Hello all,

I'd like to use DSCP marking on incoming packets and since I'm using Shorewall, I thought of making an addition. I must say I haven't tried DSCP marking yet, but it looks supported by Netfilter using a dedicated DSCP target for quite some time, e.g.:

    iptables -t mangle -A FORWARD -p tcp --dport 80 -j DSCP --set-dscp 1

So, in order to size the task at hand I thought about asking here if anyone has already tried adding DSCP before and if so, what was the experience? Or any other background information on marking packets in such a way.

Thanks for any suggestion/hint/info.
On Mon, Apr 27, 2009 at 10:32:05AM -0700, Fred Picher wrote:
> I'd like to use DSCP marking on incoming packets and since I'm using Shorewall, I thought of making an addition. I must say I haven't tried DSCP marking yet, but it looks supported by Netfilter using a dedicated DSCP target for quite some time.
> 
> e.g.:
> 
> iptables -t mangle -A FORWARD -p tcp --dport 80 -j DSCP --set-dscp 1
> 
> So, in order to size the task at hand I thought about asking here if anyone has already tried adding DSCP before and if so, what was the experience? Or any other background information on marking packets in such a way.
> 
> Thanks for any suggestion/hint/info.

We were about to try and add the same thing here. We haven't looked into where in shorewall it would fit yet.

I figure being able to make rules that mark the DSCP/tos field on incoming packets before any tc rules are applied, as well as marking outbound packets based on how tc rules marked the packets would both be useful.

-- 
Len Sorensen
Lennart Sorensen wrote:
> On Mon, Apr 27, 2009 at 10:32:05AM -0700, Fred Picher wrote:
>> I'd like to use DSCP marking on incoming packets and since I'm using Shorewall, I thought of making an addition. I must say I haven't tried DSCP marking yet, but it looks supported by Netfilter using a dedicated DSCP target for quite some time.
>> 
>> e.g.:
>> 
>> iptables -t mangle -A FORWARD -p tcp --dport 80 -j DSCP --set-dscp 1
>> 
>> So, in order to size the task at hand I thought about asking here if anyone has already tried adding DSCP before and if so, what was the experience? Or any other background information on marking packets in such a way.
>> 
>> Thanks for any suggestion/hint/info.
> 
> We were about to try and add the same thing here. We haven't looked
> into where in shorewall it would fit yet.
> 
> I figure being able to make rules that mark the DSCP/tos field on incoming
> packets before any tc rules are applied, as well as marking outbound
> packets based on how tc rules marked the packets would both be useful.

I think that the logical approach is to clone the current /etc/shorewall/tos file handling (or modify it to set the entire DSCP field rather than just the TOS).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Mon, Apr 27, 2009 at 11:41:19AM -0700, Tom Eastep wrote:
> I think that the logical approach is to clone the current
> /etc/shorewall/tos file handling (or modify it to set the entire DSCP
> field rather than just the TOS).

As part of this, would this addition be useful for shorewall 4.3.x:

Adds support for matching in tcrules on dscp marks using -m dscp target of iptables. Against latest git (also fixed a typo from when I sent the tos patch for shorewall-perl quite a while ago in the comment of do_tos).

After all tcclasses already supports arbitrary tos byte values, while tcrules only supports the 5 fixed tos values. Adding a new column to the end of tcrules for dscp target matching should be fully backwards compatible with existing configs (even though having it next to TOS would have been nice, but not worth it).

dscp can either be the numerical value (0-32 I believe), or a diffserv name (CS0-CS7, BE, AF[1-4][1-3], EF).

Does this look acceptable? Adding a mangle target for dscp is going to be a bit more work of course.

I did NOT test this patch. I have a variant against 4.0.15 which I tested and it nicely creates rules in iptables. It is almost the same though just varying due to the differences between 4.0 and the git tree.

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 95e4725..8857e71 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -133,6 +133,7 @@ our %EXPORT_TAGS = ( do_tos do_connbytes do_helper + do_dscp match_source_dev match_dest_dev iprange_match @@ -1740,7 +1741,16 @@ sub do_helper( $ ) { } # -# Create a "-m length" match for the passed TOS +# Create a "-m dscp" match for the passed DSCP +# +sub do_dscp( $ ) { + my $dscp = $_[0]; + + $dscp ne ''-'' ? ( $dscp =~ /^[ABCE]/ ? "-m dscp --dscp-class $dscp " : "-m dscp --dscp $dscp ") : ''''; +} + +# +# Create a "-m length" match for the passed LENGTH # sub do_length( $ ) { my $length = $_[0];
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 4923bb2..77c06b5 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -220,7 +220,7 @@ INIT { } sub process_tc_rule( ) { - my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, ''tcrules file''; + my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes, $helper, $dscp ) = split_line1 2, 13, ''tcrules file''; if ( $originalmark eq ''COMMENT'' ) { process_comment; @@ -386,7 +386,8 @@ sub process_tc_rule( ) { do_length( $length ) . do_tos( $tos ) . do_connbytes( $connbytes ) . - do_helper( $helper ), + do_helper( $helper ) . + do_dscp( $dscp ), $source , $dest , '''' ,

-- 
Len Sorensen
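Review bot: in the Chains.pm hunk, do_dscp hands the column to iptables unchecked: the `/^[ABCE]/` test only inspects the first letter, so any token beginning with A, B, C or E is emitted as `--dscp-class` and everything else, including a number outside the six-bit DSCP range 0-63, as `--dscp`, and a typo in the tcrules file then fails at iptables load time rather than as a Shorewall compile-time error naming the offending line. Suggest validating the name against the full syntax listed in the description (CS0-CS7, BE, AF[1-4][1-3], EF) and the numeric form against 0-63 before building the match. The do_length comment correction in the same hunk is unrelated to DSCP and would be easier to review as its own change.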
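Review bot: in the first Tc.pm hunk, split_line1 is widened from 12 to 13 columns, so the backwards-compatibility claim in the description rests on split_line1 padding a missing trailing column with '-' (which do_dscp treats as "no match") for existing 12-column files; that assumption should be confirmed and stated in the commit message. The hunk also leaves the tcrules column list, the shorewall-tcrules and shorewall6-tcrules manpages and the traffic shaping documentation untouched, so the new column is undiscoverable without reading the source.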
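Review bot: in the second Tc.pm hunk, `do_dscp( $dscp )` is appended after `do_tos( $tos )`, so a line that fills both columns emits a `-m tos` and a `-m dscp` match against the same byte: DSCP is the upper six bits of the TOS byte, so the two can contradict each other and silently yield a rule that never matches. Either reject a line that sets both, or fold DSCP into the TOS column as a value/mask, which is the approach Tom settles on later in this thread.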
Just a resend of this. I would still find this useful. Any thoughts on it?

-- 
Len Sorensen

On Thu, May 07, 2009 at 04:40:48PM -0400, Lennart Sorensen wrote:
> On Mon, Apr 27, 2009 at 11:41:19AM -0700, Tom Eastep wrote:
> > I think that the logical approach is to clone the current
> > /etc/shorewall/tos file handling (or modify it to set the entire DSCP
> > field rather than just the TOS).
> 
> As part of this, would this addition be useful for shorewall 4.3.x:
> 
> Adds support for matching in tcrules on dscp marks using -m dscp target
> of iptables. Against latest git (also fixed a typo from when I sent the
> tos patch for shorewall-perl quite a while ago in the comment of do_tos).
> 
> After all tcclasses already supports arbitrary tos byte values, while
> tcrules only supports the 5 fixed tos values. Adding a new column to
> the end of tcrules for dscp target matching should be fully backwards
> compatible with existing configs (even though having it next to TOS
> would have been nice, but not worth it).
> 
> dscp can either be the numerical value (0-32 I believe), or a diffserv
> name (CS0-CS7, BE, AF[1-4][1-3], EF).
> 
> Does this look acceptable? Adding a mangle target for dscp is going to
> be a bit more work of course.
> 
> I did NOT test this patch. I have a variant against 4.0.15 which I
> tested and it nicely creates rules in iptables. It is almost the same
> though just varying due to the differences between 4.0 and the git tree.
> 
> diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm > index 95e4725..8857e71 100644 > --- a/Shorewall/Perl/Shorewall/Chains.pm > +++ b/Shorewall/Perl/Shorewall/Chains.pm > @@ -133,6 +133,7 @@ our %EXPORT_TAGS = ( > do_tos > do_connbytes > do_helper > + do_dscp > match_source_dev > match_dest_dev > iprange_match
> @@ -1740,7 +1741,16 @@ sub do_helper( $ ) { > } > > # > -# Create a "-m length" match for the passed TOS > +# Create a "-m dscp" match for the passed DSCP > +# > +sub do_dscp( $ ) { > + my $dscp = $_[0]; > + > + $dscp ne ''-'' ? ( $dscp =~ /^[ABCE]/ ? "-m dscp --dscp-class $dscp " : "-m dscp --dscp $dscp ") : ''''; > +} > + > +# > +# Create a "-m length" match for the passed LENGTH > # > sub do_length( $ ) { > my $length = $_[0]; > diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm > index 4923bb2..77c06b5 100644 > --- a/Shorewall/Perl/Shorewall/Tc.pm > +++ b/Shorewall/Perl/Shorewall/Tc.pm > @@ -220,7 +220,7 @@ INIT { > } > > sub process_tc_rule( ) { > - my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, ''tcrules file''; > + my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes, $helper, $dscp ) = split_line1 2, 13, ''tcrules file''; > > if ( $originalmark eq ''COMMENT'' ) { > process_comment; 
> @@ -386,7 +386,8 @@ sub process_tc_rule( ) { > do_length( $length ) . > do_tos( $tos ) . > do_connbytes( $connbytes ) . > - do_helper( $helper ), > + do_helper( $helper ) . > + do_dscp( $dscp ), > $source , > $dest , > '''' , > > -- > Len Sorensen
Lennart Sorensen wrote:
> After all tcclasses already supports arbitrary tos byte values, while
> tcrules only supports the 5 fixed tos values.

That is completely untrue. The TOS column can contain a <numeric-value>[/<mask>] just as the tcclasses file can. The optional <mask> is currently undocumented, unfortunately.

> Adding a new column to
> the end of tcrules for dscp target matching should be fully backwards
> compatible with existing configs (even though having it next to TOS
> would have been nice, but not worth it).
> 
> dscp can either be the numerical value (0-32 I believe), or a diffserv
> name (CS0-CS7, BE, AF[1-4][1-3], EF).
> 
> Does this look acceptable? Adding a mangle target for dscp is going to
> be a bit more work of course.
> 
> I did NOT test this patch. I have a variant against 4.0.15 which I
> tested and it nicely creates rules in iptables. It is almost the same
> though just varying due to the differences between 4.0 and the git tree.

The problem with patches like this that only worry about the code is that they are incomplete.

- The patch doesn't update Shorewall/configfiles/tcrules
- The patch doesn't update manpages/shorewall-tcrules.xml
- The patch doesn't update manpages6/shorewall6-tcrules.xml
- The patch doesn't update docs/traffic_shaping.xml

So when I get a patch like this, I'm not very enthusiastic to merge it right into my tree. Especially this one which largely duplicates a function that is already available (given that the DSCP field is a sub-field of the TOS byte).

-Tom
Tom Eastep wrote:
> Lennart Sorensen wrote:
> 
>> After all tcclasses already supports arbitrary tos byte values, while
>> tcrules only supports the 5 fixed tos values.
> 
> That is completely untrue. The TOS column can contain a
> <numeric-value>[/<mask>] just as the tcclasses file can. The optional
> <mask> is currently undocumented, unfortunately.
> 
>> Adding a new column to
>> the end of tcrules for dscp target matching should be fully backwards
>> compatible with existing configs (even though having it next to TOS
>> would have been nice, but not worth it).
>> 
>> dscp can either be the numerical value (0-32 I believe), or a diffserv
>> name (CS0-CS7, BE, AF[1-4][1-3], EF).
>> 
>> Does this look acceptable? Adding a mangle target for dscp is going to
>> be a bit more work of course.
>> 
>> I did NOT test this patch. I have a variant against 4.0.15 which I
>> tested and it nicely creates rules in iptables. It is almost the same
>> though just varying due to the differences between 4.0 and the git tree.
> 
> The problem with patches like this that only worry about the code is
> that they are incomplete.
> 
> - The patch doesn't update Shorewall/configfiles/tcrules
> - The patch doesn't update manpages/shorewall-tcrules.xml
> - The patch doesn't update manpages6/shorewall6-tcrules.xml
> - The patch doesn't update docs/traffic_shaping.xml
> 
> So when I get a patch like this, I'm not very enthusiastic to merge it
> right into my tree. Especially this one which largely duplicates a
> function that is already available (given that the DSCP field is a
> sub-field of the TOS byte).

I've taken a look at this and it appears to me that specifying both DSCP and TOS in a single rule is pointless. So I've put together a change that lets a single TOS column handle both. It will be included in Beta 3.

-Tom
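The "DSCP is a sub-field of the TOS byte" point in working form, as an added example that is not Shorewall code and not anyone's patch from this thread: it maps the DiffServ class names Len lists to their codepoints and shows the -m tos value/mask match equivalent to -m dscp --dscp-class, which is why one TOS column can carry both. The tos_column_to_match function and the column syntax it accepts are my assumption for illustration, not Shorewall's actual parser.

```python
"""DSCP class names as equivalent "-m tos value/mask" matches.

DSCP (RFC 2474) occupies the upper six bits of the IPv4 TOS byte; the low
two bits are ECN.  So any "-m dscp --dscp-class NAME" match can be written
as "-m tos --tos (codepoint << 2)/0xfc", which is what lets a single TOS
column express both kinds of value.
"""
import re

DSCP_SHIFT = 2                   # DSCP sits in bits 7..2 of the TOS byte
DSCP_MASK = 0x3F << DSCP_SHIFT   # 0xfc: ignore the two ECN bits


def dscp_class_value(name):
    """Codepoint for a DiffServ class name (CS0-CS7, BE, AF[1-4][1-3], EF).

    CSn = 8n, AFxy = 8x + 2y, EF = 46, BE = CS0 = 0.  Anything else is an
    error here rather than being passed through to iptables unchecked.
    """
    name = name.upper()
    if name == "BE":
        return 0
    if name == "EF":
        return 46
    m = re.fullmatch(r"CS([0-7])", name)
    if m:
        return 8 * int(m.group(1))
    m = re.fullmatch(r"AF([1-4])([1-3])", name)
    if m:
        return 8 * int(m.group(1)) + 2 * int(m.group(2))
    raise ValueError("unknown DSCP class: %r" % name)


def dscp_to_tos_match(dscp):
    """The -m tos match equivalent to "-m dscp --dscp <dscp>" (0..63)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63, got %r" % dscp)
    return "-m tos --tos 0x%02x/0x%02x" % (dscp << DSCP_SHIFT, DSCP_MASK)


def _tos_number(text):
    """Parse a decimal or 0x-prefixed hex TOS value or mask (0..255)."""
    value = int(text, 16) if text.lower().startswith("0x") else int(text)
    if not 0 <= value <= 0xFF:
        raise ValueError("TOS value/mask out of range: %r" % text)
    return value


def tos_column_to_match(column):
    """Hypothetical TOS column accepting '-', <value>[/<mask>] or a DSCP class.

    Returns the iptables match fragment for the column; '' means no match.
    """
    if column == "-":
        return ""
    m = re.fullmatch(r"(0x[0-9a-fA-F]+|[0-9]+)(?:/(0x[0-9a-fA-F]+|[0-9]+))?",
                     column)
    if m:
        value = _tos_number(m.group(1))
        mask = _tos_number(m.group(2)) if m.group(2) else 0xFF
        return "-m tos --tos 0x%02x/0x%02x" % (value, mask)
    return dscp_to_tos_match(dscp_class_value(column))


def tos_byte_matches(tos_byte, value, mask):
    """What the kernel's tos match computes for one packet's TOS byte."""
    return (tos_byte & mask) == (value & mask)


if __name__ == "__main__":
    for col in ("EF", "AF21", "CS5", "0x14/0x1c", "16", "-"):
        print("%-10s -> %s" % (col, tos_column_to_match(col) or "(no match)"))
    # Constructed packet: EF (0xb8) with one ECN bit set -> TOS byte 0xb9.
    # The /0xfc form still matches it; a full-byte match on 0xb8 would not.
    print(tos_byte_matches(0xB9, 0xB8, DSCP_MASK),
          tos_byte_matches(0xB9, 0xB8, 0xFF))
```

The last two lines show the edge case that makes the mask matter: a packet carrying ECN bits alongside its DSCP codepoint is missed by a full-byte TOS match but caught by the /0xfc form.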
On Mon, Jun 22, 2009 at 11:45:20AM -0700, Tom Eastep wrote:
> That is completely untrue. The TOS column can contain a
> <numeric-value>[/<mask>] just as the tcclasses file can. The optional
> <mask> is currently undocumented, unfortunately.

Well iptables does NOT accept --tos with anything other than the 5 standard values. --dscp does.

> The problem with patches like this that only worry about the code is
> that they are incomplete.
> 
> - The patch doesn't update Shorewall/configfiles/tcrules
> - The patch doesn't update manpages/shorewall-tcrules.xml
> - The patch doesn't update manpages6/shorewall6-tcrules.xml
> - The patch doesn't update docs/traffic_shaping.xml

I was asking more for input on whether it seemed useful. Since I got no reply, I didn't think much about it for a while. It seemed useful to me given --tos doesn't do what I thought it would based on the shorewall documentation.

> So when I get a patch like this, I'm not very enthusiastic to merge it
> right into my tree. Especially this one which largely duplicates a
> function that is already available (given that the DSCP field is a
> sub-field of the TOS byte).

Well what version of iptables do you use because mine certainly does not accept arbitrary tos values (it does in the tcclasses but not tcrules).

-- 
Len Sorensen
On Mon, Jun 22, 2009 at 12:31:57PM -0700, Tom Eastep wrote:
> Tom Eastep wrote:
> > Lennart Sorensen wrote:
> > 
> >> After all tcclasses already supports arbitrary tos byte values, while
> >> tcrules only supports the 5 fixed tos values.
> > 
> > That is completely untrue. The TOS column can contain a
> > <numeric-value>[/<mask>] just as the tcclasses file can. The optional
> > <mask> is currently undocumented, unfortunately.
> > 
> >> Adding a new column to
> >> the end of tcrules for dscp target matching should be fully backwards
> >> compatible with existing configs (even though having it next to TOS
> >> would have been nice, but not worth it).
> >> 
> >> dscp can either be the numerical value (0-32 I believe), or a diffserv
> >> name (CS0-CS7, BE, AF[1-4][1-3], EF).
> >> 
> >> Does this look acceptable? Adding a mangle target for dscp is going to
> >> be a bit more work of course.
> >> 
> >> I did NOT test this patch. I have a variant against 4.0.15 which I
> >> tested and it nicely creates rules in iptables. It is almost the same
> >> though just varying due to the differences between 4.0 and the git tree.
> > 
> > The problem with patches like this that only worry about the code is
> > that they are incomplete.
> > 
> > - The patch doesn't update Shorewall/configfiles/tcrules
> > - The patch doesn't update manpages/shorewall-tcrules.xml
> > - The patch doesn't update manpages6/shorewall6-tcrules.xml
> > - The patch doesn't update docs/traffic_shaping.xml
> > 
> > So when I get a patch like this, I'm not very enthusiastic to merge it
> > right into my tree. Especially this one which largely duplicates a
> > function that is already available (given that the DSCP field is a
> > sub-field of the TOS byte).
> 
> I've taken a look at this and it appears to me that specifying both DSCP
> and TOS in a single rule is pointless. So I've put together a change that
> lets a single TOS column handle both. It will be included in Beta 3.

Well that sounds like a nice way to do it. I agree specifying both is actually rather stupid.

I still can't figure out why iptables accepts hex values for --tos when it seems to object to anything other than the standard 5 values. Maybe I have too old an iptables or 2.6.26 is too old a kernel.

-- 
Len Sorensen
Lennart Sorensen wrote:
> Well what version of iptables do you use because mine certainly does not
> accept arbitrary tos values (it does in the tcclasses but not tcrules).

gateway:~# iptables -m tos -h
iptables v1.4.3.2
...
tos match options:
[!] --tos value[/mask]    Match Type of Service/Priority field value
[!] --tos symbol          Match TOS field (IPv4 only) by symbol
                          Accepted symbolic names for value are:
                          (0x10)   16 Minimize-Delay
                          (0x08)    8 Maximize-Throughput
                          (0x04)    4 Maximize-Reliability
                          (0x02)    2 Minimize-Cost
                          (0x00)    0 Normal-Service

-Tom
Lennart Sorensen wrote:
> I still can't figure out why iptables accepts hex values for --tos when
> it seems to object to anything other than the standard 5 values.
> Maybe I have too old an iptables or 2.6.26 is too old a kernel.

gateway:~# iptables -t mangle -N foo
gateway:~# iptables -t mangle -A foo -m tos --tos 0x14/0x1c
gateway:~#

-Tom
Tom Eastep wrote:
> Lennart Sorensen wrote:
> 
>> I still can't figure out why iptables accepts hex values for --tos when
>> it seems to object to anything other than the standard 5 values.
>> Maybe I have too old an iptables or 2.6.26 is too old a kernel.
> 
> gateway:~# iptables -t mangle -N foo
> gateway:~# iptables -t mangle -A foo -m tos --tos 0x14/0x1c
> gateway:~#

gateway:~# uname -a
Linux gateway 2.6.26-2-amd64 #1 SMP Thu May 28 21:28:49 UTC 2009 x86_64 GNU/Linux
gateway:~#

-Tom
On Mon, Jun 22, 2009 at 02:38:50PM -0700, Tom Eastep wrote:
> Lennart Sorensen wrote:
> 
> > I still can't figure out why iptables accepts hex values for --tos when
> > it seems to object to anything other than the standard 5 values.
> > Maybe I have too old an iptables or 2.6.26 is too old a kernel.
> 
> gateway:~# iptables -t mangle -N foo
> gateway:~# iptables -t mangle -A foo -m tos --tos 0x14/0x1c
> gateway:~#

# iptables -t mangle -A foo -m tos --tos 0x14/0x1c
iptables v1.3.6: Bad TOS value `0x14/0x1c'
Try `iptables -h' or 'iptables --help' for more information.

So which version of iptables do I need to actually get decent tos support? 1.4.x maybe?

Of course --dscp nicely supports the dscp named classes, which is rather nice.

-- 
Len Sorensen
On Mon, Jun 22, 2009 at 02:36:55PM -0700, Tom Eastep wrote:
> Lennart Sorensen wrote:
> 
> > Well what version of iptables do you use because mine certainly does not
> > accept arbitrary tos values (it does in the tcclasses but not tcrules).
> 
> gateway:~# iptables -m tos -h
> iptables v1.4.3.2

Well that's a lot newer than 1.3.6 that I am using. That's probably the problem I am having then.

> tos match options:
> [!] --tos value[/mask]    Match Type of Service/Priority field value
> [!] --tos symbol          Match TOS field (IPv4 only) by symbol
>                           Accepted symbolic names for value are:
>                           (0x10)   16 Minimize-Delay
>                           (0x08)    8 Maximize-Throughput
>                           (0x04)    4 Maximize-Reliability
>                           (0x02)    2 Minimize-Cost
>                           (0x00)    0 Normal-Service

-- 
Len Sorensen
Lennart Sorensen wrote:
> On Mon, Jun 22, 2009 at 02:38:50PM -0700, Tom Eastep wrote:
>> Lennart Sorensen wrote:
>> 
>>> I still can't figure out why iptables accepts hex values for --tos when
>>> it seems to object to anything other than the standard 5 values.
>>> Maybe I have too old an iptables or 2.6.26 is too old a kernel.
>> 
>> gateway:~# iptables -t mangle -N foo
>> gateway:~# iptables -t mangle -A foo -m tos --tos 0x14/0x1c
>> gateway:~#
> 
> # iptables -t mangle -A foo -m tos --tos 0x14/0x1c
> iptables v1.3.6: Bad TOS value `0x14/0x1c'
> Try `iptables -h' or 'iptables --help' for more information.
> 
> So which version of iptables do I need to actually get decent tos support?
> 1.4.x maybe?

I don't know -- I don't maintain iptables. I can tell you that 1.4.1.1 includes that support; that's the oldest version that I have access to at the moment.

-Tom
Tom Eastep wrote:
> Lennart Sorensen wrote:
>> So which version of iptables do I need to actually get decent tos support?
>> 1.4.x maybe?
> 
> I don't know -- I don't maintain iptables. I can tell you that 1.4.1.1
> includes that support; that's the oldest version that I have access to
> at the moment.

Just remembered that I have an older system -- it is running 1.4.0 which does *not* have full tos match support. So it must have been released in 1.4.1.

-Tom
On Tue, Jun 23, 2009 at 07:43:23AM -0700, Tom Eastep wrote:
> Just remembered that I have an older system -- it is running 1.4.0 which
> does *not* have full tos match support. So it must have been released in
> 1.4.1.

iptables doesn't make it easy to figure out when they add features, and making a change like that between 1.4.0 and 1.4.1 just seems weird.

Oh well, I guess it's time to consider an upgrade of iptables then.

I would still love to see support for dscp class names in the tos column though.

-- 
Len Sorensen