
Commit dc32f53

committed
redirect: Fix UDP rules
1 parent a8ce383 commit dc32f53

1 file changed

+44
-7
lines changed

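--- a/redirect_nftables.go
+++ b/redirect_nftables.go
@@ -113,12 +113,6 @@ func (r *autoRedirect) setupNFTables() error {
 Priority: nftables.ChainPriorityRef(*nftables.ChainPriorityNATDest + 2),
 Type: nftables.ChainTypeFilter,
 })
-if r.enableIPv4 {
-nftablesCreateExcludeDestinationIPSet(nft, table, chainPreRoutingUDP, 5, "inet4_local_address_set", nftables.TableFamilyIPv4, false)
-}
-if r.enableIPv6 {
-nftablesCreateExcludeDestinationIPSet(nft, table, chainPreRoutingUDP, 6, "inet6_local_address_set", nftables.TableFamilyIPv6, false)
-}
 nft.AddRule(&nftables.Rule{
 Table: table,
 Chain: chainPreRoutingUDP,
@@ -128,10 +122,19 @@ func (r *autoRedirect) setupNFTables() error {
 Register: 1,
 },
 &expr.Cmp{
-Op: expr.CmpOpEq,
+Op: expr.CmpOpNeq,
 Register: 1,
 Data: []byte{unix.IPPROTO_UDP},
 },
+&expr.Verdict{
+Kind: expr.VerdictReturn,
+},
+},
+})
+nft.AddRule(&nftables.Rule{
+Table: table,
+Chain: chainPreRoutingUDP,
+Exprs: []expr.Any{
 &expr.Ct{
 Key: expr.CtKeyMARK,
 Register: 1,
@@ -149,6 +152,40 @@ func (r *autoRedirect) setupNFTables() error {
 &expr.Counter{},
 },
 })
+nft.AddRule(&nftables.Rule{
+Table: table,
+Chain: chainPreRoutingUDP,
+Exprs: []expr.Any{
+&expr.Ct{
+Key: expr.CtKeyMARK,
+Register: 1,
+},
+&expr.Cmp{
+Op: expr.CmpOpNeq,
+Register: 1,
+Data: binaryutil.NativeEndian.PutUint32(r.tunOptions.AutoRedirectInputMark),
+},
+&expr.Immediate{
+Register: 1,
+Data: binaryutil.NativeEndian.PutUint32(r.tunOptions.AutoRedirectOutputMark),
+},
+&expr.Meta{
+Key: expr.MetaKeyMARK,
+Register: 1,
+SourceRegister: true,
+},
+&expr.Meta{
+Key: expr.MetaKeyMARK,
+Register: 1,
+},
+&expr.Ct{
+Key: expr.CtKeyMARK,
+Register: 1,
+SourceRegister: true,
+},
+&expr.Counter{},
+},
+})
 }
 
 err = r.configureOpenWRTFirewall4(nft, false)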
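Review bot: The third rule in the last hunk overwrites the conntrack mark of every UDP flow whose ct mark merely differs from AutoRedirectInputMark, so a flow that already carries some other mark value (one set by a different firewall rule, or left over from an earlier run with a different output mark) is silently re-marked with AutoRedirectOutputMark; if only unmarked flows are meant to be claimed, the `expr.Cmp` should compare against a zero mark instead of `!= AutoRedirectInputMark`, though I cannot tell from the hunk whether clobbering foreign marks is intended. The new chain now encodes a three-step scheme — return early for non-UDP, handle flows already marked as input, then mark and persist everything else — and none of it is commented; a comment above the first `nft.AddRule` such as `// chainPreRoutingUDP: skip non-UDP, pass input-marked flows through, and stamp all other UDP flows with the output mark (saved to ct mark so later packets of the flow match)` would save the next reader from decoding the register dance. As a point of style, `binaryutil.NativeEndian.PutUint32(r.tunOptions.AutoRedirectInputMark)` and the OutputMark equivalent are now built inline in several rules; hoisting them into locals (`inputMark := binaryutil.NativeEndian.PutUint32(r.tunOptions.AutoRedirectInputMark)`, likewise for the output mark) before the first `AddRule` would keep the rules shorter and guarantee both Cmp and Immediate use the same bytes. setupNFTables both starts and ends outside these hunks, and the second rule's remaining expressions are not visible here.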
