From 4448c09c347995b05c37dc6b87387425023ef40d Mon Sep 17 00:00:00 2001 From: Andrey Petelin Date: Wed, 14 Jan 2026 10:25:03 +0500 Subject: [PATCH 1/3] fix: replace fakeip mark 0x105 with 0x80000 to avoid conflict with mwan3 (#275) --- podkop/files/usr/bin/podkop | 46 +++++++++++++++---------------- podkop/files/usr/lib/constants.sh | 2 ++ 2 files changed, 25 insertions(+), 23 deletions(-) diff --git a/podkop/files/usr/bin/podkop b/podkop/files/usr/bin/podkop index d467d68..146c461 100755 --- a/podkop/files/usr/bin/podkop +++ b/podkop/files/usr/bin/podkop @@ -164,12 +164,12 @@ stop_main() { log "Flush ip rule" if ip rule list | grep -q "podkop"; then - ip rule del fwmark 0x105 table podkop priority 105 + ip rule del fwmark "$NFT_FAKEIP_MARK" table "$RT_TABLE_NAME" priority 105 fi log "Flush ip route" - if ip route list table podkop > /dev/null 2>&1; then - ip route flush table podkop + if ip route list table "$RT_TABLE_NAME" > /dev/null 2>&1; then + ip route flush table "$RT_TABLE_NAME" fi log "Stop sing-box" @@ -251,20 +251,18 @@ br_netfilter_disable() { # Main funcs route_table_rule_mark() { - local table=podkop + grep -q "105 $RT_TABLE_NAME" /etc/iproute2/rt_tables || echo "105 $RT_TABLE_NAME" >> /etc/iproute2/rt_tables - grep -q "105 $table" /etc/iproute2/rt_tables || echo "105 $table" >> /etc/iproute2/rt_tables - - if ! ip route list table $table | grep -q "local default dev lo scope host"; then + if ! ip route list table "$RT_TABLE_NAME" 2>/dev/null | grep -q "local default dev lo scope host"; then log "Added route for tproxy" "debug" - ip route add local 0.0.0.0/0 dev lo table $table + ip route add local 0.0.0.0/0 dev lo table "$RT_TABLE_NAME" else log "Route for tproxy exists" "debug" fi - if ! ip rule list | grep -q "from all fwmark 0x105 lookup $table"; then + if ! ip rule list | grep -q "from all fwmark $NFT_FAKEIP_MARK lookup $RT_TABLE_NAME"; then log "Create marking rule" "debug" - ip -4 rule add fwmark 0x105 table $table priority 105 + ip -4 rule add fwmark "$NFT_FAKEIP_MARK" table "$RT_TABLE_NAME" priority 105 else log "Marking rule exist" "debug" fi @@ -314,19 +312,19 @@ create_nft_rules() { nft add chain inet "$NFT_TABLE_NAME" mangle_output '{ type route hook output priority -150; policy accept; }' nft add chain inet "$NFT_TABLE_NAME" proxy '{ type filter hook prerouting priority -100; policy accept; }' - nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto tcp meta mark set 0x105 counter - nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto udp meta mark set 0x105 counter - nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto tcp meta mark set 0x105 counter - nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto udp meta mark set 0x105 counter + nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto tcp meta mark set "$NFT_FAKEIP_MARK" counter + nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto udp meta mark set "$NFT_FAKEIP_MARK" counter + nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto tcp meta mark set "$NFT_FAKEIP_MARK" counter + nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto udp meta mark set "$NFT_FAKEIP_MARK" counter - nft add rule inet "$NFT_TABLE_NAME" proxy meta mark 0x105 meta l4proto tcp tproxy ip to 127.0.0.1:1602 counter - nft add rule inet "$NFT_TABLE_NAME" proxy meta mark 0x105 meta l4proto udp tproxy ip to 127.0.0.1:1602 counter + nft add rule inet "$NFT_TABLE_NAME" proxy meta mark "$NFT_FAKEIP_MARK" meta l4proto tcp tproxy ip to 127.0.0.1:1602 counter + nft add rule inet "$NFT_TABLE_NAME" proxy meta mark "$NFT_FAKEIP_MARK" meta l4proto udp tproxy ip to 127.0.0.1:1602 counter nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_LOCALV4_SET_NAME" return - nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto tcp meta mark set 0x105 counter - nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto udp meta mark set 0x105 counter - nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto tcp meta mark set 0x105 counter - nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto udp meta mark set 0x105 counter + nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto tcp meta mark set "$NFT_FAKEIP_MARK" counter + nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto udp meta mark set "$NFT_FAKEIP_MARK" counter + nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto tcp meta mark set "$NFT_FAKEIP_MARK" counter + nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto udp meta mark set "$NFT_FAKEIP_MARK" counter local exclude_ntp config_get_bool exclude_ntp "settings" "exclude_ntp" "0" @@ -1273,7 +1271,7 @@ import_community_service_subnet_list_handler() { URL=$SUBNETS_DISCORD nft_create_ipv4_set "$NFT_TABLE_NAME" "$NFT_DISCORD_SET_NAME" nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr \ - "@$NFT_DISCORD_SET_NAME" udp dport '{ 50000-65535 }' meta mark set 0x105 counter + "@$NFT_DISCORD_SET_NAME" udp dport '{ 50000-65535 }' meta mark set "$NFT_FAKEIP_MARK" counter ;; *) return 0 ;; esac @@ -1562,8 +1560,10 @@ nft_list_all_traffic_from_ip() { local ip="$1" if ! nft list chain inet "$NFT_TABLE_NAME" mangle | grep -q "ip saddr $ip"; then - nft insert rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip saddr "$ip" meta l4proto tcp meta mark set 0x105 counter - nft insert rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip saddr "$ip" meta l4proto udp meta mark set 0x105 counter + nft insert rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip saddr "$ip" \ + meta l4proto tcp meta mark set "$NFT_FAKEIP_MARK" counter + nft insert rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip saddr "$ip" \ + meta l4proto udp meta mark set "$NFT_FAKEIP_MARK" counter nft insert rule inet "$NFT_TABLE_NAME" mangle ip saddr "$ip" ip daddr @localv4 return fi } diff --git a/podkop/files/usr/lib/constants.sh b/podkop/files/usr/lib/constants.sh index 4c6a490..90bf40a 100644 --- a/podkop/files/usr/lib/constants.sh +++ b/podkop/files/usr/lib/constants.sh @@ -12,6 +12,7 @@ TMP_RULESET_FOLDER="$TMP_SING_BOX_FOLDER/rulesets" CLOUDFLARE_OCTETS="8.47 162.159 188.114" # Endpoints https://github.com/ampetelin/warp-endpoint-checker JQ_REQUIRED_VERSION="1.7.1" COREUTILS_BASE64_REQUIRED_VERSION="9.7" +RT_TABLE_NAME="podkop" ## nft NFT_TABLE_NAME="PodkopTable" @@ -19,6 +20,7 @@ NFT_LOCALV4_SET_NAME="localv4" NFT_COMMON_SET_NAME="podkop_subnets" NFT_DISCORD_SET_NAME="podkop_discord_subnets" NFT_INTERFACE_SET_NAME="interfaces" +NFT_FAKEIP_MARK="0x80000" ## sing-box SB_REQUIRED_VERSION="1.12.0" From 1e9a7bffa4449e4745ed76d1aef9c995d8d9efae Mon Sep 17 00:00:00 2001 From: Andrey Petelin Date: Wed, 14 Jan 2026 10:29:13 +0500 Subject: [PATCH 2/3] fix: avoid outbound traffic loop by adding NFT_OUTBOUND_MARK (0x90000) and mangle_output return rule (#248) --- podkop/files/usr/bin/podkop | 1 + podkop/files/usr/lib/constants.sh | 1 + 2 files changed, 2 insertions(+) diff --git a/podkop/files/usr/bin/podkop b/podkop/files/usr/bin/podkop index 146c461..813c2bd 100755 --- a/podkop/files/usr/bin/podkop +++ b/podkop/files/usr/bin/podkop @@ -321,6 +321,7 @@ create_nft_rules() { nft add rule inet "$NFT_TABLE_NAME" proxy meta mark "$NFT_FAKEIP_MARK" meta l4proto udp tproxy ip to 127.0.0.1:1602 counter nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_LOCALV4_SET_NAME" return + nft add rule inet "$NFT_TABLE_NAME" mangle_output meta mark "$NFT_OUTBOUND_MARK" counter return nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto tcp meta mark set "$NFT_FAKEIP_MARK" counter nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto udp meta mark set "$NFT_FAKEIP_MARK" counter nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto tcp meta mark set "$NFT_FAKEIP_MARK" counter diff --git a/podkop/files/usr/lib/constants.sh b/podkop/files/usr/lib/constants.sh index 90bf40a..c8cb47b 100644 --- a/podkop/files/usr/lib/constants.sh +++ b/podkop/files/usr/lib/constants.sh @@ -21,6 +21,7 @@ NFT_COMMON_SET_NAME="podkop_subnets" NFT_DISCORD_SET_NAME="podkop_discord_subnets" NFT_INTERFACE_SET_NAME="interfaces" NFT_FAKEIP_MARK="0x80000" +NFT_OUTBOUND_MARK="0x90000" ## sing-box SB_REQUIRED_VERSION="1.12.0" From a40240bb3f23b1a3618d58739c33c7ce04176ad1 Mon Sep 17 00:00:00 2001 From: Andrey Petelin Date: Wed, 14 Jan 2026 14:09:51 +0500 Subject: [PATCH 3/3] fix: use fwmark/mask and bitwise meta mark comparison to correctly match packet marks --- podkop/files/usr/bin/podkop | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/podkop/files/usr/bin/podkop b/podkop/files/usr/bin/podkop index 813c2bd..5f2dc9e 100755 --- a/podkop/files/usr/bin/podkop +++ b/podkop/files/usr/bin/podkop @@ -164,7 +164,7 @@ stop_main() { log "Flush ip rule" if ip rule list | grep -q "podkop"; then - ip rule del fwmark "$NFT_FAKEIP_MARK" table "$RT_TABLE_NAME" priority 105 + ip rule del fwmark "$NFT_FAKEIP_MARK"/"$NFT_FAKEIP_MARK" table "$RT_TABLE_NAME" priority 105 fi log "Flush ip route" @@ -260,9 +260,9 @@ route_table_rule_mark() { log "Route for tproxy exists" "debug" fi - if ! ip rule list | grep -q "from all fwmark $NFT_FAKEIP_MARK lookup $RT_TABLE_NAME"; then + if ! ip rule list | grep -q "from all fwmark $NFT_FAKEIP_MARK/$NFT_FAKEIP_MARK lookup $RT_TABLE_NAME"; then log "Create marking rule" "debug" - ip -4 rule add fwmark "$NFT_FAKEIP_MARK" table "$RT_TABLE_NAME" priority 105 + ip -4 rule add fwmark "$NFT_FAKEIP_MARK"/"$NFT_FAKEIP_MARK" table "$RT_TABLE_NAME" priority 105 else log "Marking rule exist" "debug" fi @@ -317,8 +317,8 @@ create_nft_rules() { nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto tcp meta mark set "$NFT_FAKEIP_MARK" counter nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto udp meta mark set "$NFT_FAKEIP_MARK" counter - nft add rule inet "$NFT_TABLE_NAME" proxy meta mark "$NFT_FAKEIP_MARK" meta l4proto tcp tproxy ip to 127.0.0.1:1602 counter - nft add rule inet "$NFT_TABLE_NAME" proxy meta mark "$NFT_FAKEIP_MARK" meta l4proto udp tproxy ip to 127.0.0.1:1602 counter + nft add rule inet "$NFT_TABLE_NAME" proxy meta mark \& "$NFT_FAKEIP_MARK" == "$NFT_FAKEIP_MARK" meta l4proto tcp tproxy ip to 127.0.0.1:1602 counter + nft add rule inet "$NFT_TABLE_NAME" proxy meta mark \& "$NFT_FAKEIP_MARK" == "$NFT_FAKEIP_MARK" meta l4proto udp tproxy ip to 127.0.0.1:1602 counter nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_LOCALV4_SET_NAME" return nft add rule inet "$NFT_TABLE_NAME" mangle_output meta mark "$NFT_OUTBOUND_MARK" counter return