Книга: Iptables Tutorial 1.2.2
TOS target
TOS target
The TOS target is used to set the Type of Service field within the IP header. The TOS field consists of 8 bits which are used to help in routing packets. This is one of the fields that can be used directly within iproute2 and its subsystem for routing policies. Worth noting, is that if you handle several separate firewalls and routers, this is the only way to propagate routing information within the actual packet between these routers and firewalls. As previously noted, the MARK target - which sets a MARK associated with a specific packet - is only available within the kernel, and can't be propagated with the packet. If you feel a need to propagate routing information for a specific packet or stream, you should therefore set the TOS field, which was developed for this.
There are currently a lot of routers on the Internet which do a pretty bad job at this, so as of now it may prove to be a bit useless to attempt TOS mangling before sending the packets on to the Internet. At best the routers will not pay any attention to the TOS field. At worst, they will look at the TOS field and do the wrong thing. However, as stated above, the TOS field can most definitely be put to good use if you have a large WAN or LAN with multiple routers. You then in fact have the possibility of giving packets different routes and preferences, based on their TOS value - even though this might be confined to your own network.
The TOS target is only capable of setting specific values, or named values on packets. These predefined TOS values can be found in the kernel include files, or more precisely, the Linux/ip.h file. The reasons are many, and you should actually never need to set any other values; however, there are ways around this limitation. To get around the limitation of only being able to set the named values on packets, you can use the FTOS patch available at the Paksecured Linux Kernel patches site maintained by Matthew G. Marsh. However, be cautious with this patch! You should not need to use any other than the default values, except in extreme cases. |
Note that this target is only valid within the mangle table and can't be used outside it. |
Also note that some old versions (1.2.2 or below) of iptables provided a broken implementation of this target which did not fix the packet checksum upon mangling, hence rendering the packets bad and in need of retransmission. That in turn would most probably lead to further mangling and the connection never working. |
The TOS target only takes one option as described below.
Table 11-19. TOS target options
Option | --set-tos |
Example | iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10 |
Explanation | The --set-tos option tells the TOS mangler what TOS value to set onpackets that are matched. The option takes a numeric value, either in hex or in decimal value. As the TOS value consists of 8 bits, the value may be 0-255, or in hex 0x00-0xFF. Note that in the standard TOS target you are limited to using the named values available (which should be more or less standardized), as mentioned in the previous warning. These values are Minimize-Delay (decimal value 16, hex value 0x10), Maximize-Throughput (decimal value 8, hex value 0x08), Maximize-Reliability (decimal value 4, hex value 0x04), Minimize-Cost (decimal value 2, hex 0x02) or Normal-Service (decimal value 0, hex value 0x00). The default value on most packets is Normal-Service, or 0. Note that you can, of course, use the actual names instead of the actual hex values to set the TOS value; in fact this is generally to be recommended, since the values associated with the names may be changed in future. For a complete listing of the "descriptive values", do an iptables -j TOS -h. |
Works under Linux kernel 2.3, 2.4, 2.5 and 2.6. |
- ACCEPT target
- CLASSIFY target
- CLUSTERIP target
- CONNMARK target
- CONNSECMARK target
- DNAT target
- DROP target
- DSCP target
- ECN target
- LOG target options
- MARK target
- MASQUERADE target
- MIRROR target
- NETMAP target
- NFQUEUE target
- NOTRACK target
- QUEUE target
- REDIRECT target
- REJECT target
- RETURN target
- SAME target
- SECMARK target
- SNAT target
- TCPMSS target
- TOS target
- TTL target
- ULOG target
- What's next?
- MASQUERADE target
- SNAT target
- 3.2.3 Target Debug Agent
- 2.4 Mapping Executable Images into Target Embedded Systems
- 3.4 Target System Software Initialization Sequence
- 9.2.5 Target Debug Agent
- Chapter 11. Iptables targets and jumps
- Tos match
- ACCEPT target
- CLASSIFY target
- CLUSTERIP target
- CONNMARK target