From 0dce13d18fd22b29a140833816933b0ae4dff3ff Mon Sep 17 00:00:00 2001
From: Daniel
Date: Wed, 22 Jun 2022 10:40:21 +0200
Subject: [PATCH] Fix detection of incoming localhost packets on Linux

---
 firewall/interception/nfq/packet.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/firewall/interception/nfq/packet.go b/firewall/interception/nfq/packet.go
index 46ca3ea5..528f2e3c 100644
--- a/firewall/interception/nfq/packet.go
+++ b/firewall/interception/nfq/packet.go
@@ -141,6 +141,13 @@ func (pkt *packet) Drop() error {
 }
 
 func (pkt *packet) PermanentAccept() error {
+	// If the packet is localhost only, do not permanently accept the outgoing
+	// packet, as the packet mark will be copied to the connection mark, which
+	// will stick and it will bypass the incoming queue.
+	if !pkt.Info().Inbound && pkt.Info().Dst.IsLoopback() {
+		return pkt.Accept()
+	}
+
 	return pkt.mark(MarkAcceptAlways)
 }
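Review bot: PermanentAccept's new guard changes the method's contract — a loopback-bound outbound packet is now accepted only once rather than for the life of the connection — but that is explained only in an inline comment, so a caller reading the method's name still expects a sticky verdict; a doc comment on the method should state it, e.g. `// PermanentAccept marks the whole connection as accepted; outbound packets to a loopback destination are accepted once only (see below), so the reply direction still reaches the incoming queue.`. The condition also calls `pkt.Info()` twice on the same line; binding it once reads better and avoids repeating whatever work the accessor does: `info := pkt.Info()` followed by `if !info.Inbound && info.Dst.IsLoopback() {`. The check covers only 127.0.0.0/8 and ::1 destinations; on Linux, traffic addressed to one of the host's own non-loopback interface addresses is presumably also delivered locally and would still receive the permanent mark — worth confirming whether the same bypass of the incoming queue applies there.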