RE: Marking and remarking of incoming traffic


It looks like some support for this command is not functioning
correctly.  

  --set-dscp value              Set DSCP field in packet header to value
                                This value can be in decimal (ex: 32)
                                or in hex (ex: 0x20)
  --set-dscp-class class        Set the DSCP field in packet header to the
                                value represented by the DiffServ class value.
                                This class may be EF,BE or any of the CSxx
                                or AFxx classes.

Am I typing something wrong here?
1.)
// This works fine
iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp-class AF31

2.)
//This doesn't work
iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp 0x20
ERROR: iptables: Bad rule (does a matching rule exist in that chain?)
// There is no existing rule
iptables -t mangle -A FORWARD -p udp --sport 2000 -m iprange --src-range 192.85.3.1 --j DSCP --set-dscp 0x68 //should be equivalent to AF31 above
ERROR: iptables v1.3.5: DSCP `104` out of range
// it looks like I should be able to use hex values but it doesn't seem to work

3.)
//doesn't work
iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp-class CSxx
// I can't seem to figure out what should go after the Class Selector "CS"

Any help on this issue would be appreciated.  Thanks.  

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

-----Original Message-----
From: Tim Enos [mailto:tenos@xxxxxxxxxx] 
Sent: Tuesday, August 07, 2007 7:34 AM
To: Flechsenhaar, Jon J
Subject: RE:  Marking and remarking of incoming traffic

It has convenient keywords (hence the --set-dscp-class option) and
individual DSCP values that can be set (if memory serves me, they can be
set in either hex or decimal).

It might be useful (for the connection-oriented traffic anyhow) to
(re)mark traffic based upon the setting of the ECN bits. In any case, I
too was glad to see DSCP could be specified (especially since ceteris
paribus the DSCP markings of traffic coming into a DS domain are not
trusted by it).

> -----Original Message-----
> From: Flechsenhaar, Jon J [mailto:Jon.J.Flechsenhaar@xxxxxxxxxx]
> Sent: Monday, August 06, 2007 8:01 PM
> To: Tim Enos
> Subject: RE:  Marking and remarking of incoming traffic
> 
> Thanks.  I saw that command but I was looking at the TOS parameters.
> Didn't realize that there were also DSCP values.
> 
> 
> Jon Flechsenhaar
> Boeing WNW Team
> Network Services
> (714)-762-1231
> 202-E7
> 
> -----Original Message-----
> From: Tim Enos [mailto:tenos@xxxxxxxxxx]
> Sent: Monday, August 06, 2007 4:42 PM
> To: LARTC@xxxxxxxxxxxxxxx
> Subject: RE:  Marking and remarking of incoming traffic
> 
> Hi Jon,
> 
> You can use iptables to mark/change the DSCP value of an incoming 
> packet on the ingress side. An example is below (where $in_dev can be 
> whatever your input interface is):
> 
> iptables -t mangle -A FORWARD -i $in_dev -p tcp -m multiport --ports 80 -j DSCP --set-dscp-class BE
> 
> Basically the above example (re)marks all www traffic (meant to be 
> forwarded through this node) entering via $in_dev to BE.
> 
> There is a decent (IMO) manpage for iptables (there are too many 
> permutations/combinations of options to list here).
> 
> > -----Original Message-----
> > From: lartc-bounces@xxxxxxxxxxxxxxx
> > [mailto:lartc-bounces@xxxxxxxxxxxxxxx]
> > On Behalf Of Flechsenhaar, Jon J
> > Sent: Monday, August 06, 2007 7:08 PM
> > To: LARTC@xxxxxxxxxxxxxxx
> > Subject:  Marking and remarking of incoming traffic
> >
> > I can use DSMARK to mark on the Egress side.  Is there a way to
> > mark/change the DSCP value of an incoming packet on the ingress side?
> > Thanks.
> >
> >
> > Jon Flechsenhaar
> > Boeing WNW Team
> > Network Services
> > (714)-762-1231
> > 202-E7
> >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@xxxxxxxxxxxxxxx
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> 

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
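
An added example, not part of the original thread: DSCP is the upper six bits of the old TOS byte, so a value given to `--set-dscp` must be 0 to 63, and 0x68 is AF31 written as a full TOS byte (AF31 as a DSCP is 26, 0x1a). The helper names below are hypothetical; they map the class keywords (BE, EF, CS0-CS7, AFxy) to numeric code points and check a value before it goes into a rule.

```shell
#!/bin/sh
# Added example: DSCP class name / numeric value helpers.
# Function names are hypothetical; nothing here calls iptables.

# Print the 6-bit DSCP (decimal) for BE, EF, CS0-CS7 or AFxy (x=1-4, y=1-3).
dscp_of_class() {
    case "$1" in
        BE) echo 0 ;;
        EF) echo 46 ;;
        CS[0-7]) echo $(( ${1#CS} * 8 )) ;;          # class selector n -> n*8
        AF[1-4][1-3])
            x=${1#AF}; y=${x#?}; x=${x%?}            # AF31 -> x=3, y=1
            echo $(( x * 8 + y * 2 )) ;;
        *) echo "unknown class: $1" >&2; return 1 ;;
    esac
}

# Validate a value meant for --set-dscp: decimal or 0x-prefixed hex, 0-63.
# Prints the value in decimal on success, returns 1 otherwise.
check_dscp() {
    case "$1" in
        0[xX]?*) case "${1#0[xX]}" in *[!0-9a-fA-F]*) return 1 ;; esac ;;
        0|[1-9]*) case "$1" in *[!0-9]*) return 1 ;; esac ;;
        *) return 1 ;;
    esac
    v=$(( $1 ))
    [ "$v" -le 63 ] || { echo "DSCP $v out of range (max 63)" >&2; return 1; }
    echo "$v"
}

# Convert a full TOS/DS byte (e.g. 0x68) to the DSCP held in its top six bits.
dscp_from_tos_byte() {
    echo $(( ($1 & 0xff) >> 2 ))
}

# Constructed sample: print each class with the value --set-dscp would take.
for c in BE CS1 CS4 CS7 AF31 EF; do
    d=$(dscp_of_class "$c")
    printf '%-5s dscp=%-3s hex=0x%02x tos-byte=0x%02x\n' \
        "$c" "$d" "$d" $(( d << 2 ))
done
```
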

