From 076bfb72ca331904be7bcbeee85d93e960ad4226 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Sun, 10 May 2026 00:32:53 +0200
Subject: [PATCH] feat(deploy): nftables uid-based DSCP-EF + skb-priority marking for srcds

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../local/lib/left4me/nft/left4me-mark.nft | 12 ++++++++++
 deploy/tests/test_deploy_artifacts.py | 23 +++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 deploy/files/usr/local/lib/left4me/nft/left4me-mark.nft

diff --git a/deploy/files/usr/local/lib/left4me/nft/left4me-mark.nft b/deploy/files/usr/local/lib/left4me/nft/left4me-mark.nft
new file mode 100644
index 0000000..1098266
--- /dev/null
+++ b/deploy/files/usr/local/lib/left4me/nft/left4me-mark.nft
@@ -0,0 +1,12 @@
+# left4me — uid-based DSCP/priority marking for srcds UDP egress.
+# Loaded by left4me-nft-mark.service into its own `inet` table so it cannot
+# conflict with whatever the operator already runs in /etc/nftables.conf.
+# See docs/superpowers/specs/2026-05-10-l4d2-network-shaping-design.md.
+
+table inet left4me_mark {
+ chain mangle_output {
+ type filter hook output priority mangle; policy accept;
+ meta skuid "left4me" meta l4proto udp ip dscp set ef meta priority set 0006:0000
+ meta skuid "left4me" meta l4proto udp ip6 dscp set ef meta priority set 0006:0000
+ }
+}
diff --git a/deploy/tests/test_deploy_artifacts.py b/deploy/tests/test_deploy_artifacts.py
index d9c406d..0774c79 100644
--- a/deploy/tests/test_deploy_artifacts.py
+++ b/deploy/tests/test_deploy_artifacts.py
@@ -24,6 +24,7 @@ SUDOERS = DEPLOY / "files/etc/sudoers.d/left4me"
 HOST_ENV = DEPLOY / "templates/etc/left4me/host.env"
 WEB_ENV_TEMPLATE = DEPLOY / "templates/etc/left4me/web.env.template"
 DEPLOY_SCRIPT = DEPLOY / "deploy-test-server.sh"
+NFT_MARK_FILE = DEPLOY / "files/usr/local/lib/left4me/nft/left4me-mark.nft"
 
 
 def test_global_unit_files_exist_at_product_level_paths():
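Review bot: `meta skuid "left4me"` in both rules of the new `mangle_output` chain is resolved from the user name to a numeric uid at ruleset load time, so loading fails if the `left4me` account does not exist yet, and the rule keeps the old uid if the account is ever recreated with a different one; the unit named in the header comment (`left4me-nft-mark.service`, not in this diff) should therefore be ordered after account creation, and the file should say so. The match is also uid-wide rather than srcds-specific: any UDP socket owned by that uid, from any process, gets DSCP EF and skb priority class 6:0, which is only as intended while the uid runs nothing but game servers. I would add above the chain: `# Matches every UDP socket owned by uid left4me, not only srcds — keep this account dedicated to game servers.` and `# The name is resolved to a uid when loaded; the loading unit must run after the account exists.` The hunk covers the entire new file.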
@@ -712,3 +713,25 @@ def test_script_sandbox_helper_dry_run_mode(tmp_path):
 # verify the dry-run guard short-circuits before systemd-run / bwrap.
 assert 'LEFT4ME_SCRIPT_SANDBOX_DRY_RUN' in helper_text
 assert 'exit 0' in helper_text
+
+
+def test_nft_mark_file_marks_left4me_udp_with_dscp_ef_and_priority():
+ assert NFT_MARK_FILE.is_file()
+ text = NFT_MARK_FILE.read_text()
+
+ # Own table in the inet family so it cannot conflict with operator nftables config.
+ assert "table inet left4me_mark" in text
+ assert "chain mangle_output" in text
+ assert "type filter hook output priority mangle" in text
+
+ # Match by uid (every srcds runs as `left4me`) restricted to UDP.
+ assert 'meta skuid "left4me"' in text
+ assert "meta l4proto udp" in text
+
+ # DSCP EF for both L3 families; in `inet` tables, `ip` only fires on v4
+ # and `ip6` only on v6.
+ assert "ip dscp set ef" in text
+ assert "ip6 dscp set ef" in text
+
+ # skb->priority class 6:0, set inline alongside DSCP.
+ assert "meta priority set 0006:0000" in text
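Review bot: `text = NFT_MARK_FILE.read_text()` relies on the locale encoding, and the new .nft file's first comment line contains a non-ASCII em dash, so on a host or CI runner with a C/POSIX locale this test raises UnicodeDecodeError rather than checking anything; make it `text = NFT_MARK_FILE.read_text(encoding="utf-8")`. The substring asserts that follow also pass on a ruleset that nft itself would reject (a typo in `0006:0000` or a misplaced `;` survives them), so the rule-level intent is not really verified. If the maintainers want that, a follow-up could add a check gated on `shutil.which("nft")` that runs `nft -c -f` against the file and is skipped where the binary is absent, rather than a second pass of string matching.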