Updating IP header - DSCP Marking for egress traffic at egress gateway

[Kunal Ekawde]

Hello Folks,

Need help from members here to comment on possibility of this solution.

I've a requirement to set the dscp bits as part of IP header in the outgoing messages from the egress gateway for a connection(can it be per connection or should be per host?). We are using Istio service mesh on kubernetes cluster.

There was similar case email chain "Manipulating IP headers" in this forum where Matt proposed to use http filter socket options.

I've explored it briefly and seems possible:

1. setsockopt(sockfd, IPPROTO_IP, IP_TOS, &tos_local, sizeof(tos_local)) function is desired and looking at source/common/api/posix/os_sys_calls_impl.cc it seems possible by defining IP_TOS like other fields defined.

2. Invoking this also would need some changes to filter (If I'm getting it right). This is needed for TCP connection. Would it be http filter or router filter ?

3. Trigger to add this.

     This part is not clear. Use case would be -- Application container triggers a HTTP request which is intercepted by local sidecar istio-proxy=envoy --> forwarded to egress gateway pod istio-proxy=envoy. Proposal is to use some http header being introduced at application container which comes up to egress gw and the filter (?) does the match to add the dscp value as specified in header value. I was referring https://github.com/envoyproxy/envoy/blob/main/docs/root/configuration/http/http_filters/router_filter.rst#id1 for some idea.

I'm willing to contribute as well on this.

Comments / suggestions / thoughts welcome.

Thanks,

Kunal

[Kunal Ekawde]

The primary question boils down to:

Is filter the best choice to update IP header in egress traffic ? And If so, which filter best suits ?

Thanks

Kunal