cronekorkn/left4me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(deploy): nftables uid-based DSCP-EF + skb-priority marking for srcds

Browse source 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
mwiegand 2026-05-10 00:32:53 +02:00
parent e822e9fbc7
commit 076bfb72ca
No known key found for this signature in database
2 changed files with 35 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
deploy/files/usr/local/lib/left4me/nft/left4me-mark.nft Normal file
View file

@ -0,0 +1,12 @@
# left4me — uid-based DSCP/priority marking for srcds UDP egress.
# Loaded by left4me-nft-mark.service into its own `inet` table so it cannot
# conflict with whatever the operator already runs in /etc/nftables.conf.
# See docs/superpowers/specs/2026-05-10-l4d2-network-shaping-design.md.
table inet left4me_mark {
chain mangle_output {
type filter hook output priority mangle; policy accept;
meta skuid "left4me" meta l4proto udp ip dscp set ef meta priority set 0006:0000
meta skuid "left4me" meta l4proto udp ip6 dscp set ef meta priority set 0006:0000
}
}

23
deploy/tests/test_deploy_artifacts.py
View file

@ -24,6 +24,7 @@ SUDOERS = DEPLOY / "files/etc/sudoers.d/left4me"
HOST_ENV = DEPLOY / "templates/etc/left4me/host.env" HOST_ENV = DEPLOY / "templates/etc/left4me/host.env"
WEB_ENV_TEMPLATE = DEPLOY / "templates/etc/left4me/web.env.template" WEB_ENV_TEMPLATE = DEPLOY / "templates/etc/left4me/web.env.template"
DEPLOY_SCRIPT = DEPLOY / "deploy-test-server.sh" DEPLOY_SCRIPT = DEPLOY / "deploy-test-server.sh"
NFT_MARK_FILE = DEPLOY / "files/usr/local/lib/left4me/nft/left4me-mark.nft"
def test_global_unit_files_exist_at_product_level_paths(): def test_global_unit_files_exist_at_product_level_paths():
@ -712,3 +713,25 @@ def test_script_sandbox_helper_dry_run_mode(tmp_path):
# verify the dry-run guard short-circuits before systemd-run / bwrap. # verify the dry-run guard short-circuits before systemd-run / bwrap.
assert 'LEFT4ME_SCRIPT_SANDBOX_DRY_RUN' in helper_text assert 'LEFT4ME_SCRIPT_SANDBOX_DRY_RUN' in helper_text
assert 'exit 0' in helper_text assert 'exit 0' in helper_text
def test_nft_mark_file_marks_left4me_udp_with_dscp_ef_and_priority():
assert NFT_MARK_FILE.is_file()
text = NFT_MARK_FILE.read_text()
# Own table in the inet family so it cannot conflict with operator nftables config.
assert "table inet left4me_mark" in text
assert "chain mangle_output" in text
assert "type filter hook output priority mangle" in text
# Match by uid (every srcds runs as `left4me`) restricted to UDP.
assert 'meta skuid "left4me"' in text
assert "meta l4proto udp" in text
# DSCP EF for both L3 families; in `inet` tables, `ip` only fires on v4
# and `ip6` only on v6.
assert "ip dscp set ef" in text
assert "ip6 dscp set ef" in text
# skb->priority class 6:0, set inline alongside DSCP.
assert "meta priority set 0006:0000" in text