I am trying to set DSCP codepoints for outgoing packets from an istio/envoy-enabled pod. When I do:
$ iptables -t mangle -A OUTPUT -p tcp .... -j DSCP --set-dscp 5
that does not get applied, as seen by tcpdump in the host.
I added -j LOG rules to various tables/chains to see what’s happening, and I see that the mangle table sees this:
mangle:out IN= OUT=lo SRC=127.0.0.6 DST=10.32.0.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=483 DF PROTO=TCP SPT=41867 DPT=5009 WINDOW=43690 RES=0x00 SYN URGP=0
Here, 10.32.0.8 is the IP address of the pod, which is listening on TCP port 5009 with nc -lv 5009. Another pod is connecting to it with nc -v 10.32.0.8 5009. The connection is good and data gets exchanged, except that DSCP markings do not take effect.
It makes no difference if I use the POSTROUTING chain with -o eth0. The captured packet looks like this:
mangle:postrout IN= OUT=eth0 SRC=10.32.0.8 DST=10.32.0.13 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=15006 DPT=39364 WINDOW=26480 RES=0x00 ACK SYN URGP=0
This is with Istio 1.5.2, Kubernetes 1.18 and the pod’s image is praqma/network-multitool. Istio was installed with defaults, no customization.
Please suggest ideas.
Thanks & Best Regards,
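
An added example, not part of the original post: the kernel's LOG target prints the IPv4 TOS byte as two masked fields, TOS= (mask 0x1E) and PREC= (mask 0xE0), so the DSCP value is recovered by OR-ing them and shifting right by two bits. The Python below does this for the two LOG lines quoted in the post plus one constructed line carrying DSCP 5 (which shows up as TOS=0x14); the function names are hypothetical.

```python
import re

# The first two lines are the LOG lines quoted in the post. The third is
# constructed: the second line with the TOS field a DSCP 5 mark would produce.
SAMPLE_LINES = [
    "mangle:out IN= OUT=lo SRC=127.0.0.6 DST=10.32.0.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=483 DF PROTO=TCP SPT=41867 DPT=5009 WINDOW=43690 RES=0x00 SYN URGP=0",
    "mangle:postrout IN= OUT=eth0 SRC=10.32.0.8 DST=10.32.0.13 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=15006 DPT=39364 WINDOW=26480 RES=0x00 ACK SYN URGP=0",
    "mangle:postrout IN= OUT=eth0 SRC=10.32.0.8 DST=10.32.0.13 LEN=60 TOS=0x14 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=15006 DPT=39364 WINDOW=26480 RES=0x00 ACK SYN URGP=0",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def dscp_from_fields(tos_hex, prec_hex):
    """Rebuild the TOS byte from the LOG target's two masked fields.

    TOS= holds bits 1-4 and PREC= holds bits 5-7; DSCP is bits 2-7, so
    OR-ing both fields and dropping the two ECN bits gives the codepoint.
    """
    tos_byte = int(tos_hex, 16) | int(prec_hex, 16)
    return tos_byte >> 2


def parse_log_line(line):
    """Return the log prefix, key=value fields and decoded DSCP of one line."""
    prefix, _, rest = line.partition("IN=")
    fields = dict(FIELD_RE.findall("IN=" + rest))
    return {
        "prefix": prefix.strip(),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC", ""),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dscp": dscp_from_fields(fields["TOS"], fields["PREC"]),
    }


def check_dscp(lines, expected):
    """List (prefix, out interface, src, source port, dscp, marked?) per line."""
    rows = []
    for line in lines:
        p = parse_log_line(line)
        rows.append((p["prefix"], p["out"], p["src"], p["spt"],
                     p["dscp"], p["dscp"] == expected))
    return rows


if __name__ == "__main__":
    for row in check_dscp(SAMPLE_LINES, expected=5):
        print(row)
```
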