Reid Rankin <[email protected]> writes:

> It can also be done in a shell script with nftables (maybe iptables too,
> haven't tried) by taking advantage of fwmark passthrough. You can have one
> rule that matches incoming outgoing packets (heh) with a certain dscp value
> and marks them, and another rule that matches outgoing outgoing packets
> with that mark and sets the DSCP bits back.

The fwmark is not passed through wireguard, though, it's cleared during
skb scrubbing:

https://elixir.bootlin.com/linux/latest/source/net/core/skbuff.c#L5344

There's an fwmark config that you can set which will make wireguard
apply a certain mark to all outgoing packets, but that has nothing to do
with what was set on the inner packet...

-Toke
