Clear external DSCP bits for non-version pools, to prevent trouble for end-users whose networks also use DSCP

quentinmit · quentinmit · commit 975da4547df6 · 2020-03-03T22:50:25.000-05:00
diff --git a/ansible/roles/lvs-iptables/files/scripts-iptables.rules.v4 b/ansible/roles/lvs-iptables/files/scripts-iptables.rules.v4
@@ -34,6 +34,8 @@
 # scripts-test.mit.edu
 -A PREROUTING -d 18.4.86.229 -j test
 
+# Clear external DSCP bits
+-A scripts -j DSCP --set-dscp 0
 # Send Apache-bound traffic to FWM 2 (load-balanced)
 -A scripts -m tcp -m multiport -p tcp --dports 80,443,444 -j MARK --set-mark 2
 # Send SMTP-bound traffic to FWM 3 (load-balanced)
@@ -43,9 +45,13 @@
 # Send everything else to FWM 1 (primary)
 -A scripts -m mark --mark 0 -j MARK --set-mark 1
 
+# Clear external DSCP bits
+-A primary -j DSCP --set-dscp 0
 # scripts-primary.mit.edu goes to the primary (FWM 1) on all ports
 -A primary -j MARK --set-mark 1
 
+# Clear external DSCP bits
+-A sipb -j DSCP --set-dscp 0
 # sipb.mit.edu acts like regular scripts for the web ports, everything else goes to i-hate-penguins.xvm.mit.edu (FWM 4)
 -A sipb -m tcp -m multiport -p tcp --dports 80,443,444 -j MARK --set-mark 2
 # Also send port 25 there too because the IP is shared with rtfm.mit.edu (fix this after renaming the machine)
@@ -65,6 +71,8 @@
 -A f30 -m tcp -p tcp --dport 78:79 -j RETURN
 -A f30 -m mark --mark 0 -j MARK --set-mark 31
 
+# Clear external DSCP bits
+-A test -j DSCP --set-dscp 0
 # send web traffic to HAProxy and everything else to f20
 -A test -m tcp -m multiport -p tcp --dports 80,443,444 -j MARK --set-mark 92
 -A test -m tcp -p tcp --dport 25 -j MARK --set-mark 23
