> "Pavel V. Chjen" wrote: > > 0x60 is out of valid range in dscp matching (: > [root@root linux]# iptables -A FORWARD -m dscp --dscp 0x60 > iptables v1.2.9rc1: DSCP `96` out of range You only have 6 bits of the 8 bits in the ToS to work with for DSCP, (http://www.cisco.com/warp/public/105/dscpvalues.html#dscpandassuredforwardingclasses) and valid values are explicitly 0 through 63 (decimal) (http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_r/qrfcmd4.htm#1098678). Your rule used 60(hex), which is 96(decimal) as the error message reported. I got these references, and more, to confirm what I thought I knew about DSCP by asking Google for DSCP and DSCP+size, if that helps for the future. (www.google.com) I hope this helps and that you really do not need 96 different values for the DSCP. Bill -- William Chappell, Software Engineer, Critical Technologies, Inc. Suite 400 Technology Center, 4th Floor 1001 Broad Street, Utica, NY 13501 315-793-0248 x148 < bill.chappell@xxxxxxxxxxxx > www.critical.com