DSCP Tagging with iptables
Introduction
I tag traffic coming out of servers I control – it simplifies the network guys' life, since I manage configurations with puppet. Linux, iptables, and DSCP tagging is a bit of a crazy maker – one great reference is http://www.tucny.com/Home/dscp-tos.
One aspect D. Tucny doesn't mention is that if you set the class, iptables will print the numeric DSCP value in hex rather than the class name when you list the rules:
# iptables -t mangle -A OUTPUT -d 10.1.2.3/32 -j DSCP --set-dscp-class AF21
# iptables -t mangle -L -v
Chain OUTPUT (policy ACCEPT 8510K packets, 125G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DSCP       all  --  any    any     anywhere             foo.example.com      DSCP set 0x12
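Since the listing only shows the hex value, it helps to be able to convert between class names and code points without reaching for the reference table every time. The following Python is an added example, not part of the original post: it derives DSCP values from the class naming rules (AFxy = 8x + 2y, CSx = 8x, EF = 46, BE = 0), maps a value back to its name, and annotates lines of the `iptables -L -v` output above with the class and the full TOS byte (DSCP sits in the upper six bits, so AF21 = 0x12 becomes TOS 0x48). The sample listing is the post's own output; the function names are mine.

```python
import re

# DSCP code points: class selectors CSx = 8*x (RFC 2474), assured forwarding
# AFxy = 8*x + 2*y (RFC 2597), expedited forwarding EF = 46 (RFC 3246),
# best effort BE = 0 (what iptables also calls CS0).
EF = 46


def dscp_value(name):
    """Return the 6-bit DSCP value for a class name such as 'AF21' or 'CS5'."""
    name = name.upper()
    m = re.fullmatch(r"AF([1-4])([1-3])", name)
    if m:
        return 8 * int(m.group(1)) + 2 * int(m.group(2))
    m = re.fullmatch(r"CS([0-7])", name)
    if m:
        return 8 * int(m.group(1))
    if name == "BE":
        return 0
    if name == "EF":
        return EF
    raise ValueError(f"unknown DSCP class: {name}")


def dscp_name(value):
    """Map a 6-bit DSCP value back to its class name, or None if it has no standard name."""
    if not 0 <= value <= 63:
        raise ValueError(f"DSCP value out of range: {value}")
    if value == 0:
        return "BE"
    if value == EF:
        return "EF"
    if value % 8 == 0:
        return f"CS{value // 8}"
    x, y = divmod(value, 8)
    # AF classes use drop precedence 1..3 encoded as 2, 4, 6 in the low bits.
    if 1 <= x <= 4 and y in (2, 4, 6):
        return f"AF{x}{y // 2}"
    return None


def tos_byte(dscp):
    """DSCP occupies the upper six bits of the IPv4 TOS / IPv6 traffic class byte."""
    return dscp << 2


# The listing from the post above (rule added with --set-dscp-class AF21).
LISTING = """Chain OUTPUT (policy ACCEPT 8510K packets, 125G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DSCP       all  --  any    any     anywhere             foo.example.com      DSCP set 0x12"""


def annotate_listing(text):
    """Append the class name and TOS byte to every 'DSCP set 0x..' line of an iptables -L -v dump."""
    out = []
    for line in text.splitlines():
        m = re.search(r"DSCP set (0x[0-9a-fA-F]+)", line)
        if m:
            value = int(m.group(1), 16)
            name = dscp_name(value) or f"unnamed({value})"
            line += f"  [{name}, TOS byte 0x{tos_byte(value):02x}]"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(annotate_listing(LISTING))
```

Pipe `iptables -t mangle -L -v -n` into `annotate_listing` to get the class names back; the `-n` also stops iptables resolving 10.1.2.3 to foo.example.com as it does in the listing above.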
Adding a comment to help
I add a comment to the rule to help:
# iptables -t mangle -A OUTPUT -d 10.1.2.3/32 -j DSCP --set-dscp-class AF21 \
    -m comment \
    --comment "set dscp class to AF21 for destination host foo.example.com"
Since my rule creation is templatized via puppet, I get a lot of this for free. Helps debugging, let me tell ya…