(interception) Linux: respect original packet marks (#1993)

(WireGuard/wg-quick compatibility)
2025-09-03 13:32:07 +03:00
parent f7a8133f81
commit 10589dc725
1 changed files with 12 additions and 0 deletions
--- a/service/firewall/interception/nfqueue_linux.go
+++ b/service/firewall/interception/nfqueue_linux.go
@@ -54,13 +54,22 @@ func init() {
 	}
 	v4rules = []string{
 		// stenya: Preserve original packet marks for permanently allowed connections (connmark 1710/AcceptAlways)
 		// to ensure compatibility with other tools that also rely on packet marks.
 		// This rule is placed before `CONNMARK --restore-mark` to prevent overwriting the original mark.
 		// (Example: WireGuard/wg-quick relies on packet marks; changing them would break its routing).
 		"mangle PORTMASTER-INGEST-OUTPUT -m mark ! --mark 0 -m connmark --mark 1710 -j RETURN",
 		"mangle PORTMASTER-INGEST-OUTPUT -j CONNMARK --restore-mark",
 		"mangle PORTMASTER-INGEST-OUTPUT -m mark --mark 0 -j NFQUEUE --queue-num 17040 --queue-bypass",
 		// stenya: Preserve original packet marks, similar to the OUTPUT chain (not sure if this is really needed for INPUT).
 		"mangle PORTMASTER-INGEST-INPUT -m mark ! --mark 0 -m connmark --mark 1710 -j RETURN",
 		"mangle PORTMASTER-INGEST-INPUT -j CONNMARK --restore-mark",
 		"mangle PORTMASTER-INGEST-INPUT -m mark --mark 0 -j NFQUEUE --queue-num 17140 --queue-bypass",
 		"filter PORTMASTER-FILTER -m mark --mark 0 -j DROP",
 		// stenya: Preserve original packet marks.
 		"filter PORTMASTER-FILTER -m connmark --mark 1710 -j RETURN",
 		"filter PORTMASTER-FILTER -m mark --mark 1700 -j RETURN",
 		// Accepting ICMP packets with mark 1701 is required for rejecting to work,
 		// as the rejection ICMP packet will have the same mark. Blocked ICMP
@@ -100,13 +109,16 @@ func init() {
 	}
 	v6rules = []string{
 		"mangle PORTMASTER-INGEST-OUTPUT -m mark ! --mark 0 -m connmark --mark 1710 -j RETURN",
 		"mangle PORTMASTER-INGEST-OUTPUT -j CONNMARK --restore-mark",
 		"mangle PORTMASTER-INGEST-OUTPUT -m mark --mark 0 -j NFQUEUE --queue-num 17060 --queue-bypass",
 		"mangle PORTMASTER-INGEST-INPUT -m mark ! --mark 0 -m connmark --mark 1710 -j RETURN",
 		"mangle PORTMASTER-INGEST-INPUT -j CONNMARK --restore-mark",
 		"mangle PORTMASTER-INGEST-INPUT -m mark --mark 0 -j NFQUEUE --queue-num 17160 --queue-bypass",
 		"filter PORTMASTER-FILTER -m mark --mark 0 -j DROP",
 		"filter PORTMASTER-FILTER -m connmark --mark 1710 -j RETURN",
 		"filter PORTMASTER-FILTER -m mark --mark 1700 -j RETURN",
 		"filter PORTMASTER-FILTER -m mark --mark 1701 -p icmpv6 -j RETURN",
 		"filter PORTMASTER-FILTER -m mark --mark 1701 -j REJECT --reject-with icmp6-adm-prohibited",