From mboxrd@z Thu Jan 1 00:00:00 1970
From: Bill Chappell
Subject: Re: Question about -m tos option
Date: Tue, 14 Oct 2003 22:38:01 -0400
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <3F8CB309.A4713C61@critical.com>
References: <000801c39183$9a3fed90$2d0410d4@urbannet6ku735>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Errors-To: netfilter-admin@lists.netfilter.org
Content-Type: text/plain; charset="us-ascii"
To: netfilter@lists.netfilter.org

> "Pavel V. Chjen" wrote:
>
> 0x60 is out of valid range in dscp matching (:
> [root@root linux]# iptables -A FORWARD -m dscp --dscp 0x60
> iptables v1.2.9rc1: DSCP `96` out of range

You only have 6 bits of the 8 bits in the ToS to work with for DSCP
(http://www.cisco.com/warp/public/105/dscpvalues.html#dscpandassuredforwardingclasses),
and valid values are explicitly 0 through 63 (decimal)
(http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_r/qrfcmd4.htm#1098678).
Your rule used 60 (hex), which is 96 (decimal), as the error message reported.

I got these references, and more, to confirm what I thought I knew about DSCP
by asking Google for DSCP and DSCP+size, if that helps for the future.
(www.google.com)

I hope this helps and that you really do not need 96 different values for the
DSCP.

Bill

--
William Chappell, Software Engineer, Critical Technologies, Inc.
Suite 400 Technology Center, 4th Floor
1001 Broad Street, Utica, NY 13501
315-793-0248 x148
< bill.chappell@critical.com >
www.critical.com
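
Added example, not part of the original message or of iptables itself: the shell functions below split an IPv4 ToS byte into its DSCP (upper 6 bits) and ECN (lower 2 bits) fields, check the 0 through 63 range that the dscp match enforces, and print the rule with the converted value. It assumes the 0x60 in the quoted rule was meant as a whole ToS byte; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the value given is a full 8-bit ToS byte
# (DSCP in the upper 6 bits, ECN in the lower 2 bits).

# Accept only short decimal or 0x-prefixed hex strings, so that nothing
# else ever reaches arithmetic expansion.
is_number() {
    [ "${#1}" -le 4 ] || return 1
    case "$1" in
        0[xX]*) case "${1#0[xX]}" in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        ''|*[!0-9]*|0?*) return 1 ;;   # empty, non-digit, or leading zero (octal)
    esac
}

# Print the DSCP value (decimal) carried in ToS byte $1; fail unless 0..255.
tos_to_dscp() {
    is_number "$1" || return 1
    [ $(( $1 )) -le 255 ] || return 1
    echo $(( $1 >> 2 ))
}

# Print the ECN bits (0..3) of ToS byte $1; the dscp match does not look at them.
tos_to_ecn() {
    is_number "$1" || return 1
    [ $(( $1 )) -le 255 ] || return 1
    echo $(( $1 & 3 ))
}

# Succeed only if $1 fits in 6 bits, the range --dscp accepts (0..63).
valid_dscp() {
    is_number "$1" && [ $(( $1 )) -le 63 ]
}

# Print (do not run) the dscp-match rule for ToS byte $1 in chain $2.
dscp_rule_for_tos() {
    dscp=$(tos_to_dscp "$1") || { echo "not a ToS byte: $1" >&2; return 1; }
    printf 'iptables -A %s -m dscp --dscp 0x%02x\n' "$2" "$dscp"
}

# The value from the quoted rule: out of range as a DSCP, valid as a ToS byte.
valid_dscp 0x60 || echo "0x60 is not a valid DSCP value"
dscp_rule_for_tos 0x60 FORWARD
```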