Mirror/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2026-02-03 08:10:34 +03:00
Code Issues Packages Projects Releases Wiki Activity

nftables: use after-srcnat postrouting hook. enable ipfrag notrack

Browse Source
This commit is contained in:
bol-van
2022-03-22 13:58:02 +03:00
parent f3508030b1
commit 38883a67a9
3 changed files with 22 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/readme.eng.md
View File

@@ -478,6 +478,13 @@ It must be done manually, `blockcheck.sh` cannot auto fix this for you.
Or just move to `nftables`. You can create hooks with any priority there.
Looks like there's no way to do ipfrag using iptables for forwarded traffic if NAT is present.
`MASQUERADE` is terminating target, after it `NFQUEUE` does not work.
nfqws sees packets with internal network source address. If fragmented NAT does not process them.
This results in attempt to send packets to internet with internal IP address.
You need to use nftables instead with hook priority 101 or higher.
## tpws
tpws is transparent proxy.