Request for a pointer - Linux modifying DSCP on replies?
Darren Bolding
darren at bolding.org
Mon Aug 17 21:19:34 UTC 2009
I believe this is operational content, but may well be better asked
somewhere else. I would love to have a pointer to another list/website.
I am looking to do some policy routing based on DSCP marking, and I have
this all working inside the networking equipment. I DSCP mark some packets
at ingress and I policy-route others based on ACL's matching those DSCP
markings. This should allow me to solve some problems in a rather elegant
manner, if I do say so myself.
And this works fine for some things- I have verified that Ping's to a host
work as expected- the Ping shows up at the destination host DSCP marked, and
the ICMP reply leaves with the same DSCP marking.
However, when I do this with apache and mysql connections (TCP 80/3306), the
incoming packets are marked, but the replies are not.
My research into the subject doesn't seem to suggest there is a standard for
whether replies to a TCP connection are required to have the same DSCP
marking, but it seems to make a lot of sense that they would.
I've disabled iptables on the server host to no avail. I've looked around
for an apache or Linux kernel setting and found nothing.
At this point I'm looking for pointers- to a way to solve this issue, or to
a better place to ask.
I've started investigating writing iptables rules to match incoming
connections that have DSCP marking and explicitly mark response traffic, but
that seems, I don't know... wrong.
Linux kernel we are using is 2.6.9-67.ELsmp.
Any help or pointers would be appreciated!
--D
--
-- Darren Bolding --
-- darren at bolding.org --
More information about the NANOG
mailing list