Request for a pointer - Linux modifying DSCP on replies?

James Hess mysidia at
Mon Aug 17 19:33:45 CDT 2009

On Mon, Aug 17, 2009 at 4:19 PM, Darren Bolding<darren at> wrote:
> the ICMP reply leaves with the same DSCP marking.
ICMPs may have special treatment.   This is the kernel replying, not a
user application.
> However, when I do this with apache and mysql connections (TCP 80/3306), the
> incoming packets are marked, but the replies are not.

I haven't known Linux to automatically apply DSCP markings.
Believe this operation may be by design.   Not everyone is likely to
want response traffic to have the same markings for all TCP protocols.

HTTP requests are often small request, big response.  People might
sometimes want low delay  for the request  but higher throughput for
HTTP responses (though higher delay  compared to other applications
sharing that bandwidth).

If an application developer wants a Linux computer to apply DSCP or TOS bits,
either, the application needs to elect to set ToS bits  using
setsockopt(),  SO_PRIORITY, and SO_TOS on the socket descriptor
itself...   the app must be running as superuser to do this

Or you may also be able to set the bits using iptables and the mangle table.

# iptables -t mangle -I OUTPUT -p tcp --sport 80  -j DSCP --set-dscp 0x1a

You may also be able to use a CONNMARK  iptables target to mark a connection ,
and then use the mangle table to set the DSCP field of OUTPUT packets
that match the connection mark.


More information about the NANOG mailing list