From f86f1cabb85d059a7ef83c17954cd7d7d28245ea Mon Sep 17 00:00:00 2001
From: Jared Baur <jaredbaur@fastmail.com>
Date: Mon, 17 Mar 2025 13:35:52 -0700
Subject: [PATCH] Decrease priority number for prerouting chain

This allows for clatd to work OOTB on distros shipping firewalls that do
reverse-path filtering based on conntrack marks in the "mangle" priority
(i.e. -150).
---
 clatd | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/clatd b/clatd
index f3e8ff7..8412267 100755
--- a/clatd
+++ b/clatd
@@ -1055,13 +1055,13 @@ if(cfgint("ctmark")) {
     or err("'nft -f-' failed to execute");
   print $fd "add table ip6 clatd\n";
   print $fd "add chain ip6 clatd prerouting ",
-            "{ type filter hook prerouting priority 0; }\n";
+            "{ type filter hook prerouting priority mangle; }\n";
   print $fd "add rule ip6 clatd prerouting",
             " iif ", cfg("clat-dev"),
             " ip6 saddr ", cfg("clat-v6-addr"),
             " ip6 daddr ", cfg("plat-prefix"),
             " ct mark set ", cfgint("ctmark"),
-            # set meta mark as well, to placate firewalld's IPv6_rpfilter
+            # set meta mark as well, to placate firewalld's IPv6_rpfilter and NixOS' rpfilter rules
             " meta mark set ", cfgint("ctmark"), " counter\n";
   print $fd "add rule ip6 clatd prerouting",
             " iif ", cfg("plat-dev"),