What does `ipt_setup` do exactly?

[salim-b]

Hey @ricsc, thanks a lot for making your nss.qos script available via this repo.

While trying to find a reasonable SQM config on @ACwifidude's NSS build of OpenWrt (22.03 Stable), I compared your nss.qos script with @ACwifidude's configuration instructions and now I'm wondering:

What does ipt_setup exactly do?

sqm-scripts/src/nss.qos

Lines 20 to 50 in 4f3492a

	ipt_setup() {
	IFACE=eth0
	ipt -t mangle -N QOS_MARK_${IFACE}
	ipt -t mangle -A QOS_MARK_${IFACE} -j MARK --set-mark 0x2/${IPT_MASK}
	ipt -t mangle -A QOS_MARK_${IFACE} -m dscp --dscp-class CS1 -j MARK --set-mark 0x3/${IPT_MASK}
	ipt -t mangle -A QOS_MARK_${IFACE} -m dscp --dscp-class CS6 -j MARK --set-mark 0x1/${IPT_MASK}
	ipt -t mangle -A QOS_MARK_${IFACE} -m dscp --dscp-class EF -j MARK --set-mark 0x1/${IPT_MASK}
	ipt -t mangle -A QOS_MARK_${IFACE} -m dscp --dscp-class AF42 -j MARK --set-mark 0x1/${IPT_MASK}
	ipt -t mangle -A QOS_MARK_${IFACE} -m tos --tos Minimize-Delay -j MARK --set-mark 0x1/${IPT_MASK}
	# Turn it on. Preserve classification if already performed
	#
	#sm: is it correct to do this in $IFACE? Should ingress not be on $DEV? since HTB acts on $DEV?
	#
	# ZERO also does not work on $DEV (that is the IFB will still see the
	# incoming ToS bits whether we squash or not)
	#
	# ZERO is still useful to protect internal machines...
	if [ "$ZERO_DSCP_INGRESS" = "1" ]; then
	sqm_debug "Squashing differentiated services code points (DSCP) from ingress."
	ipt -t mangle -I PREROUTING -i $IFACE -m dscp ! --dscp 0 -j DSCP --set-dscp-class be
	else
	sqm_debug "Keeping differentiated services code points (DSCP) from ingress."
	ipt -t mangle -A PREROUTING -i $IFACE -m mark --mark 0x00/${IPT_MASK} -g QOS_MARK_${IFACE}
	fi
	ipt -t mangle -A POSTROUTING -o $IFACE -m mark --mark 0x00/${IPT_MASK} -g QOS_MARK_${IFACE}
	ipt -t mangle -A OUTPUT -p udp -m multiport --ports 123,53 -j DSCP --set-dscp-class AF42
	}

Or asked differently: What are potential drawbacks if we set up SQM without these iptables rules?