From f280227e5d2a60acd6d427334001b28709c881eb Mon Sep 17 00:00:00 2001
From: cy
Date: Tue, 20 May 2025 14:51:57 -0400
Subject: [PATCH] use nftables

---
hosts/chunk/default.nix | 28 +---------------------------
hosts/common.nix | 1 +
2 files changed, 2 insertions(+), 27 deletions(-)

diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix
index 6f73eaf..8a7139e 100644
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@@ -1,6 +1,5 @@
{
pkgs,
- lib,
...
}:
{
@@ -79,32 +78,6 @@
allowedUDPPorts = [ 443 ];
- extraCommands =
- let
- ethtool = lib.getExe pkgs.ethtool;
- tc = lib.getExe' pkgs.iproute2 "tc";
- in
- ''
- # disable TCP segmentation offload (https://wiki.archlinux.org/title/Advanced_traffic_control#Prerequisites)
- ${ethtool} -K ens18 tso off
-
- # clear existing rules
- ${tc} qdisc del dev ens18 root || true
-
- # create HTB hierarchy
- ${tc} qdisc add dev ens18 root handle 1: htb default 10
- ${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100%
- # rest
- ${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 60% ceil 100%
- # caddy
- ${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100%
-
- # mark traffic
- iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 3
-
- # route marked packets
- ${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 3 fw flowid 1:30
- '';
};
interfaces.ens18 = {
ipv6.addresses = [
@@ -157,6 +130,7 @@
environment.systemPackages = with pkgs; [
vim
+ neovim
wget
curl
tree
diff --git a/hosts/common.nix b/hosts/common.nix
index b1989b1..fe6e1c6 100644
--- a/hosts/common.nix
+++ b/hosts/common.nix
@@ -56,6 +56,7 @@
"nts.teambelgium.net"
"c.st1.ntp.br"
];
+ nftables.enable = true;
};
services.chrony = {
enable = true;
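Review bot: The second hunk of hosts/chunk/default.nix removes the entire egress-shaping setup for ens18 (the TSO disable, the HTB class hierarchy, and the cgroup-based mark that steered caddy's traffic into class 1:30) with no replacement, and the subject "use nftables" does not say that this QoS policy is being retired. If the only reason is that `extraCommands` cannot stay once the firewall runs on the nftables backend, the `tc`/`ethtool` lines do not depend on iptables at all and could move to `networking.localCommands` or a oneshot unit, and the cgroup mark could be written as an nftables rule under `networking.nftables.tables` (nftables provides a `socket cgroupv2` match; confirm the syntax against the nftables version on the host). If the shaping is intentionally abandoned, say so in the commit description, since a reviewer reading only the new side sees a plain `allowedUDPPorts = [ 443 ];` and has no way to know caddy used to be rate-limited. The enclosing attribute set (presumably `networking.firewall`) opens before this hunk.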
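Review bot: The `+ neovim` addition to `environment.systemPackages` in the third hunk is unrelated to the nftables switch the subject describes. It would bisect and revert more cleanly as its own commit, or at minimum be mentioned in the description.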
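Review bot: `nftables.enable = true;` in hosts/common.nix switches the firewall backend for every host that imports this file, not just chunk, so any other host still setting `networking.firewall.extraCommands` or `extraStopCommands` will fail evaluation on the NixOS assertion that those options are incompatible with the nftables-based firewall; worth checking the other host directories before merging. From the surrounding context this line appears to sit inside a `networking = { ... }` set (resolving to `networking.nftables.enable`), but that set's opening line is outside the hunk, so confirm it is not landing in a different scope. After the switch the live ruleset is inspected with `nft list ruleset` rather than `iptables -L`, which affects any monitoring or runbook that scrapes the old output. A comment beside the option, such as `# nftables-backed firewall: extraCommands/extraStopCommands are rejected on every host`, would make the fleet-wide effect visible.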