From 1e9a7bffa4449e4745ed76d1aef9c995d8d9efae Mon Sep 17 00:00:00 2001
From: Andrey Petelin
Date: Wed, 14 Jan 2026 10:29:13 +0500
Subject: [PATCH] fix: avoid outbound traffic loop by adding NFT_OUTBOUND_MARK (0x90000) and mangle_output return rule (#248)

---
 podkop/files/usr/bin/podkop | 1 +
 podkop/files/usr/lib/constants.sh | 1 +
 2 files changed, 2 insertions(+)

diff --git a/podkop/files/usr/bin/podkop b/podkop/files/usr/bin/podkop
index 146c461..813c2bd 100755
--- a/podkop/files/usr/bin/podkop
+++ b/podkop/files/usr/bin/podkop
@@ -321,6 +321,7 @@ create_nft_rules() {
 nft add rule inet "$NFT_TABLE_NAME" proxy meta mark "$NFT_FAKEIP_MARK" meta l4proto udp tproxy ip to 127.0.0.1:1602 counter
 nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_LOCALV4_SET_NAME" return
+ nft add rule inet "$NFT_TABLE_NAME" mangle_output meta mark "$NFT_OUTBOUND_MARK" counter return
 nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto tcp meta mark set "$NFT_FAKEIP_MARK" counter
 nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto udp meta mark set "$NFT_FAKEIP_MARK" counter
 nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto tcp meta mark set "$NFT_FAKEIP_MARK" counter
diff --git a/podkop/files/usr/lib/constants.sh b/podkop/files/usr/lib/constants.sh
index 90bf40a..c8cb47b 100644
--- a/podkop/files/usr/lib/constants.sh
+++ b/podkop/files/usr/lib/constants.sh
@@ -21,6 +21,7 @@ NFT_COMMON_SET_NAME="podkop_subnets"
 NFT_DISCORD_SET_NAME="podkop_discord_subnets"
 NFT_INTERFACE_SET_NAME="interfaces"
 NFT_FAKEIP_MARK="0x80000"
+NFT_OUTBOUND_MARK="0x90000"
 
 ## sing-box
 SB_REQUIRED_VERSION="1.12.0"
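Review bot: The new `mangle_output ... meta mark "$NFT_OUTBOUND_MARK" counter return` rule has no comment explaining the invariant it depends on, and nothing in this patch sets 0x90000 on the proxy's own sockets — presumably that is done in the sing-box route/outbound configuration, which should be confirmed and named here so the two sides cannot drift apart. `meta mark 0x90000` is an exact match on the whole fwmark, so if any other rule or the proxy itself ever sets additional bits, the bypass silently stops applying and the packets are re-marked by the following `meta mark set "$NFT_FAKEIP_MARK"` rules, reproducing the loop this commit fixes; a masked form would be more robust if the mark is meant to be combined with other bits. Since setting SO_MARK needs CAP_NET_ADMIN this is not an unprivileged bypass of the redirect, but any other privileged service that happens to use the same mark value will skip it as well, which is worth stating. I would add above the new line: `# Locally generated packets already carrying the proxy's outbound mark must leave mangle_output untouched, otherwise the fakeip rules below re-mark them and the proxy's own traffic is redirected back into it (#248); the proxy must set this exact mark on its sockets.` create_nft_rules() continues outside the hunk on both sides.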
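Review bot: `NFT_OUTBOUND_MARK="0x90000"` shares bit 0x80000 with `NFT_FAKEIP_MARK="0x80000"` directly above it, so any masked match on the fakeip bit — an `ip rule ... fwmark 0x80000/0x80000` or a `meta mark & 0x80000` test elsewhere in the tree, which I cannot see from this hunk — would classify outbound-marked packets as fakeip traffic. If the overlap is intentional (e.g. so policy routing for both marks lands in the same table), a comment should say so; if not, a value with a disjoint bit avoids the interaction entirely. Suggested comment: `# Mark set by the proxy on its own outbound sockets; NOTE: overlaps bit 0x80000 of NFT_FAKEIP_MARK — keep exact (unmasked) matches or pick a disjoint bit.`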