I am using 2.4.18 kernel + iptables v1.2.7a .
After trying iptables -m dscp it replies "No match by that name"
Is the problem in my iptables version , ore the kernel must be preconfigured ?
Thanks for help

I've never heard of the 'dscp' match extension. Take a look at 'man iptables' under the 'MATCH EXTENSIONS' section for a list a valid match extensions.

I don't think that module exists, what are you trying to do?

Joe

dscp
This module matches the 6 bit DSCP field within the TOS field in the IP
header. DSCP has superseded TOS within the IETF.

--dscp value
Match against a numeric (decimal or hex) value [0-32].

--dscp-class DiffServ Class
Match the DiffServ class. This value may be any of the BE, EF,
AFxx or CSx classes. It will then be converted into it's
according numeric value.

directly copied from man iptables ))

May be I have to be more concrete .
I'm trying to filter packets in case of values of the prec bits in the ToS field of the header . My Linux is a forwarder&firewall and I am using only iptables rules for making decisions .

Then that's very new, I'm using version 1.2.5 (the difference between .5 and .7 is at patch level) and that specification can't be found in the man pages. Perhaps because you're using version "a" it has that extra function, I don't know. But it looks like it's brand new so I don't think you'll find too many people who will know what you're talking about.

Joe

I'm in the same boat, iptables v1.2.5 doesn't have support for this Match Extension. Sorry to be so quick to tell you to RTFM, but I'd never heard of this one before.

To get DSCP working with netfilter/ iptables v1.2.7a on a Redhat 9.0 system.

1) as root
'insmod ipt_dscp'

I still got the following error ------
iptables -A ETH1_OUTPUT_PROTOCOLS -s 0/0 -m dscp-class af1
iptables v1.2.7a: Couldn't load match `dscp-class':/lib/iptables/libipt_dscp-class.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
------------------------------------------------------

Needless to say the "help" was of no help.

Next, I tried to look a the library to see what it expected
strings /lib/iptables/libipt_dscp.so | more

Based upon it's output, I tried the following and it seemed to take. I will get to testing it later today to make sure it actually marks the packets. Here is how it was done.

2) Set up a quick test
'iptables -A OUTPUT -s 0/0 -m dscp --dscp-class AF11'

Note the 2 instances of dscp in the command line '-m dscp --dscp-class'

I hope this helps, In the past I have received alot of on-line help from news groups and message boards. I am glad to give back a little.
Kevin

------------------------------------------------------------------
I have an error above. That rule is setup to match a particular DSCP, not mark it. I am still attempting to figure out how to mark code points usinf iptables.

I tried the following rule after another insmod -- ' insmod ipt_DSCP'. I still get an error.

iptables -t mangle -A ETH2_OUTPUT -p icmp -o eth2 -j DSCP --set-dscp-class af11
iptables: No chain/target/match by that name

Any help would be.... helpful.
Thanks,
Kevin

Hi Kevin , Hi All ,
Actually I killed my problem before , upgrading to 2.4.20 and iptables 1.2.8 and compiling it as modules to kernel .
Now everything is working fine , I did'n know what was my mistake .

Hope that post will be usefull for others .

Rgrds
Brabard

Found my problem. I was attempting to mangle a user defined chain. I guess you can't do that. The following worked. Note: I switched from using th eETH2_OUTPUT chain to the OUTPUT chain. I measured the paskets and they get the assigned diffserv code point.

iptables -t mangle -A OUTPUT -o eth2 -j DSCP --set-dscp-class af11

Thanks,
Kevin