The Value of TOS Bits

The TOS bits are of historical interest only. Linux does support their use locally, and various Linux firewall documents refer to the bits and their uses. Nevertheless, the fact remains that the TOS bits are not generally used or examined.

The TOS field has been redefined as the Differentiated Services (DS) field for use by the Differentiated Services Control Protocol (DSCP).

For more information on Differentiated Services, see these sources:

• RFC 2474, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers"

• RFC 2475, "An Architecture for Differentiated Services"

• RFC 2990, "Next Steps for the IP QoS Architecture"

• RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP"

• RFC 3260, "New Terminology and Clarifications for Diffserv"

unclean filter Table Match Extension

The specific packet-validity checks performed by the unclean module are not documented. The module is considered to be experimental, and the iptables authors recommend against its use for now.

The following line shows the unclean module syntax. The module takes no arguments:

-m unclean | --match unclean

The unclean extension might be "blessed" by the time this book is published. In the meantime, the module lends itself to an example of the log options:

iptables -A INPUT -p tcp -m unclean \
         -j LOG --log-prefix "UNCLEAN TCP: " \
         --log-ip-options --log-tcp-sequence --log-tcp-options
iptables -A INPUT -m unclean -j DROP
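The rules above only write lines to the kernel log; a practitioner still has to read them. The following parser is an added example, not code from the book or from the iptables project. It assumes the LOG target's usual line layout (the --log-prefix text, then KEY=VALUE pairs, bare flag words such as DF or SYN, SEQ=/ACK= from --log-tcp-sequence, and "OPT (hex)" groups from --log-ip-options and --log-tcp-options), splits the old TOS byte into its DSCP and ECN parts as RFC 2474 and RFC 3168 redefine it, decodes the TCP option TLVs, and flags TCP flag combinations that no legitimate stack sends. The two log lines embedded in it are constructed for the example, not captured from a real system.

```python
import re
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed sample lines in the shape the iptables LOG target writes to the
# kernel log. Addresses, sequence numbers and options are made up; the field
# order is this example's assumption about the LOG target's output.
SAMPLE_LOG_LINES = [
    "UNCLEAN TCP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x10 PREC=0x00 TTL=51 ID=4242 DF "
    "PROTO=TCP SPT=40123 DPT=22 SEQ=1234567890 ACK=0 WINDOW=29200 RES=0x00 SYN "
    "URGP=0 OPT (020405B40402080A0000000100000000)",
    "UNCLEAN TCP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=44 TOS=0x00 "
    "PREC=0x00 TTL=240 ID=0 OPT (07030400) PROTO=TCP SPT=31337 DPT=80 "
    "SEQ=0 ACK=0 WINDOW=1024 RES=0x00 FIN SYN RST PSH ACK URG URGP=0",
]

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
OPT_RE = re.compile(r"OPT \(([0-9A-Fa-f]*)\)")
FLAG_WORDS = {"DF", "MF", "CE", "FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"}


def parse_log_line(line: str, prefix: str = "UNCLEAN TCP: ") -> Dict[str, Any]:
    """Turn one LOG-target line into header fields, flag words and option hex."""
    if not line.startswith(prefix):
        raise ValueError(f"line does not carry the expected prefix {prefix!r}")
    body = line[len(prefix):]
    # "OPT (...)" groups before PROTO= belong to the IP header (--log-ip-options),
    # groups after it to the TCP header (--log-tcp-options).
    cut = body.find("PROTO=")
    head, tail = (body, "") if cut < 0 else (body[:cut], body[cut:])
    record: Dict[str, Any] = {
        "ip_options": OPT_RE.findall(head),
        "tcp_options": OPT_RE.findall(tail),
    }
    stripped = OPT_RE.sub("", body)
    record["fields"] = {key: value for key, value in KV_RE.findall(stripped)}
    # Bare words like DF or SYN are flags; "ACK=0" (the sequence field) is not.
    record["flags"] = {tok for tok in stripped.split() if tok in FLAG_WORDS}
    tos = int(record["fields"].get("TOS", "0x0"), 16)
    # RFC 2474 makes the high six bits the DSCP; RFC 3168 gives ECN the low two.
    record["dscp"] = tos >> 2
    record["ecn"] = tos & 0x3
    return record


def decode_tcp_options(hex_opts: str) -> List[Tuple[int, bytes]]:
    """Walk the TCP option TLVs logged by --log-tcp-options as (kind, data)."""
    raw = bytes.fromhex(hex_opts)
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of option list
            out.append((0, b""))
            break
        if kind == 1:                       # NOP used as padding
            out.append((1, b""))
            i += 1
            continue
        # Every other option carries a length byte covering kind, length and data.
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option length")
        length = raw[i + 1]
        out.append((kind, raw[i + 2:i + length]))
        i += length
    return out


def flag_anomaly(flags: Set[str]) -> Optional[str]:
    """Name a TCP flag combination that a conforming stack never emits, or None."""
    tcp = flags & {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}
    if not tcp:
        return "no TCP flags set"
    if {"SYN", "FIN"} <= tcp:
        return "SYN+FIN set together"
    if {"SYN", "RST"} <= tcp:
        return "SYN+RST set together"
    if {"FIN", "PSH", "URG"} <= tcp and "ACK" not in tcp:
        return "FIN+PSH+URG without ACK"
    return None


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        rec = parse_log_line(line)
        f = rec["fields"]
        print(f"{f['SRC']}:{f['SPT']} -> {f['DST']}:{f['DPT']} "
              f"dscp={rec['dscp']} ecn={rec['ecn']} flags={sorted(rec['flags'])} "
              f"anomaly={flag_anomaly(rec['flags'])}")
        for hex_opts in rec["tcp_options"]:
            print("  tcp options:", decode_tcp_options(hex_opts))
```

The first constructed line is an ordinary SYN carrying MSS, SACK-permitted and timestamp options; the second has every TCP flag set and an IP option present, which is the kind of packet a validity check such as unclean is meant to catch. The decoder raises on a truncated option rather than silently reading past the end, since malformed option lengths are exactly what a hostile sender would supply.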

