Mirror/podkop
1
0
Fork 0
mirror of https://github.com/itdoginfo/podkop.git synced 2026-01-27 12:50:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix: use fwmark/mask and bitwise meta mark comparison to correctly match packet marks

Browse Source
This commit is contained in:
Andrey Petelin
2026-01-14 14:09:51 +05:00
parent 1e9a7bffa4
commit a40240bb3f
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
podkop/files/usr/bin/podkop
View File

@@ -164,7 +164,7 @@ stop_main() {
log "Flush ip rule" log "Flush ip rule"
if ip rule list | grep -q "podkop"; then if ip rule list | grep -q "podkop"; then
ip rule del fwmark "$NFT_FAKEIP_MARK" table "$RT_TABLE_NAME" priority 105 ip rule del fwmark "$NFT_FAKEIP_MARK"/"$NFT_FAKEIP_MARK" table "$RT_TABLE_NAME" priority 105
fi fi
log "Flush ip route" log "Flush ip route"
@@ -260,9 +260,9 @@ route_table_rule_mark() {
log "Route for tproxy exists" "debug" log "Route for tproxy exists" "debug"
fi fi
if ! ip rule list | grep -q "from all fwmark $NFT_FAKEIP_MARK lookup $RT_TABLE_NAME"; then if ! ip rule list | grep -q "from all fwmark $NFT_FAKEIP_MARK/$NFT_FAKEIP_MARK lookup $RT_TABLE_NAME"; then
log "Create marking rule" "debug" log "Create marking rule" "debug"
ip -4 rule add fwmark "$NFT_FAKEIP_MARK" table "$RT_TABLE_NAME" priority 105 ip -4 rule add fwmark "$NFT_FAKEIP_MARK"/"$NFT_FAKEIP_MARK" table "$RT_TABLE_NAME" priority 105
else else
log "Marking rule exist" "debug" log "Marking rule exist" "debug"
fi fi
@@ -317,8 +317,8 @@ create_nft_rules() {
nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto tcp meta mark set "$NFT_FAKEIP_MARK" counter nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto tcp meta mark set "$NFT_FAKEIP_MARK" counter
nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto udp meta mark set "$NFT_FAKEIP_MARK" counter nft add rule inet "$NFT_TABLE_NAME" mangle iifname "@$NFT_INTERFACE_SET_NAME" ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto udp meta mark set "$NFT_FAKEIP_MARK" counter
nft add rule inet "$NFT_TABLE_NAME" proxy meta mark "$NFT_FAKEIP_MARK" meta l4proto tcp tproxy ip to 127.0.0.1:1602 counter nft add rule inet "$NFT_TABLE_NAME" proxy meta mark \& "$NFT_FAKEIP_MARK" == "$NFT_FAKEIP_MARK" meta l4proto tcp tproxy ip to 127.0.0.1:1602 counter
nft add rule inet "$NFT_TABLE_NAME" proxy meta mark "$NFT_FAKEIP_MARK" meta l4proto udp tproxy ip to 127.0.0.1:1602 counter nft add rule inet "$NFT_TABLE_NAME" proxy meta mark \& "$NFT_FAKEIP_MARK" == "$NFT_FAKEIP_MARK" meta l4proto udp tproxy ip to 127.0.0.1:1602 counter
nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_LOCALV4_SET_NAME" return nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_LOCALV4_SET_NAME" return
nft add rule inet "$NFT_TABLE_NAME" mangle_output meta mark "$NFT_OUTBOUND_MARK" counter return nft add rule inet "$NFT_TABLE_NAME" mangle_output meta mark "$NFT_OUTBOUND_MARK" counter return