Isn't it possible with iptables to filter on DSCP field?

Thanks,
Tom Aernoudt

On Tue, 23 Jan 2001, Tom Aernoudt wrote:
> Isn't it possible with iptables to filter on DSCP field?

I don't know, but I think this is more a question for the Netfilter list. You can find more info about netfilter on: http://netfilter.kernelnotes.org

Regards.

On Tue, Jan 23, 2001 at 01:59:00PM +0100, Tom Aernoudt wrote:
> Isn't it possible with iptables to filter on DSCP field?

Why don't you ask this question on the iptables/netfilter mailing list?

Anyway, answer is: No.

Not because the framework isn't capable of that. Just because nobody implemented a match yet.

> Thanks,
> Tom Aernoudt

--
Live long and prosper
- Harald Welte / laforge@gnumonks.org http://www.gnumonks.org

Talking about DSCP field...

iptables is said to provide all the features of ipchains and something more and better organized, but with ipchains I was able to set all the DSCP values in the TOS field, with iptables it seems this is no more possible, only few values are permitted.

For example:

> iptables -t mangle -A PREROUTING -s 10.0.0.2 -j TOS --set-tos 0xb8

gives me:

iptables v1.1.2:Bad TOS value '0xb8'

Am I doing something wrong?

Thank you
Regards,
Giovanna Pavarani

On Fri, 2 Feb 2001, Pavarani Giovanna wrote:
> Talking about DSCP field...
>
> iptables is said to provide all the features of ipchains and something more and
> better organized, but with ipchains I was able to set all the DSCP values
> in the TOS field, with iptables it seems this is no more possible, only few
> values are permitted.
>
> For example:
>
> > iptables -t mangle -A PREROUTING -s 10.0.0.2 -j TOS --set-tos 0xb8
>
> gives me:
>
> iptables v1.1.2:Bad TOS value '0xb8'
>
> Am I doing something wrong?

Yes. You need to specify two values, one and-mask and one or-mask, IIRC. The new value will be the old value anded with your and-mask and then or-ed with your or-mask.

Doei, Arthur.

--
  /\    / | arthurvl@sci.kun.nl           | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching

On Fri, 2 Feb 2001, Pavarani Giovanna wrote:
> Talking about DSCP field...
>
> iptables is said to provide all the features of ipchains and something more and
> better organized, but with ipchains I was able to set all the DSCP values
> in the TOS field, with iptables it seems this is no more possible, only few
> values are permitted.
>
> For example:
>
> > iptables -t mangle -A PREROUTING -s 10.0.0.2 -j TOS --set-tos 0xb8
>
> gives me:
>
> iptables v1.1.2:Bad TOS value '0xb8'
>
> Am I doing something wrong?

Nope. Look into linux/ip.h as all the "legal" values are defined there and maintained there.

I hacked on TOS to make the FTOS module available through the patch-o-matic. FTOS will allow you to set any value between 0-255 into the DSCP field. But it will not check if a value already exists. The syntax is:

iptables -t mangle -A PREROUTING -s 10.0.0.2 -j FTOS --set-ftos 0xab

If all you are looking to do is set the field to any value that will work - also works in the POSTROUTING chain for outgoing.

Enjoy.

> Thank you
> Regards,
> Giovanna Pavarani

--------------------------------------------------
Matthew G. Marsh, President
Paktronix Systems LLC
1506 North 59th Street
Omaha NE 68104
Phone: (402) 932-7250
Email: mgm@paktronix.com
WWW: http://www.paktronix.com
--------------------------------------------------
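
Added example, not part of the original thread and not netfilter or patch-o-matic code: shell helpers that decode the TOS/DS byte discussed above, check it against the classic TOS values from linux/ip.h, and apply the and-mask/or-mask rewrite described in the thread. The function names and the `LEGAL_TOS` list are assumptions made for illustration; 0xb8 is the value from the rejected `--set-tos` command.

```shell
#!/bin/sh
# Assumed set of "legal" values: the TOS constants named in linux/ip.h
# (IPTOS_MINCOST 0x02, IPTOS_RELIABILITY 0x04, IPTOS_THROUGHPUT 0x08,
# IPTOS_LOWDELAY 0x10) plus 0x00 for normal service.
LEGAL_TOS="0x00 0x02 0x04 0x08 0x10"

# DSCP is the upper six bits of the byte, ECN the lower two.
dscp_of() { echo $(( ($1 >> 2) & 0x3f )); }
ecn_of()  { echo $(( $1 & 0x03 )); }

# Build the byte for a DSCP code point (0-63), leaving the ECN bits zero.
tos_from_dscp() {
    if [ "$1" -lt 0 ] || [ "$1" -gt 63 ]; then
        echo "dscp out of range: $1" >&2
        return 1
    fi
    printf '0x%02x\n' $(( $1 << 2 ))
}

# Return 0 if the byte is one of the classic TOS values, 1 otherwise.
is_legal_tos() {
    for v in $LEGAL_TOS; do
        [ $(( $1 )) -eq $(( $v )) ] && return 0
    done
    return 1
}

# and-mask / or-mask rewrite as described in the thread:
# new = (old AND and_mask) OR or_mask
apply_masks() { printf '0x%02x\n' $(( ($1 & $2) | $3 )); }

# Report on one byte: its DSCP and ECN parts and whether it is a classic TOS value.
describe_tos() {
    if is_legal_tos "$1"; then kind="classic TOS value"; else kind="not a classic TOS value"; fi
    echo "$1: dscp=$(dscp_of "$1") ecn=$(ecn_of "$1") ($kind)"
}
```

Running `describe_tos 0xb8` shows the byte carries DSCP 46 with ECN 0 and is not one of the classic TOS values, which matches the "Bad TOS value" rejection quoted in the thread.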