Merge pull request #49 from jmbaur/chain-priority

Decrease priority number for prerouting chain. This makes clatd work out of the box on NixOS, which does IPv6 reverse path filtering at priority `mangle + 10`.
2025-03-21 08:19:36 +01:00 · 2025-03-21 08:19:36 +01:00 · 06c567b9cb
parent f812070f60 f86f1cabb8
commit 06c567b9cb
1 changed files with 2 additions and 2 deletions
--- a/4
+++ b/4
@ -1056,13 +1056,13 @@ if(cfgint("ctmark")) {
    or err("'nft -f-' failed to execute");
  print $fd "add table ip6 clatd\n";
  print $fd "add chain ip6 clatd prerouting ",
-            "{ type filter hook prerouting priority 0; }\n";
+            "{ type filter hook prerouting priority mangle; }\n";
  print $fd "add rule ip6 clatd prerouting",
            " iif ", cfg("clat-dev"),
            " ip6 saddr ", cfg("clat-v6-addr"),
            " ip6 daddr ", cfg("plat-prefix"),
            " ct mark set ", cfgint("ctmark"),
-            # set meta mark as well, to placate firewalld's IPv6_rpfilter
+            # set meta mark as well, to placate firewalld's IPv6_rpfilter and NixOS' rpfilter rules
            " meta mark set ", cfgint("ctmark"), " counter\n";
  print $fd "add rule ip6 clatd prerouting",
            " iif ", cfg("plat-dev"),