From: Flechsenhaar, Jon J
Sent: Monday, August 06, 2007 7:08 PM
To: LARTC@mailman.ds9a.nl
Subject: [LARTC] Marking and remarking of incoming traffic

I can use DSMARK to mark on the Egress side. Is there a way to mark/change the DSCP value of an incoming packet on the ingress side? Thanks.

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7
From: Tim Enos
Sent: Monday, August 06, 2007 4:42 PM
To: LARTC@mailman.ds9a.nl
Subject: RE: [LARTC] Marking and remarking of incoming traffic

Hi Jon,

You can use iptables to mark/change the DSCP value of an incoming packet on the ingress side. An example is below (where $in_dev can be whatever your input interface is):

iptables -t mangle -A FORWARD -i $in_dev -p tcp -m multiport --ports 80 -j DSCP --set-dscp-class BE

Basically the above example (re)marks all www traffic (meant to be forwarded through this node) entering via $in_dev to BE.

There is a decent (IMO) manpage for iptables (there are too many permutations/combinations of options to list here).
From: Flechsenhaar, Jon J
Sent: Thursday, August 09, 2007 10:16 AM
To: LARTC@mailman.ds9a.nl
Subject: RE: [LARTC] Marking and remarking of incoming traffic

It looks like some support for this command is not functioning correctly.

--set-dscp value          Set DSCP field in packet header to value
                          This value can be in decimal (ex: 32)
                          or in hex (ex: 0x20)
--set-dscp-class class    Set the DSCP field in packet header to the
                          value represented by the DiffServ class
                          value. This class may be EF,BE or any of the
                          CSxx or AFxx classes.

Am I typing something wrong here?

1.)
// This works fine
iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp-class AF31

2.)
// This doesn't work
iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp 0x20
ERROR: iptables: Bad rule (does a matching rule exist in that chain?)
// There is no existing rule
iptables -t mangle -A FORWARD -p udp --sport 2000 -m iprange --src-range 192.85.3.1 --j DSCP --set-dscp 0x68   // should be equivalent to AF31 above
ERROR: iptables v1.3.5: DSCP `104` out of range
// it looks like I should be able to use hex values but it doesn't seem to work

3.)
// doesn't work
iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp-class CSxx
// I can't seem to figure out what should go after the Class Selector "CS"

Any help on this issue would be appreciated. Thanks.

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

-----Original Message-----
From: Tim Enos [mailto:tenos@ll.mit.edu]
Sent: Tuesday, August 07, 2007 7:34 AM
To: Flechsenhaar, Jon J
Subject: RE: [LARTC] Marking and remarking of incoming traffic

It has convenient keywords (hence the --set-dscp-class option) and individual DSCP values that can be set (if memory serves me, they can be set in either hex or decimal).

It might be useful (for the connection-oriented traffic anyhow) to (re)mark traffic based upon the setting of the ECN bits. In any case, I too was glad to see DSCP could be specified (especially since ceteris paribus the DSCP markings of traffic coming into a DS domain are not trusted by it).

> -----Original Message-----
> From: Flechsenhaar, Jon J [mailto:Jon.J.Flechsenhaar@boeing.com]
> Sent: Monday, August 06, 2007 8:01 PM
> To: Tim Enos
> Subject: RE: [LARTC] Marking and remarking of incoming traffic
>
> Thanks. I saw that command but I was looking at the TOS parameters.
> Didn't realize that there were also DSCP values.
>
> Jon Flechsenhaar
> Boeing WNW Team
> Network Services
> (714)-762-1231
> 202-E7
From: Flechsenhaar, Jon J
To: LARTC@mailman.ds9a.nl
Subject: RE: [LARTC] Marking and remarking of incoming traffic

UPDATE:

iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp-class CS20

I GOT THIS TO WORK.

10=0x20
20=0x40
30=0x60
40=0x80
50=0xa0
60=0xc0
70=0xe0

I still can't enter a DSCP hex value though. Just the equivalent word value. So AF31 works but 0x68 doesn't.

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7
From: Tim Enos
To: LARTC@mailman.ds9a.nl
Subject: RE: [LARTC] Marking and remarking of incoming traffic

Hi Jon,

Please see (hopefully correct and useful) comments in-line:

> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Flechsenhaar, Jon J
> Sent: Thursday, August 09, 2007 1:16 PM
> To: LARTC@mailman.ds9a.nl
> Subject: RE: [LARTC] Marking and remarking of incoming traffic
>
> It looks like some support for this command is not functioning correctly.
>
> --set-dscp value          Set DSCP field in packet header to value
>                           This value can be in decimal (ex: 32)
>                           or in hex (ex: 0x20)
> --set-dscp-class class    Set the DSCP field in packet header to the
>                           value represented by the DiffServ class
>                           value. This class may be EF,BE or any of the
>                           CSxx or AFxx classes.
>
> Am I typing something wrong here?
> 1.)
> // This works fine
> iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp-class AF31
>
> 2.)
> // This doesn't work
> iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp 0x20
> ERROR: iptables: Bad rule (does a matching rule exist in that chain?)
> // There is no existing rule
> iptables -t mangle -A FORWARD -p udp --sport 2000 -m iprange --src-range 192.85.3.1 --j DSCP --set-dscp 0x68   // should be equivalent to AF31 above
> ERROR: iptables v1.3.5: DSCP `104` out of range
> // it looks like I should be able to use hex values but it doesn't seem to work

Don't consider the ECN bits when doing this calculation. AF31 looks like this: 011 010. In hex that would be 0x1a, as it is 26 in decimal notation. See RFC 2597, section 6, and the iptables man page which (at least in my case) includes text such as:

"
dscp
    This module matches the 6 bit DSCP field within the TOS field in the IP header. DSCP has superseded TOS within the IETF.

    --dscp value
        Match against a numeric (decimal or hex) value [0-32].
"

> 3.)
> // doesn't work
> iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp-class CSxx
> // I can't seem to figure out what should go after the Class Selector "CS"

CS3 would probably be the best value to use if you're looking for the functional equivalent of AF31. Class Selector PHBs are meant to provide backwards-compatibility with ToS. There are eight possible values (CS0-CS7). RFC 2474 and the IANA registry http://www.iana.org/assignments/dscp-registry are good resources for this.

> Any help on this issue would be appreciated. Thanks.
>
> Jon Flechsenhaar
> Boeing WNW Team
> Network Services
> (714)-762-1231
> 202-E7
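The arithmetic behind the errors in this thread, as an added Python example that is not part of the list thread: the --set-dscp argument is the 6-bit codepoint, so AF31 is 26 (0x1a), while 0x68 is the whole DS byte (26 << 2), which is why iptables reports 104 as out of range; the 0x20, 0x40 ... 0xe0 values listed in the UPDATE are likewise the DS bytes of CS1 through CS7. The class-name parser and the range check below are written from RFC 2474, 2597 and 3246 and are not iptables' own code; the hint text in the error message is an addition of mine.

```python
import re


def dscp_class_to_codepoint(name):
    """Map a DiffServ class name (BE, EF, CSn, AFxy) to its 6-bit codepoint."""
    name = name.upper()
    if name == "BE":
        return 0                                  # default PHB, 000000
    if name == "EF":
        return 46                                 # RFC 3246, 101110
    m = re.fullmatch(r"CS([0-7])", name)
    if m:                                         # RFC 2474: class selector xxx000
        return int(m.group(1)) << 3
    m = re.fullmatch(r"AF([1-4])([1-3])", name)
    if m:                                         # RFC 2597: class in bits 5-3, drop precedence in bits 2-1
        return (int(m.group(1)) << 3) | (int(m.group(2)) << 1)
    raise ValueError("unknown DiffServ class: %s" % name)


def codepoint_to_ds_byte(dscp, ecn=0):
    """The DS (ex-TOS) byte as it sits in the IPv4 header: DSCP in the top 6 bits, ECN in the low 2."""
    if not (0 <= dscp <= 63 and 0 <= ecn <= 3):
        raise ValueError("DSCP must be 0-63 and ECN 0-3")
    return (dscp << 2) | ecn


def ds_byte_to_codepoint(tos):
    """Split a captured DS/TOS byte into (dscp, ecn); 0x68 from the thread is AF31 with ECN 0."""
    return tos >> 2, tos & 0x3


def check_set_dscp_arg(text):
    """Mimic the range check iptables applies to --set-dscp (decimal or hex, 0-63).
    Returns (True, value) on success or (False, message) on failure."""
    value = int(text, 0)                          # '26' and '0x1a' both parse, as in iptables
    if not 0 <= value <= 63:
        hint = ""
        if 64 <= value <= 255 and value & 0x3 == 0:   # constructed hint: looks like a full DS byte
            hint = " (looks like a full DS byte; the 6-bit codepoint is 0x%02x)" % (value >> 2)
        return False, "DSCP `%d' out of range%s" % (value, hint)
    return True, value


if __name__ == "__main__":
    for cls in ("BE", "CS1", "CS3", "AF31", "EF"):
        cp = dscp_class_to_codepoint(cls)
        print("%-5s codepoint %2d (0x%02x)  DS byte 0x%02x" % (cls, cp, cp, codepoint_to_ds_byte(cp)))
    for arg in ("0x68", "0x1a", "26"):            # the values tried in the thread
        print(arg, "->", check_set_dscp_arg(arg))
```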