING rules
if [ "$GAME_STREAMING" = "yes" ]; then
# Enable
grep "Known game streaming" /tmp/00-rules.nft | grep " " > /dev/null 2>&1 || sed -i '/Known game streaming/s/# / /g' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$GAME_STREAMING" != "yes" ]; then
# Disable
grep "Known game streaming" /tmp/00-rules.nft | grep "# " > /dev/null 2>&1 || sed -i '/Known game streaming/s/ /# /g' /tmp/00-rules.nft > /dev/null 2>&1
fi

## MULTIMEDIA CONFERENCING rules
if [ "$MULTIMEDIA_CONFERENCING" = "yes" ]; then
# Enable
grep "Known video conferencing ports to" /tmp/00-rules.nft | grep " " > /dev/null 2>&1 || sed -i '/Known video conferencing ports to/s/# / /g' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$MULTIMEDIA_CONFERENCING" != "yes" ]; then
# Disable
grep "Known video conferencing ports to" /tmp/00-rules.nft | grep "# " > /dev/null 2>&1 || sed -i '/Known video conferencing ports to/s/ /# /g' /tmp/00-rules.nft > /dev/null 2>&1
fi

## TELEPHONY rules
if [ "$TELEPHONY" = "yes" ]; then
# Enable
grep "Known VoIP and VoWiFi ports to" /tmp/00-rules.nft | grep " " > /dev/null 2>&1 || sed -i '/Known VoIP and VoWiFi ports to/s/# / /g' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$TELEPHONY" != "yes" ]; then
# Disable
grep "Known VoIP and VoWiFi ports to" /tmp/00-rules.nft | grep "# " > /dev/null 2>&1 || sed -i '/Known VoIP and VoWiFi ports to/s/ /# /g' /tmp/00-rules.nft > /dev/null 2>&1
fi

############################################################

### Custom port rules ###

## Game ports - Used by games
if [ "$TCP_SRC_GAME_PORTS" != "" ]; then
# Enable
grep "Game ports to" /tmp/00-rules.nft | sed '1q;d' | grep " " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{0\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Game ports to" /tmp/00-rules.nft | sed '5q;d' | grep " " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{4\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$TCP_SRC_GAME_PORTS" = "" ]; then
# Disable
grep "Game ports to" /tmp/00-rules.nft | sed '1q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{0\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Game ports to" /tmp/00-rules.nft | sed '5q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{4\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
fi
if [ "$TCP_DST_GAME_PORTS" != "" ]; then
# Enable
grep "Game ports to" /tmp/00-rules.nft | sed '2q;d' | grep " " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{1\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Game ports to" /tmp/00-rules.nft | sed '6q;d' | grep " " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{5\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$TCP_DST_GAME_PORTS" = "" ]; then
# Disable
grep "Game ports to" /tmp/00-rules.nft | sed '2q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{1\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Game ports to" /tmp/00-rules.nft | sed '6q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{5\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
fi
if [ "$UDP_SRC_GAME_PORTS" != "" ]; then
# Enable
grep "Game ports to" /tmp/00-rules.nft | sed '3q;d' | grep " " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{2\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Game ports to" /tmp/00-rules.nft | sed '7q;d' | grep " " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{6\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$UDP_SRC_GAME_PORTS" = "" ]; then
# Disable
grep "Game ports to" /tmp/00-rules.nft | sed '3q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{2\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Game ports to" /tmp/00-rules.nft | sed '7q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{6\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
fi
if [ "$UDP_DST_GAME_PORTS" != "" ]; then
# Enable
grep "Game ports to" /tmp/00-rules.nft | sed '4q;d' | grep " " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{3\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Game ports to" /tmp/00-rules.nft | sed '8q;d' | grep " " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{7\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$UDP_DST_GAME_PORTS" = "" ]; then
# Disable
grep "Game ports to" /tmp/00-rules.nft | sed '4q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{3\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Game ports to" /tmp/00-rules.nft | sed '8q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Game ports to/{G;s/\nX\{7\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
fi

## Bulk ports - Used for 'bulk traffic' such as "BitTorrent"
if [ "$TCP_SRC_BULK_PORTS" != "" ]; then
# Enable
grep "Bulk ports to" /tmp/00-rules.nft | sed '1q;d' | grep " " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{0\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Bulk ports to" /tmp/00-rules.nft | sed '5q;d' | grep " " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{4\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$TCP_SRC_BULK_PORTS" = "" ]; then
# Disable
grep "Bulk ports to" /tmp/00-rules.nft | sed '1q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{0\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Bulk ports to" /tmp/00-rules.nft | sed '5q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{4\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
fi
if [ "$TCP_DST_BULK_PORTS" != "" ]; then
# Enable
grep "Bulk ports to" /tmp/00-rules.nft | sed '2q;d' | grep " " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{1\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Bulk ports to" /tmp/00-rules.nft | sed '6q;d' | grep " " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{5\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$TCP_DST_BULK_PORTS" = "" ]; then
# Disable
grep "Bulk ports to" /tmp/00-rules.nft | sed '2q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{1\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Bulk ports to" /tmp/00-rules.nft | sed '6q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{5\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
fi
if [ "$UDP_SRC_BULK_PORTS" != "" ]; then
# Enable
grep "Bulk ports to" /tmp/00-rules.nft | sed '3q;d' | grep " " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{2\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Bulk ports to" /tmp/00-rules.nft | sed '7q;d' | grep " " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{6\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$UDP_SRC_BULK_PORTS" = "" ]; then
# Disable
grep "Bulk ports to" /tmp/00-rules.nft | sed '3q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{2\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Bulk ports to" /tmp/00-rules.nft | sed '7q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{6\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
fi
if [ "$UDP_DST_BULK_PORTS" != "" ]; then
# Enable
grep "Bulk ports to" /tmp/00-rules.nft | sed '4q;d' | grep " " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{3\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Bulk ports to" /tmp/00-rules.nft | sed '8q;d' | grep " " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{7\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$UDP_DST_BULK_PORTS" = "" ]; then
# Disable
grep "Bulk ports to" /tmp/00-rules.nft | sed '4q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{3\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Bulk ports to" /tmp/00-rules.nft | sed '8q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Bulk ports to/{G;s/\nX\{7\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
fi

## Other ports [OPTIONAL] - Mark wherever you want
if [ "$TCP_SRC_OTHER_PORTS" != "" ]; then
# Enable
grep "Other ports to" /tmp/00-rules.nft | sed '1q;d' | grep " " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{0\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Other ports to" /tmp/00-rules.nft | sed '5q;d' | grep " " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{4\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$TCP_SRC_OTHER_PORTS" = "" ]; then
# Disable
grep "Other ports to" /tmp/00-rules.nft | sed '1q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{0\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Other ports to" /tmp/00-rules.nft | sed '5q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{4\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
fi
if [ "$TCP_DST_OTHER_PORTS" != "" ]; then
# Enable
grep "Other ports to" /tmp/00-rules.nft | sed '2q;d' | grep " " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{1\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Other ports to" /tmp/00-rules.nft | sed '6q;d' | grep " " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{5\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$TCP_DST_OTHER_PORTS" = "" ]; then
# Disable
grep "Other ports to" /tmp/00-rules.nft | sed '2q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{1\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Other ports to" /tmp/00-rules.nft | sed '6q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{5\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
fi
if [ "$UDP_SRC_OTHER_PORTS" != "" ]; then
# Enable
grep "Other ports to" /tmp/00-rules.nft | sed '3q;d' | grep " " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{2\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Other ports to" /tmp/00-rules.nft | sed '7q;d' | grep " " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{6\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$UDP_SRC_OTHER_PORTS" = "" ]; then
# Disable
grep "Other ports to" /tmp/00-rules.nft | sed '3q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{2\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Other ports to" /tmp/00-rules.nft | sed '7q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{6\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
fi
if [ "$UDP_DST_OTHER_PORTS" != "" ]; then
# Enable
grep "Other ports to" /tmp/00-rules.nft | sed '4q;d' | grep " " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{3\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Other ports to" /tmp/00-rules.nft | sed '8q;d' | grep " " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{7\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$UDP_DST_OTHER_PORTS" = "" ]; then
# Disable
grep "Other ports to" /tmp/00-rules.nft | sed '4q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{3\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Other ports to" /tmp/00-rules.nft | sed '8q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Other ports to/{G;s/\nX\{7\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
fi

############################################################

### IP address rules ###

## Game consoles (Static IP) - Will cover all ports (except ports 80, 443, 8080, Live Streaming and BitTorrent)
if [ "$IPV4_GAME_CONSOLES_STATIC_IP" != "" ]; then
# Enable
grep "Game consoles to" /tmp/00-rules.nft | sed '1q;d' | grep " " > /dev/null 2>&1 || sed -i '/Game consoles to/{G;s/\nX\{0\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Game consoles to" /tmp/00-rules.nft | sed '2q;d' | grep " " > /dev/null 2>&1 || sed -i '/Game consoles to/{G;s/\nX\{1\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$IPV4_GAME_CONSOLES_STATIC_IP" = "" ]; then
# Disable
grep "Game consoles to" /tmp/00-rules.nft | sed '1q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Game consoles to/{G;s/\nX\{0\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Game consoles to" /tmp/00-rules.nft | sed '2q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Game consoles to/{G;s/\nX\{1\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
fi
if [ "$IPV6_GAME_CONSOLES_STATIC_IP" != "" ]; then
# Enable
grep "Game consoles to" /tmp/00-rules.nft | sed '3q;d' | grep " " > /dev/null 2>&1 || sed -i '/Game consoles to/{G;s/\nX\{2\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Game consoles to" /tmp/00-rules.nft | sed '4q;d' | grep " " > /dev/null 2>&1 || sed -i '/Game consoles to/{G;s/\nX\{3\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$IPV6_GAME_CONSOLES_STATIC_IP" = "" ]; then
# Disable
grep "Game consoles to" /tmp/00-rules.nft | sed '3q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Game consoles to/{G;s/\nX\{2\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "Game consoles to" /tmp/00-rules.nft | sed '4q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Game consoles to/{G;s/\nX\{3\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
fi

## TorrentBox (Static IP) - Mark 'all traffic' as bulk
if [ "$IPV4_TORRENTBOX_STATIC_IP" != "" ]; then
# Enable
grep "TorrentBox to" /tmp/00-rules.nft | sed '1q;d' | grep " " > /dev/null 2>&1 || sed -i '/TorrentBox to/{G;s/\nX\{0\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "TorrentBox to" /tmp/00-rules.nft | sed '2q;d' | grep " " > /dev/null 2>&1 || sed -i '/TorrentBox to/{G;s/\nX\{1\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
elif [ "$IPV4_TORRENTBOX_STATIC_IP" = "" ]; then
# Disable
grep "TorrentBox to" /tmp/00-rules.nft | sed '1q;d' | grep "# " > /dev/null 2>&1 || sed -i '/TorrentBox to/{G;s/\nX\{0\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
grep "TorrentBox to" /tmp/00-rules.nft | sed '2q;d' | grep "# " > /dev/null 2>&1 || sed -i '/TorrentBox to/{G;s/\nX\{1\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1
fi
if [ "$IPV6_TORRENTBOX_STATIC_IP" != "" ]; then
# Enable
grep "TorrentBox to" /tmp/00-rules.nft | sed '3q;d' | grep " " > /dev/null 2>&1 || sed -i '/TorrentBox to/{G;s/\nX\{2\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1 1369 | grep "TorrentBox to" /tmp/00-rules.nft | sed '4q;d' | grep " " > /dev/null 2>&1 || sed -i '/TorrentBox to/{G;s/\nX\{3\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1 1370 | elif [ "$IPV6_TORRENTBOX_STATIC_IP" = "" ]; then 1371 | # Disable 1372 | grep "TorrentBox to" /tmp/00-rules.nft | sed '3q;d' | grep "# " > /dev/null 2>&1 || sed -i '/TorrentBox to/{G;s/\nX\{2\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1 1373 | grep "TorrentBox to" /tmp/00-rules.nft | sed '4q;d' | grep "# " > /dev/null 2>&1 || sed -i '/TorrentBox to/{G;s/\nX\{3\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1 1374 | fi 1375 | 1376 | ## Other static IP addresses [OPTIONAL] - Mark 'all traffic' wherever you want 1377 | if [ "$IPV4_OTHER_STATIC_IP" != "" ]; then 1378 | # Enable 1379 | grep "Other static IP addresses to" /tmp/00-rules.nft | sed '1q;d' | grep " " > /dev/null 2>&1 || sed -i '/Other static IP addresses to/{G;s/\nX\{0\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1 1380 | grep "Other static IP addresses to" /tmp/00-rules.nft | sed '2q;d' | grep " " > /dev/null 2>&1 || sed -i '/Other static IP addresses to/{G;s/\nX\{1\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1 1381 | elif [ "$IPV4_OTHER_STATIC_IP" = "" ]; then 1382 | # Disable 1383 | grep "Other static IP addresses to" /tmp/00-rules.nft | sed '1q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Other static IP addresses to/{G;s/\nX\{0\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1 1384 | grep "Other static IP addresses to" /tmp/00-rules.nft | sed '2q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Other static IP addresses 
to/{G;s/\nX\{1\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1 1385 | fi 1386 | if [ "$IPV6_OTHER_STATIC_IP" != "" ]; then 1387 | # Enable 1388 | grep "Other static IP addresses to" /tmp/00-rules.nft | sed '3q;d' | grep " " > /dev/null 2>&1 || sed -i '/Other static IP addresses to/{G;s/\nX\{2\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1 1389 | grep "Other static IP addresses to" /tmp/00-rules.nft | sed '4q;d' | grep " " > /dev/null 2>&1 || sed -i '/Other static IP addresses to/{G;s/\nX\{3\}//;tend;x;s/^/X/;x};P;d;:end;s/# / /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1 1390 | elif [ "$IPV6_OTHER_STATIC_IP" = "" ]; then 1391 | # Disable 1392 | grep "Other static IP addresses to" /tmp/00-rules.nft | sed '3q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Other static IP addresses to/{G;s/\nX\{2\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1 1393 | grep "Other static IP addresses to" /tmp/00-rules.nft | sed '4q;d' | grep "# " > /dev/null 2>&1 || sed -i '/Other static IP addresses to/{G;s/\nX\{3\}//;tend;x;s/^/X/;x};P;d;:end;s/ /# /;:a;n;ba' /tmp/00-rules.nft > /dev/null 2>&1 1394 | fi 1395 | 1396 | ############################################################ 1397 | 1398 | ### nft file ### 1399 | 1400 | ## Copy the already edited *.nft file to the directory "/etc/nftables.d" 1401 | cp "/tmp/00-rules.nft" "/etc/nftables.d/00-rules.nft" 1402 | 1403 | fi 1404 | 1405 | ############################################################ 1406 | 1407 | ## Reload the firewall to update the rules and check that there are no problems with the rules 1408 | fw4 reload 1409 | 1410 | ########################################################### 1411 | --------------------------------------------------------------------------------
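The enable/disable blocks above all apply one idiom: read the state of the N-th marked rule line, then comment or uncomment exactly that line with the hold-space counting sed program. The following is an added example, not code from cake.sh, that factors that idiom into functions and runs it on a constructed rules fragment; the marker text, the "# " comment convention and the configuration variables are taken from the script, while the addresses and the `rule_state`, `set_rule`, `apply_config` and `demo` names are assumptions made here.

```shell
# Added example, not part of cake.sh: the "toggle the N-th rule line that carries a
# marker" idiom as functions, checked on a constructed .nft fragment. Assumed from the
# script: each rule line carries a marker in its nft comment, disabled = prefixed "# ".

# rule_state MARKER N FILE -> "disabled"/"enabled" (cake.sh's grep | sed 'Nq;d' guard, anchored)
rule_state() {
    if grep -- "$1" "$3" | sed "$2q;d" | grep -q '^[[:space:]]*# '; then
        echo disabled
    else
        echo enabled
    fi
}

# set_rule MARKER N enable|disable FILE: rewrite the N-th MARKER line only when its state
# differs. The sed program is cake.sh's: each MARKER line appends the hold space (one X per
# earlier match); at exactly N-1 X's this is the N-th match, so branch to :end, rewrite the
# comment prefix and copy the rest of the file through unchanged (:a;n;ba).
set_rule() {
    case "$3:$(rule_state "$1" "$2" "$4")" in
        enable:disabled)  sub='s/^\([[:space:]]*\)# /\1/' ;;
        disable:enabled)  sub='s/^\([[:space:]]*\)/\1# /' ;;
        enable:enabled|disable:disabled) return 0 ;;   # nothing to do
        *) echo "set_rule: mode must be enable or disable" >&2; return 2 ;;
    esac
    sed -i "/$1/{G;s/\\nX\\{$(($2 - 1))\\}//;tend;x;s/^/X/;x};P;d;:end;$sub;:a;n;ba" "$4"
}

# apply_config V4 V6 FILE: cake.sh's decision, a non-empty static IP enables its family's two rules
apply_config() {
    for n in 1 2; do set_rule "Game consoles to" "$n" "$([ -n "$1" ] && echo enable || echo disable)" "$3"; done
    for n in 3 4; do set_rule "Game consoles to" "$n" "$([ -n "$2" ] && echo enable || echo disable)" "$3"; done
}

# demo V4 V6 [V4' V6']: constructed rules (documentation addresses), one or two configs, final states
demo() {
    f=$(mktemp); out=
    cat > "$f" <<'EOF'
chain dscp_mark {
    # ip saddr 192.0.2.10 ip dscp set cs4 comment "Game consoles to CS4"
    # ip daddr 192.0.2.10 ip dscp set cs4 comment "Game consoles to CS4"
    # ip6 saddr 2001:db8::10 ip6 dscp set cs4 comment "Game consoles to CS4"
    # ip6 daddr 2001:db8::10 ip6 dscp set cs4 comment "Game consoles to CS4"
}
EOF
    apply_config "$1" "$2" "$f"; [ $# -ge 4 ] && apply_config "$3" "$4" "$f"
    for n in 1 2 3 4; do out="$out${out:+,}$(rule_state "Game consoles to" "$n" "$f")"; done
    rm -f "$f"; echo "$out"
}
```

In cake.sh the edited file is then copied to /etc/nftables.d/ and `fw4 reload` applies it; the example stops at the file so it can run anywhere.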