AS1024
/
clatd
mirror of https://github.com/toreanderson/clatd
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Decrease priority number for prerouting chain 

This allows for clatd to work OOTB on distros shipping firewalls that do
reverse-path filtering based on conntrack marks in the "mangle" priority
(i.e. -150).
This commit is contained in:
Jared Baur 2025-03-17 13:35:52 -07:00
parent f91d96b991
commit f86f1cabb8
No known key found for this signature in database
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
clatd
View File

@ -1055,13 +1055,13 @@ if(cfgint("ctmark")) {
or err("'nft -f-' failed to execute"); or err("'nft -f-' failed to execute");
print $fd "add table ip6 clatd\n"; print $fd "add table ip6 clatd\n";
print $fd "add chain ip6 clatd prerouting ", print $fd "add chain ip6 clatd prerouting ",
"{ type filter hook prerouting priority 0; }\n"; "{ type filter hook prerouting priority mangle; }\n";
print $fd "add rule ip6 clatd prerouting", print $fd "add rule ip6 clatd prerouting",
" iif ", cfg("clat-dev"), " iif ", cfg("clat-dev"),
" ip6 saddr ", cfg("clat-v6-addr"), " ip6 saddr ", cfg("clat-v6-addr"),
" ip6 daddr ", cfg("plat-prefix"), " ip6 daddr ", cfg("plat-prefix"),
" ct mark set ", cfgint("ctmark"), " ct mark set ", cfgint("ctmark"),
# set meta mark as well, to placate firewalld's IPv6_rpfilter # set meta mark as well, to placate firewalld's IPv6_rpfilter and NixOS' rpfilter rules
" meta mark set ", cfgint("ctmark"), " counter\n"; " meta mark set ", cfgint("ctmark"), " counter\n";
print $fd "add rule ip6 clatd prerouting", print $fd "add rule ip6 clatd prerouting",
" iif ", cfg("plat-dev"), " iif ", cfg("plat-dev"),