From fe7d14636065ec743738720c69d5e11d61ada9eb Mon Sep 17 00:00:00 2001
From: Daniel
Date: Fri, 24 Apr 2020 10:58:39 +0200
Subject: [PATCH] Switch from ACCEPT to RETURN when accepting a packet/connection with iptables

This will ensure the Portmaster will not circumvent existing firewall rules.
---
 firewall/interception/nfqueue_linux.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/firewall/interception/nfqueue_linux.go b/firewall/interception/nfqueue_linux.go
index 48cebadc..312478cb 100644
--- a/firewall/interception/nfqueue_linux.go
+++ b/firewall/interception/nfqueue_linux.go
@@ -45,14 +45,14 @@ func init() {
  "mangle C171 -m mark --mark 0 -j NFQUEUE --queue-num 17140 --queue-bypass",
  "filter C17 -m mark --mark 0 -j DROP",
- "filter C17 -m mark --mark 1700 -j ACCEPT",
+ "filter C17 -m mark --mark 1700 -j RETURN",
  "filter C17 -m mark --mark 1701 -j REJECT --reject-with icmp-host-prohibited",
  "filter C17 -m mark --mark 1702 -j DROP",
  "filter C17 -j CONNMARK --save-mark",
- "filter C17 -m mark --mark 1710 -j ACCEPT",
+ "filter C17 -m mark --mark 1710 -j RETURN",
  "filter C17 -m mark --mark 1711 -j REJECT --reject-with icmp-host-prohibited",
  "filter C17 -m mark --mark 1712 -j DROP",
- "filter C17 -m mark --mark 1717 -j ACCEPT",
+ "filter C17 -m mark --mark 1717 -j RETURN",
  }
  v4once = []string{
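Review bot: The rationale for RETURN instead of ACCEPT exists only in the commit message; the `filter C17` rule list itself gives no hint, so a later reader may well "fix" the allow rules back to ACCEPT and silently reintroduce the bypass of the host's own firewall rules. A one-line comment above the first changed rule would pin the intent: `// Allowed packets RETURN rather than ACCEPT so that rules in the calling chain still apply.` The same applies to the IPv6 rules in the second hunk at @@ -80,14. Note that the asymmetry is deliberate and worth stating in that comment: REJECT/DROP verdicts stay terminal while allow verdicts now defer to whatever follows the jump into C17 in the parent chain, which only has the described effect if that jump is inserted ahead of the pre-existing rules — the placement is not visible in this hunk. With RETURN, the trailing `--mark 1717 -j RETURN` rule is behaviorally the same as falling off the end of the chain, so it now serves only as an explicit marker; the enclosing init() and the v4rules slice literal both begin outside the hunk.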
@@ -80,14 +80,14 @@ func init() {
  "mangle C171 -m mark --mark 0 -j NFQUEUE --queue-num 17160 --queue-bypass",
  "filter C17 -m mark --mark 0 -j DROP",
- "filter C17 -m mark --mark 1700 -j ACCEPT",
+ "filter C17 -m mark --mark 1700 -j RETURN",
  "filter C17 -m mark --mark 1701 -j REJECT --reject-with icmp6-adm-prohibited",
  "filter C17 -m mark --mark 1702 -j DROP",
  "filter C17 -j CONNMARK --save-mark",
- "filter C17 -m mark --mark 1710 -j ACCEPT",
+ "filter C17 -m mark --mark 1710 -j RETURN",
  "filter C17 -m mark --mark 1711 -j REJECT --reject-with icmp6-adm-prohibited",
  "filter C17 -m mark --mark 1712 -j DROP",
- "filter C17 -m mark --mark 1717 -j ACCEPT",
+ "filter C17 -m mark --mark 1717 -j RETURN",
  }
  v6once = []string{