DSCP Tagging with iptables

Published 2013-11-01

Introduction

I tag traffic coming out of servers I control – simplifies the network guys' life since I manage configurations with puppet. Linux, iptables, and DSCP tagging is a bit of a crazy maker – one great reference is http://www.tucny.com/Home/dscp-tos.

One aspect D. Tucny doesn't mention is that if you set a DSCP class by name, iptables prints the numeric DSCP value in hex, not the class name, when you list the rules:

# iptables -t mangle -A OUTPUT -d 10.1.2.3/32 -j DSCP --set-dscp-class AF21
# iptables -t mangle -L -v
Chain OUTPUT (policy ACCEPT 8510K packets, 125G bytes)
 pkts bytes target  prot opt in   out  source    destination         
    0     0 DSCP    all  --  any  any  anywhere  foo.example.com  DSCP set 0x12
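To turn that hex value back into a class name when reading a listing (AF21 is DSCP 18, printed as 0x12, because AFxy encodes as 8x + 2y), here is an added Python helper that is not part of the original post. The listing it annotates is a constructed sample shaped like the output above; the second rule for bar.example.com is made up for the example.

```python
import re


def dscp_table():
    """Map the class names iptables --set-dscp-class accepts to their 6-bit code points.
    AFxy = 8*x + 2*y (RFC 2597), CSx = 8*x (RFC 2474), EF = 46 (RFC 3246), BE = CS0 = 0."""
    table = {"CS%d" % x: 8 * x for x in range(8)}
    table.update({"AF%d%d" % (x, y): 8 * x + 2 * y
                  for x in range(1, 5) for y in range(1, 4)})
    table["EF"] = 46
    table["BE"] = 0
    return table


DSCP_BY_NAME = dscp_table()
# Reverse map; drop the BE alias so that 0x00 decodes to the single canonical name CS0.
NAME_BY_DSCP = {v: k for k, v in DSCP_BY_NAME.items() if k != "BE"}


def class_to_hex(name):
    """AF21 -> '0x12': the value iptables -L prints for --set-dscp-class AF21."""
    return "0x%02x" % DSCP_BY_NAME[name.upper()]


def hex_to_class(value):
    """'0x12' (or the int 18) -> 'AF21'; None for a code point with no standard name."""
    dscp = int(value, 16) if isinstance(value, str) else value
    return NAME_BY_DSCP.get(dscp)


def tos_byte(name):
    """Full IP TOS byte for a class: DSCP in the top 6 bits, ECN bits zero (AF21 -> 0x48).
    This is what the TOS target's --set-tos expects, not what --set-dscp takes."""
    return DSCP_BY_NAME[name.upper()] << 2


_DSCP_SET = re.compile(r"DSCP set (0x[0-9a-fA-F]+)")


def annotate_listing(listing):
    """Append the class name after every 'DSCP set 0x..' in iptables -t mangle -L output."""
    def label(match):
        name = hex_to_class(match.group(1)) or "unknown"
        return "%s (%s)" % (match.group(0), name)
    return _DSCP_SET.sub(label, listing)


# Constructed sample listing, shaped like the real output shown above.
SAMPLE_LISTING = """Chain OUTPUT (policy ACCEPT 8510K packets, 125G bytes)
 pkts bytes target  prot opt in   out  source    destination
    0     0 DSCP    all  --  any  any  anywhere  foo.example.com  DSCP set 0x12
    0     0 DSCP    all  --  any  any  anywhere  bar.example.com  DSCP set 0x2e
"""

if __name__ == "__main__":
    print(annotate_listing(SAMPLE_LISTING))
```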

Adding a comment to help

I add a comment to the rule to help:

# iptables -t mangle -A OUTPUT -d 10.1.2.3/32 -j DSCP --set-dscp-class AF21 \
 -m comment \
 --comment "set dscp class to AF21 for destination host foo.example.com"

Since my rule creation is templatized via puppet, I get a lot of this for free. Helps debugging, let me tell ya…