Linux packet fwmarking

This is where we can discuss what we would like to see added or changed in OpenVPN.

piece
OpenVpn Newbie
Posts: 1
Joined: Sun Sep 13, 2015 4:44 pm

Post by piece » Sun Sep 13, 2015 5:11 pm

Dear developers,

Is it somehow possible to keep the packet fwmarks which are set by iptables and take them over to the encrypted packets?
I've looked into the source and it seems you mark the whole socket and not the individual packets.
Is that just simpler or is there no easy way to mark individual packets?

We need this feature, so our traffic shaping can still shape the encrypted traffic.
Here iptables marks the unencrypted VPN traffic with a few different marks (think http, ftp, ack packets, local IPs, etc.) and tc shapes it into multiple queues with different priorities.
If that were our only traffic, then we'd be done.
Unfortunately there is also massive non-VPN traffic going out on the same interface.
And here I can only shape the unencrypted traffic in detail, but all VPN traffic flows into a single queue.
My only chance would be to reserve a part of the upstream solely for VPN, but that's hardly a solution.
What I would love is OpenVPN taking the iptables mark from the original packet and putting it on the encrypted packet (or packets if it splits them).
Right now I can only set a single mark for all VPN packets with the --mark option.
But since iptables can do this easily too, this feature is rather useless in this form.

Do you see any chance of implementing this?
Or maybe you have some hints for me, so I can try to implement it myself.
I'm quite familiar with C in general, but got no detailed view yet about the openvpn source.

Thank you.
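The setup the post describes, written out as an added example (this is not code from the post, nor anything shipped by OpenVPN): iptables assigns per-traffic-type fwmarks, an HTB qdisc on the uplink classifies on those marks with the `fw` filter, and the encrypted UDP packets emitted by OpenVPN's socket all carry the one value given to `--mark`, so they can only ever land in a single class. Assumed names and numbers: uplink `eth0`, tunnel device `tun0`, a 10 Mbit uplink, mark values 10/11 for inner traffic and 40 for `--mark`; all are constructed for the example. By default the script only echoes the commands (`RUN=echo`); set `RUN=` to apply them as root.

```shell
#!/bin/sh
# Constructed example: fwmark-based shaping on the uplink, showing where
# OpenVPN's socket-level --mark fits. Assumptions: eth0 is the uplink,
# tun0 the VPN device, openvpn runs with "--mark 40", 10 Mbit upstream.
set -eu

UPLINK=${UPLINK:-eth0}
RATE=${RATE:-10mbit}
VPN_MARK=${VPN_MARK:-40}   # same value as "openvpn --mark 40" (assumed)
RUN=${RUN:-echo}           # "echo" = dry run; RUN="" applies for real (root)

# mark_rule PROTO DPORT MARK: emit one mangle rule. POSTROUTING sees both
# locally generated and forwarded packets, whether they leave via eth0
# (plain traffic, mark survives to the qdisc) or via tun0 (inner VPN
# traffic, mark is lost once OpenVPN re-encapsulates the payload).
mark_rule() {
    $RUN iptables -t mangle -A POSTROUTING -p "$1" --dport "$2" \
        -j MARK --set-mark "$3"
}

shaping_rules() {
    # inner / plain traffic classes
    mark_rule tcp 80 10    # http   -> interactive class
    mark_rule tcp 443 10   # https  -> interactive class
    mark_rule tcp 21 11    # ftp    -> bulk class

    # HTB tree on the uplink: 1:10 interactive, 1:20 VPN, 1:30 bulk/default
    $RUN tc qdisc add dev "$UPLINK" root handle 1: htb default 30
    $RUN tc class add dev "$UPLINK" parent 1: classid 1:1 htb rate "$RATE"
    $RUN tc class add dev "$UPLINK" parent 1:1 classid 1:10 htb rate 3mbit ceil "$RATE" prio 1
    $RUN tc class add dev "$UPLINK" parent 1:1 classid 1:20 htb rate 3mbit ceil "$RATE" prio 2
    $RUN tc class add dev "$UPLINK" parent 1:1 classid 1:30 htb rate 4mbit ceil "$RATE" prio 3

    # fw classifier: the mark value selects the class
    $RUN tc filter add dev "$UPLINK" parent 1: protocol ip handle 10 fw flowid 1:10
    $RUN tc filter add dev "$UPLINK" parent 1: protocol ip handle 11 fw flowid 1:30
    # Every encrypted packet carries only the socket mark from --mark, so
    # http-in-VPN and ftp-in-VPN are indistinguishable here: one class.
    $RUN tc filter add dev "$UPLINK" parent 1: protocol ip handle "$VPN_MARK" fw flowid 1:20
}

shaping_rules
```

Run with `RUN=echo sh shaping.sh` to review the generated rule set before applying it; the single `handle 40 fw` filter at the end is the limitation the post is asking to lift.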
