
iptables, setting DSCP for DHCP?


I'm trying to set the DSCP bits on DHCP packets. Although the below works fine for udp, the packet is always sent with DSCP of 16. Any ideas?

 iptables -t mangle -A FORWARD -p udp -j DSCP --set-dscp 1
 iptables -t mangle -A OUTPUT -p udp -j DSCP --set-dscp 1
 iptables -t mangle -A PREROUTING -p udp -j DSCP --set-dscp 1
 iptables -t mangle -A POSTROUTING -p udp -j DSCP --set-dscp 1

I'm using dhclient - I don't see any option there to set it either.

Looks like dhclient hard-codes it here, FYI:

void assemble_udp_ip_header (interface, buf, bufix,
                             from, to, port, data, len)
        struct interface_info *interface;
        unsigned char *buf;
        unsigned *bufix;
        u_int32_t from;
        u_int32_t to;
        u_int32_t port;
        unsigned char *data;
        unsigned len;
{
        struct ip ip;
        struct udphdr udp;

        memset (&ip, 0, sizeof ip);

        /* Fill out the IP header */
        IP_V_SET (&ip, 4);
        IP_HL_SET (&ip, 20);
        ip.ip_tos = IPTOS_LOWDELAY;

Solution

  • I think DHCP cannot be caught with iptables as it uses RAW sockets that bypass the entire netfilter mechanism. There are some sources that report this here:

    http://louwrentius.com/why-filtering-dhcp-traffic-is-not-always-possible-with-iptables.html

    https://serverfault.com/questions/297383/unable-to-block-dhcp-and-other-traffic-on-input-chain
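The thread above comes down to one byte: the TOS/Traffic Class byte that dhclient fills in itself (`ip.ip_tos = IPTOS_LOWDELAY`) before handing the finished frame to a packet socket, which is why the mangle rules never get a chance to rewrite it. As an added example that is not part of the original question or answer, and not ISC's code, the C below rebuilds the same IPv4+UDP header assembly with the DSCP as a parameter, and then performs in user space the rewrite that the iptables `DSCP --set-dscp` target would have performed on the wire: replace the six DSCP bits, keep the two ECN bits, and recompute the IPv4 header checksum (forgetting that last step yields a packet the next hop drops). The sample packet (0.0.0.0:68 to 255.255.255.255:67 with a 300-byte zeroed payload), the TTL of 64, the absent UDP checksum and the byte-offset layout are this example's choices; IPTOS_LOWDELAY is 0x10, so its DSCP is 4 and the byte shows as decimal 16 in a tool that prints the whole TOS byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets into a minimal IPv4 header (20 bytes, no options) followed by UDP (8 bytes). */
enum { IP_HLEN = 20, UDP_HLEN = 8, HDR_LEN = IP_HLEN + UDP_HLEN };
enum {
    OFF_VER_IHL = 0, OFF_TOS = 1, OFF_TOT_LEN = 2, OFF_TTL = 8, OFF_PROTO = 9,
    OFF_CHECK = 10, OFF_SADDR = 12, OFF_DADDR = 16,
    OFF_UDP_SPORT = 20, OFF_UDP_DPORT = 22, OFF_UDP_LEN = 24, OFF_UDP_CHECK = 26
};

#define IPTOS_LOWDELAY_VAL 0x10   /* IPTOS_LOWDELAY from <netinet/ip.h>: DSCP 4, ECN 0 */
#define IPPROTO_UDP_VAL    17
#define DEMO_PAYLOAD_LEN   300    /* constructed sample size, roughly a DHCPDISCOVER */
#define DEMO_PKT_LEN       (HDR_LEN + DEMO_PAYLOAD_LEN)

/* Big-endian store/load helpers so the code does not depend on host byte order. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 one's-complement checksum over len bytes; returns the value to store.
   Run over a header that already carries a correct checksum, it returns 0. */
static uint16_t ones_complement_sum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2) sum += get16(p + i);
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Validate that buf holds an IPv4 header we can work on; returns header length or 0. */
static size_t ipv4_header_len(const uint8_t *pkt, size_t len)
{
    size_t ihl;
    if (len < IP_HLEN || (pkt[OFF_VER_IHL] >> 4) != 4) return 0;
    ihl = (size_t)(pkt[OFF_VER_IHL] & 0x0F) * 4;
    return (ihl >= IP_HLEN && ihl <= len) ? ihl : 0;
}

/* Same job as dhclient's assemble_udp_ip_header(), but the DSCP is a parameter
   instead of the hard-coded IPTOS_LOWDELAY. Addresses are host-order IPv4 values.
   Returns the number of header bytes written (28), or 0 if dscp is out of range. */
size_t build_udp_ip_header(uint8_t *buf, uint8_t dscp, uint32_t from, uint32_t to,
                           uint16_t sport, uint16_t dport, size_t payload_len)
{
    if (dscp > 63) return 0;                       /* DSCP is a 6-bit field */
    memset(buf, 0, HDR_LEN);
    buf[OFF_VER_IHL] = (uint8_t)((4 << 4) | (IP_HLEN / 4));
    buf[OFF_TOS]     = (uint8_t)(dscp << 2);       /* DSCP in the top 6 bits, ECN clear */
    put16(buf + OFF_TOT_LEN, (uint16_t)(HDR_LEN + payload_len));
    buf[OFF_TTL]   = 64;                           /* example's choice */
    buf[OFF_PROTO] = IPPROTO_UDP_VAL;
    put32(buf + OFF_SADDR, from);
    put32(buf + OFF_DADDR, to);
    put16(buf + OFF_CHECK, ones_complement_sum(buf, IP_HLEN));
    put16(buf + OFF_UDP_SPORT, sport);
    put16(buf + OFF_UDP_DPORT, dport);
    put16(buf + OFF_UDP_LEN, (uint16_t)(UDP_HLEN + payload_len));
    put16(buf + OFF_UDP_CHECK, 0);                 /* no UDP checksum, allowed over IPv4 */
    return HDR_LEN;
}

/* DSCP is the upper six bits of the TOS byte; returns -1 for a non-IPv4 buffer. */
int get_dscp(const uint8_t *pkt, size_t len)
{
    return ipv4_header_len(pkt, len) ? pkt[OFF_TOS] >> 2 : -1;
}

/* What the iptables DSCP target does to a packet it does see: replace the six
   DSCP bits, keep the two ECN bits, and recompute the IPv4 header checksum. */
int set_dscp(uint8_t *pkt, size_t len, uint8_t dscp)
{
    size_t ihl = ipv4_header_len(pkt, len);
    if (dscp > 63 || ihl == 0) return -1;
    pkt[OFF_TOS] = (uint8_t)((dscp << 2) | (pkt[OFF_TOS] & 0x03));
    put16(pkt + OFF_CHECK, 0);
    put16(pkt + OFF_CHECK, ones_complement_sum(pkt, ihl));
    return 0;
}

/* 1 if the IPv4 header checksum verifies, 0 otherwise. */
int ip_checksum_ok(const uint8_t *pkt, size_t len)
{
    size_t ihl = ipv4_header_len(pkt, len);
    return ihl != 0 && ones_complement_sum(pkt, ihl) == 0;
}

/* Constructed sample: the headers dhclient would emit for a client broadcast,
   0.0.0.0:68 -> 255.255.255.255:67, with its hard-coded IPTOS_LOWDELAY.
   buf must hold DEMO_PKT_LEN bytes; returns the total packet length. */
size_t build_dhclient_like_packet(uint8_t *buf)
{
    size_t hlen = build_udp_ip_header(buf, IPTOS_LOWDELAY_VAL >> 2, 0x00000000u, 0xFFFFFFFFu,
                                      68, 67, DEMO_PAYLOAD_LEN);
    memset(buf + hlen, 0, DEMO_PAYLOAD_LEN);       /* payload contents are not the point here */
    return hlen + DEMO_PAYLOAD_LEN;
}

int main(void)
{
    uint8_t pkt[DEMO_PKT_LEN];
    size_t n = build_dhclient_like_packet(pkt);
    printf("as dhclient builds it: tos=0x%02x (DSCP %d), checksum ok=%d\n",
           pkt[OFF_TOS], get_dscp(pkt, n), ip_checksum_ok(pkt, n));
    set_dscp(pkt, n, 1);                           /* the effect of --set-dscp 1 */
    printf("after DSCP rewrite:    tos=0x%02x (DSCP %d), checksum ok=%d\n",
           pkt[OFF_TOS], get_dscp(pkt, n), ip_checksum_ok(pkt, n));
    return 0;
}
```

Because dhclient owns the whole header, the practical options are the ones the thread implies: patch the `ip_tos` assignment (or a client that exposes it) and rebuild, or classify on the DHCP ports at a point that does see the packet, such as the egress queueing discipline or the next router, rather than expecting the host's mangle table to touch a frame it never receives.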