Feature: Support copying connmark/fwmark from incoming DNS request to upstream connection #3024

Open
opened 2026-03-04 02:51:20 -05:00 by deekerman · 0 comments

Originally created by @ewildgoose on GitHub (Sep 6, 2021).

Hi, one feature that I need from dnsmasq is the ability to copy the packet mark (or connection mark) from the incoming DNS request over to the outgoing upstream request.

The purpose of this is to allow monitoring and aggregating of bandwidth data (or blocking the request) by setting per user connmarks. (Actually I also use this for multi-internet connection routing, as different users may be policy routed out through different internet connections, based on the fwmark/connmark assigned to them).

It's a generally useful trick, to be able to persist some user data through some "proxy" type application which otherwise mixes together data from multiple users, but where you still want to be able to do "per user" type network stuff on the other side of the proxy app, e.g. choosing upstream internet connections, throttling, marking captive portal users, bandwidth tracking, etc.

In general the way I have implemented this for other little internal services (that I've created) is just to read the fwmark of the first packet (using the equivalent of getsockopt(so_socket, sol_mark)), then I set this same mark on the new connection. External firewall rules take care of copying the packet mark to the connection mark. In this way the output connection has the same connmark as the incoming connection. (Assuming Linux, conntrack will then mark the incoming DNS response with the same mark, i.e. it groups UDP packets under a kind of virtual "connection".)

I have no familiarity with the AdGuard code. Ideally I'm hoping someone likes this idea and will either implement it or send me a quote, but at least if someone more familiar with the code can give me a leg up then I will look to create my own patch and submit it. Thanks for listening.

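One way to carry a per-client mark onto the upstream socket on Linux, as an added example in Go (the language AdGuard Home is written in) that is not part of this issue or of the project's code. It assumes a constructed client-to-mark table in place of the firewall-derived mark, placeholder addresses, and that the process holds CAP_NET_ADMIN for setsockopt(SO_MARK); reading the mark back needs no privilege.

```go
package main

import (
	"fmt"
	"net"
	"syscall"
)

// Constructed client-to-mark policy table (assumption), e.g. to steer each user out a given ISP link.
var clientMarks = map[string]uint32{
	"192.0.2.10": 0x10, // user A
	"192.0.2.20": 0x20, // user B
}

// markForClient looks up the mark for the client that sent the DNS request.
func markForClient(client net.IP) (uint32, bool) {
	m, ok := clientMarks[client.String()]
	return m, ok
}

// setMark stamps SO_MARK on a socket so every packet it sends carries that
// fwmark; firewall rules can then copy it to the connmark (needs CAP_NET_ADMIN).
func setMark(fd int, mark uint32) error {
	return syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_MARK, int(mark))
}

// getMark reads SO_MARK back from a socket (no privilege needed).
func getMark(fd int) (uint32, error) {
	v, err := syscall.GetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_MARK)
	return uint32(v), err
}

// markedDialer marks the socket before connect(), so the upstream DNS
// connection (UDP or TCP) leaves with the client's mark.
func markedDialer(mark uint32) *net.Dialer {
	return &net.Dialer{
		Control: func(network, address string, c syscall.RawConn) error {
			var serr error
			if err := c.Control(func(fd uintptr) { serr = setMark(int(fd), mark) }); err != nil {
				return err
			}
			return serr
		},
	}
}

func main() {
	mark, _ := markForClient(net.ParseIP("192.0.2.10"))
	_, err := markedDialer(mark).Dial("udp", "198.51.100.53:53") // placeholder upstream
	fmt.Printf("mark 0x%x, dial error: %v\n", mark, err)        // nil only with CAP_NET_ADMIN
}
```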