RE: Marking and remarking of incoming traffic

Linux Advanced Routing and Traffic Control

Hi Jon,

Please see (hopefully correct and useful) comments in-line:

> -----Original Message-----
> From: lartc-bounces@xxxxxxxxxxxxxxx [mailto:lartc-bounces@xxxxxxxxxxxxxxx]
> On Behalf Of Flechsenhaar, Jon J
> Sent: Thursday, August 09, 2007 1:16 PM
> To: LARTC@xxxxxxxxxxxxxxx
> Subject: RE:  Marking and remarking of incoming traffic
> 
> It looks like some support for this command is not functioning
> correctly.
> 
>  --set-dscp value              Set DSCP field in packet header to value
>                                This value can be in decimal (ex: 32)
>                                or in hex (ex: 0x20)
>  --set-dscp-class class        Set the DSCP field in packet header to the
>                                value represented by the DiffServ class value.
>                                This class may be EF,BE or any of the
>                                CSxx or AFxx classes.
> 
> Am I typing something wrong here?
> 1.)
> // This works fine
> iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp-class AF31
> 
> 2.)
> // This doesn't work
> iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp 0x20
> ERROR: iptables: Bad rule (does a matching rule exist in that chain?)
> // There is no existing rule
> iptables -t mangle -A FORWARD -p udp --sport 2000 -m iprange --src-range 192.85.3.1 --j DSCP --set-dscp 0x68 // should be equivalent to AF31 above
> ERROR: iptables v1.3.5: DSCP `104` out of range
> // it looks like I should be able to use hex values but it doesn't seem to work

Don't consider the ECN bits when doing this calculation. AF31 looks like
this: 011 010. In hex that would be 0x1a, as it is 26 in decimal notation.
See RFC 2597, section 6, and the iptables man page which (at least in my
case) includes text such as:

" dscp
       This module matches the 6 bit DSCP field within the TOS field in the
       IP header.  DSCP has superseded TOS within the IETF.

       --dscp value
              Match against a numeric (decimal or hex) value [0-32]."

> 
> 3.)
> // doesn't work
> iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp-class CSxx
> // I can't seem to figure out what should go after the Class Selector "CS"

CS3 would probably be the best value to use if you're looking for the
functional equivalent of AF31.

Class Selector PHBs are meant to provide backwards-compatibility with ToS.
There are eight possible values (CS0-CS7). RFC 2474 and the IANA registry
http://www.iana.org/assignments/dscp-registry are good resources for this.

> 
> Any help on this issue would be appreciated.  Thanks.
> 
> Jon Flechsenhaar
> Boeing WNW Team
> Network Services
> (714)-762-1231
> 202-E7
> 
> -----Original Message-----
> From: Tim Enos [mailto:tenos@xxxxxxxxxx]
> Sent: Tuesday, August 07, 2007 7:34 AM
> To: Flechsenhaar, Jon J
> Subject: RE:  Marking and remarking of incoming traffic
> 
> It has convenient keywords (hence the --set-dscp-class option) and
> individual DSCP values that can be set (if memory serves me, they can be
> set in either hex or decimal).
> 
> It might be useful (for the connection-oriented traffic anyhow) to
> (re)mark traffic based upon the setting of the ECN bits. In any case, I
> too was glad to see DSCP could be specified (especially since ceteris
> paribus the DSCP markings of traffic coming into a DS domain are not
> trusted by it).
> 
> > -----Original Message-----
> > From: Flechsenhaar, Jon J [mailto:Jon.J.Flechsenhaar@xxxxxxxxxx]
> > Sent: Monday, August 06, 2007 8:01 PM
> > To: Tim Enos
> > Subject: RE:  Marking and remarking of incoming traffic
> >
> > Thanks.  I saw that command but I was looking at the TOS parameters.
> > Didn't realize that there were also DSCP values.
> >
> >
> > Jon Flechsenhaar
> > Boeing WNW Team
> > Network Services
> > (714)-762-1231
> > 202-E7
> >
> > -----Original Message-----
> > From: Tim Enos [mailto:tenos@xxxxxxxxxx]
> > Sent: Monday, August 06, 2007 4:42 PM
> > To: LARTC@xxxxxxxxxxxxxxx
> > Subject: RE:  Marking and remarking of incoming traffic
> >
> > Hi Jon,
> >
> > You can use iptables to mark/change the DSCP value of an incoming
> > packet on the ingress side. An example is below (where $in_dev can be
> > whatever your input interface is):
> >
> > iptables -t mangle -A FORWARD -i $in_dev -p tcp -m multiport --ports 80 -j DSCP --set-dscp-class BE
> >
> > Basically the above example (re)marks all www traffic (meant to be
> > forwarded through this node) entering via $in_dev to BE.
> >
> > There is a decent (IMO) manpage for iptables (there are too many
> > permutations/combinations of options to list here).
> >
> > > -----Original Message-----
> > > From: lartc-bounces@xxxxxxxxxxxxxxx
> > > [mailto:lartc-bounces@xxxxxxxxxxxxxxx]
> > > On Behalf Of Flechsenhaar, Jon J
> > > Sent: Monday, August 06, 2007 7:08 PM
> > > To: LARTC@xxxxxxxxxxxxxxx
> > > Subject:  Marking and remarking of incoming traffic
> > >
> > > I can use DSMARK to mark on the Egress side.  Is there a way to
> > > mark/change the DSCP value of an incoming packet on the ingress side?
> > > Thanks.
> > >
> > >
> > > Jon Flechsenhaar
> > > Boeing WNW Team
> > > Network Services
> > > (714)-762-1231
> > > 202-E7
> > >
> > > _______________________________________________
> > > LARTC mailing list
> > > LARTC@xxxxxxxxxxxxxxx
> > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >
> 

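The DSCP arithmetic from the reply above (AF31 = 011 010 = 26 = 0x1a, and why 0x68 = 104 is rejected as out of range), as an added example that is not part of the thread: it maps the class names `--set-dscp-class` accepts to the 6-bit value `--set-dscp` expects, and shows that 0x68 is AF31 shifted into the full TOS/DS byte, i.e. with the two ECN bits included. Function names and the range check are this example's own, modelled on the error message quoted in the thread.

```python
import re

DSCP_MAX = 63  # DSCP is a 6-bit field, so --set-dscp only accepts 0..63


def class_to_dscp(name):
    """Map a DiffServ PHB name (BE, EF, CSx, AFxy) to its 6-bit DSCP value."""
    name = name.upper()
    if name in ("BE", "CS0"):
        return 0
    if name == "EF":
        return 0b101110  # 46, RFC 3246
    m = re.fullmatch(r"CS([0-7])", name)
    if m:  # class selector: only the top three bits set, RFC 2474
        return int(m.group(1)) << 3
    m = re.fullmatch(r"AF([1-4])([1-3])", name)
    if m:  # RFC 2597: class in bits 5-3, drop precedence in bits 2-1
        cls, drop = int(m.group(1)), int(m.group(2))
        return (cls << 3) | (drop << 1)
    raise ValueError("unknown DiffServ class: %s" % name)


def dscp_to_tos(dscp, ecn=0):
    """Place a 6-bit DSCP into the 8-bit TOS/DS byte; the low two bits are ECN."""
    if not 0 <= dscp <= DSCP_MAX or not 0 <= ecn <= 3:
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def tos_to_dscp(tos):
    """Recover the 6-bit DSCP from a full TOS/DS byte by dropping the ECN bits."""
    return (tos >> 2) & 0x3F


def parse_set_dscp(value):
    """Parse a decimal or hex --set-dscp argument the way the thread describes.

    Returns the 6-bit value, or None when it would be rejected as out of range
    (the case behind the quoted "DSCP `104' out of range" error).
    """
    n = int(value, 16) if value.lower().startswith("0x") else int(value, 10)
    return n if 0 <= n <= DSCP_MAX else None


if __name__ == "__main__":
    af31 = class_to_dscp("AF31")
    print("AF31 -> %d (0x%02x); as a TOS byte: 0x%02x" % (af31, af31, dscp_to_tos(af31)))
    print("--set-dscp 0x68 ->", parse_set_dscp("0x68"))  # None: 104 is out of range
```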
