(interception) Linux: respect original packet marks (#1993)

(WireGuard/wg-quick compatibility)
2025-09-03 13:32:07 +03:00
parent f7a8133f81
commit 10589dc725
1 changed files with 12 additions and 0 deletions
--- a/service/firewall/interception/nfqueue_linux.go
+++ b/service/firewall/interception/nfqueue_linux.go
@@ -54,13 +54,22 @@ func init() {
 	}

 	v4rules = []string{
+		// stenya: Preserve original packet marks for permanently allowed connections (connmark 1710/AcceptAlways)
+		// to ensure compatibility with other tools that also rely on packet marks.
+		// This rule is placed before `CONNMARK --restore-mark` to prevent overwriting the original mark.
+		// (Example: WireGuard/wg-quick relies on packet marks; changing them would break its routing).
+		"mangle PORTMASTER-INGEST-OUTPUT -m mark ! --mark 0 -m connmark --mark 1710 -j RETURN",
 		"mangle PORTMASTER-INGEST-OUTPUT -j CONNMARK --restore-mark",
 		"mangle PORTMASTER-INGEST-OUTPUT -m mark --mark 0 -j NFQUEUE --queue-num 17040 --queue-bypass",

+		// stenya: Preserve original packet marks, similar to the OUTPUT chain (not sure if this is really needed for INPUT).
+		"mangle PORTMASTER-INGEST-INPUT -m mark ! --mark 0 -m connmark --mark 1710 -j RETURN",
 		"mangle PORTMASTER-INGEST-INPUT -j CONNMARK --restore-mark",
 		"mangle PORTMASTER-INGEST-INPUT -m mark --mark 0 -j NFQUEUE --queue-num 17140 --queue-bypass",

 		"filter PORTMASTER-FILTER -m mark --mark 0 -j DROP",
+		// stenya: Preserve original packet marks.
+		"filter PORTMASTER-FILTER -m connmark --mark 1710 -j RETURN",
 		"filter PORTMASTER-FILTER -m mark --mark 1700 -j RETURN",
 		// Accepting ICMP packets with mark 1701 is required for rejecting to work,
 		// as the rejection ICMP packet will have the same mark. Blocked ICMP
@@ -100,13 +109,16 @@ func init() {
 	}

 	v6rules = []string{
+		"mangle PORTMASTER-INGEST-OUTPUT -m mark ! --mark 0 -m connmark --mark 1710 -j RETURN",
 		"mangle PORTMASTER-INGEST-OUTPUT -j CONNMARK --restore-mark",
 		"mangle PORTMASTER-INGEST-OUTPUT -m mark --mark 0 -j NFQUEUE --queue-num 17060 --queue-bypass",

+		"mangle PORTMASTER-INGEST-INPUT -m mark ! --mark 0 -m connmark --mark 1710 -j RETURN",
 		"mangle PORTMASTER-INGEST-INPUT -j CONNMARK --restore-mark",
 		"mangle PORTMASTER-INGEST-INPUT -m mark --mark 0 -j NFQUEUE --queue-num 17160 --queue-bypass",

 		"filter PORTMASTER-FILTER -m mark --mark 0 -j DROP",
+		"filter PORTMASTER-FILTER -m connmark --mark 1710 -j RETURN",
 		"filter PORTMASTER-FILTER -m mark --mark 1700 -j RETURN",
 		"filter PORTMASTER-FILTER -m mark --mark 1701 -p icmpv6 -j RETURN",
 		"filter PORTMASTER-FILTER -m mark --mark 1701 -j REJECT --reject-with icmp6-adm-prohibited",