# [solved] setting DSCP with iptables is not working

## lar82601

gentoo-kernel 2.6.31-gentoo-r6, 

iptables v1.4.3.2

x86_64 AMD Opteron(tm) Processor 852 AuthenticAMD

Kernel compiled to support DSCP and TOS target support, and Packet mangling etc.

I am trying to set DSCP class 'ef' on outgoing RTP VoIP UDP packets. System is running Asterisk.

Even as root, Asterisk has not been able to set DSCP to anything other than default 0x00.

I have attempted to use iptables to do the same thing with the commands:

```
iptables -A OUTPUT -t mangle -p udp -m udp --sport 5060 -j DSCP --set-dscp-class ef
iptables -A OUTPUT -t mangle -p udp -m udp --sport 10000:20000 -j DSCP --set-dscp-class ef
```

iptables accepts the commands, and after saving with '/etc/init.d/iptables save' the commands can be found in the rules-save file.

```
iptables -t mangle -nvL

---snip----

Chain OUTPUT (policy ACCEPT 7313 packets, 1432K bytes)
 pkts bytes target     prot opt in     out     source               destination
   13  8732 DSCP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:5060 DSCP set 0x2e
 3280  655K DSCP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:10000:20000 DSCP set 0x2e
```

Looks like it's being matched --BUT--

Wireshark shows packets leaving the machine are still tagged DSCP 0x00, default.

Any advice or further direction would be appreciated.

Thanks in advance

Last edited by lar82601 on Wed Feb 17, 2010 6:27 pm; edited 1 time in total

----------

## massimo

Are you sure that the packets leaving the box are within the specified source port range? I even used your source ports (using netcat to generate some traffic) and using wireshark I can tell that the packets are marked appropriately. Did you use wireshark on the source system?

----------

## lar82601

Sorry for not updating post!

After a good deal of testing it was determined that the switch (Cisco 3550) the box was connected to was removing the tag before wireshark could get to it. A new IOS and adding 'mls qos trust dscp' to the interface eliminated the problem.

Thank you for your efforts.

----------
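An added example, not part of the thread: a small checker that reads the DSCP field from raw IPv4/UDP packets and lists those whose source port matches the two mangle rules above but which are not marked EF (0x2e). Running it over a capture taken on the sending host and over one taken beyond the switch shows where the marking is lost. The packets here are constructed samples, and the helper names and addresses are assumptions.

```python
import struct

EF = 0x2E  # DSCP class 'ef' (46); iptables -nvL shows it as "DSCP set 0x2e"
# Source ports matched by the two mangle rules in the thread
RULE_SPORTS = [(5060, 5060), (10000, 20000)]

def build_ipv4_udp(sport, dport, dscp, payload=b"x"):
    """Construct a minimal IPv4/UDP packet (checksums left at 0) for the demo."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    tos = dscp << 2  # DSCP is the upper 6 bits of the old TOS byte; low 2 bits are ECN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + udp

def parse_dscp(packet):
    """Return (sport, dscp) for an IPv4/UDP packet, or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes, options included
    if ihl < 20 or packet[9] != 17 or len(packet) < ihl + 8:
        return None
    sport = struct.unpack_from("!H", packet, ihl)[0]
    return sport, packet[1] >> 2

def unmarked(packets):
    """List (sport, dscp) for packets the rules should have marked EF but are not."""
    bad = []
    for pkt in packets:
        parsed = parse_dscp(pkt)
        if parsed is None:
            continue
        sport, dscp = parsed
        if any(lo <= sport <= hi for lo, hi in RULE_SPORTS) and dscp != EF:
            bad.append((sport, dscp))
    return bad

# Constructed samples: the same flows seen at the host and after a switch that resets DSCP
at_host = [build_ipv4_udp(5060, 5060, EF), build_ipv4_udp(12000, 4000, EF),
           build_ipv4_udp(53, 53, 0)]
after_switch = [build_ipv4_udp(5060, 5060, 0), build_ipv4_udp(12000, 4000, 0),
                build_ipv4_udp(53, 53, 0)]

if __name__ == "__main__":
    print("host:", unmarked(at_host))
    print("after switch:", unmarked(after_switch))
```

The parser expects packets starting at the IPv4 header, so any link-layer header from a capture file has to be stripped first.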

