Request for a pointer - Linux modifying DSCP on replies?

Steve Miller stmille at
Mon Aug 17 16:44:11 CDT 2009

Would not the end station be considered to be outside of the DS
domain?  It does not necessarily make sense (to me) for reply packets
to be marked unless they are appropriately classified and marked on the
return path at the point they re-enter the DS domain.

I would imagine that iptables and the DSCP target would do what you
wanted, yes.  I'd consider classifying and marking traffic at whatever
switch you would consider to be at the edge of the DS domain
(connected to this server).


2009/8/17 Darren Bolding <darren at>:
> I believe this is operational content, but may well be better asked
> somewhere else.  I would love to have a pointer to another list/website.
> I am looking to do some policy routing based on DSCP marking, and I have
> this all working inside the networking equipment.  I DSCP mark some packets
> at ingress and I policy-route others based on ACLs matching those DSCP
> markings.  This should allow me to solve some problems in a rather elegant
> manner, if I do say so myself.
> And this works fine for some things: I have verified that pings to a host
> work as expected; the ping shows up at the destination host DSCP marked, and
> the ICMP reply leaves with the same DSCP marking.
> However, when I do this with apache and mysql connections (TCP 80/3306), the
> incoming packets are marked, but the replies are not.
> My research into the subject doesn't seem to suggest there is a standard for
> whether replies to a TCP connection are required to have the same DSCP
> marking, but it seems to make a lot of sense that they would.
> I've disabled iptables on the server host to no avail.  I've looked around
> for an apache or Linux kernel setting and found nothing.
> At this point I'm looking for pointers: to a way to solve this issue, or to
> a better place to ask.
> I've started investigating writing iptables rules to match incoming
> connections that have DSCP marking and explicitly mark response traffic, but
> that seems, I don't know... wrong.
> Linux kernel we are using is 2.6.9-67.ELsmp.
> Any help or pointers would be appreciated!
> --D
> --
> --  Darren Bolding                  --
> --  darren at           --

Steve Miller, CCIE #23977 (R&S), RHCE
Key fingerprint = 5CE3 A789 4CF5 666F 5CD6  2A8E 3132 77C7 483F 5F9D
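As an added example (written here, not code from either poster), the iptables approach Darren was considering and Steve points at: copy the DSCP of an incoming packet into the connection's conntrack mark, then write the same DSCP onto locally generated replies on that connection. It assumes iptables with the dscp and connmark matches and the CONNMARK and DSCP targets (assumed, not checked against 2.6.9); the script name dscp-mirror.sh is a made-up label.

```shell
#!/bin/sh
# Mirror the DSCP of an accepted connection onto the server's replies.
# Assumption: iptables provides -m dscp, -m connmark, -j CONNMARK, -j DSCP.

# Emit the two rules for one DSCP value. Incoming packets carrying that
# value mark the conntrack entry (only if still unmarked, so a connection
# keeps its first classification); outgoing packets on a marked connection
# get the same DSCP written back before they leave the host.
dscp_mirror_rules() {
    dscp="$1"
    # The conntrack mark is 32 bits; reusing the 6-bit DSCP value as the
    # mark keeps the mapping 1:1. Mark 0 means "unmarked", so DSCP 0
    # (best effort) is deliberately never mirrored.
    printf 'iptables -t mangle -A PREROUTING -m dscp --dscp %s -m connmark --mark 0 -j CONNMARK --set-mark %s\n' "$dscp" "$dscp"
    printf 'iptables -t mangle -A OUTPUT -m connmark --mark %s -j DSCP --set-dscp %s\n' "$dscp" "$dscp"
}

# Build the rule set for a list of DSCP values (e.g. 46 for EF, 26 for
# AF31, constructed sample values). DSCP is a 6-bit field, so anything
# outside 1..63 or non-numeric is rejected instead of producing a rule.
build_ruleset() {
    for d in "$@"; do
        case "$d" in
            ''|*[!0-9]*) echo "invalid dscp: $d" >&2; return 1 ;;
        esac
        if [ "$d" -lt 1 ] || [ "$d" -gt 63 ]; then
            echo "dscp out of range: $d" >&2; return 1
        fi
        dscp_mirror_rules "$d"
    done
}

# Usage: "./dscp-mirror.sh 46 26" prints the rules for review;
# "./dscp-mirror.sh apply 46 26" executes them (needs root).
if [ "$1" = apply ]; then
    shift
    build_ruleset "$@" | sh
elif [ -n "$1" ]; then
    build_ruleset "$@"
fi
```

Replies are only re-marked for connections whose first packet carried a listed DSCP; anything the upstream switch marks later in a flow is not picked up, which matches Steve's point that classification belongs at the DS domain edge.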

More information about the NANOG mailing list