cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

use nftables

Browse source
This commit is contained in:
cy 2025-05-20 14:51:57 -04:00
parent 04bcd9eba1
commit f280227e5d
2 changed files with 2 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

28
hosts/chunk/default.nix
View file

@ -1,6 +1,5 @@
{ {
pkgs, pkgs,
lib,
... ...
}: }:
{ {
@ -79,32 +78,6 @@
allowedUDPPorts = [ allowedUDPPorts = [
443 443
]; ];
extraCommands =
let
ethtool = lib.getExe pkgs.ethtool;
tc = lib.getExe' pkgs.iproute2 "tc";
in
''
# disable TCP segmentation offload (https://wiki.archlinux.org/title/Advanced_traffic_control#Prerequisites)
${ethtool} -K ens18 tso off
# clear existing rules
${tc} qdisc del dev ens18 root || true
# create HTB hierarchy
${tc} qdisc add dev ens18 root handle 1: htb default 10
${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100%
# rest
${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 60% ceil 100%
# caddy
${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100%
# mark traffic
iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 3
# route marked packets
${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 3 fw flowid 1:30
'';
}; };
interfaces.ens18 = { interfaces.ens18 = {
ipv6.addresses = [ ipv6.addresses = [
@ -157,6 +130,7 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
vim vim
neovim
wget wget
curl curl
tree tree

1
hosts/common.nix
View file

@ -56,6 +56,7 @@
"nts.teambelgium.net" "nts.teambelgium.net"
"c.st1.ntp.br" "c.st1.ntp.br"
]; ];
nftables.enable = true;
}; };
services.chrony = { services.chrony = {
enable = true; enable = true;