From 3c34bd1fd0158760c9592f5ae089bbeaf7e4f4f0 Mon Sep 17 00:00:00 2001
From: Andrey Petelin
Date: Mon, 1 Jun 2026 14:11:14 +0500
Subject: [PATCH] fix: skip connections with DNAT status in NFT mangle chain

---
 podkop/files/usr/bin/podkop | 1 +
 1 file changed, 1 insertion(+)

diff --git a/podkop/files/usr/bin/podkop b/podkop/files/usr/bin/podkop
index c8b704c..e3af7c0 100755
--- a/podkop/files/usr/bin/podkop
+++ b/podkop/files/usr/bin/podkop
@@ -312,6 +312,7 @@ create_nft_rules() {
 nft add chain inet "$NFT_TABLE_NAME" mangle_output '{ type route hook output priority -150; policy accept; }'
 nft add chain inet "$NFT_TABLE_NAME" proxy '{ type filter hook prerouting priority -100; policy accept; }'
+ nft add rule inet "$NFT_TABLE_NAME" mangle ct status dnat return
 nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto tcp meta mark set "$NFT_FAKEIP_MARK" counter
 nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto udp meta mark set "$NFT_FAKEIP_MARK" counter
 nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto tcp meta mark set "$NFT_FAKEIP_MARK" counter
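Review bot: The new `ct status dnat return` rule is the only rule in this hunk without a `counter` expression, so an operator cannot confirm from `nft list ruleset` that DNAT'd connections are really bypassing the fakeip marking; `nft add rule inet "$NFT_TABLE_NAME" mangle ct status dnat counter return` would match its neighbours and make the bypass observable. A one-line comment above it stating the intent would also help, e.g. `# Connections already DNAT'd (port forwards/redirects) must not be marked for the proxy`. Note that `ct status dnat` is a property of the conntrack entry rather than of the packet, so it presumably matches both directions of such a connection and is not limited by `iifname` the way the marking rules below it are; if the intent was only to exempt forwards arriving from the interface set, the exemption may be broader than needed and is worth confirming. The `mangle` chain this rule targets is created outside the visible lines, and create_nft_rules() continues beyond the hunk.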