mirror of https://github.com/SagerNet/sing-tun.git synced 2026-04-22 16:07:19 +08:00

T

Andrew Novikov 0e4cdbbc61 fix: use NF_REPEAT for NFQUEUE bypass/reset verdicts

NF_ACCEPT is a terminal verdict in nftables — when a packet returns
from NFQUEUE with NF_ACCEPT, it exits the current chain immediately
and continues to the next hook priority. Rules placed after the queue
statement in the same chain are never evaluated.

This meant that the `ct mark set meta mark` rule (which saves the
bypass decision to conntrack for subsequent packets) was dead code.
The first SYN packet received the correct mark from NFQUEUE, but
conntrack never stored it, so all subsequent packets of the same
connection were redirected to sing-box userspace.

Fix: use NF_REPEAT instead of NF_ACCEPT for bypass and reset verdicts.
NF_REPEAT re-enters the chain from the beginning with the mark already
set on skb->mark. Reorder the prematch chain rules so mark-checking
rules (ct mark set, reject) come before the queue statement:

  1. meta mark == outputMark → ct mark set meta mark, return
  2. meta mark == resetMark → reject with tcp reset
  3. ct mark == outputMark → return
  4. TCP SYN → queue to NFQUEUE

This is the standard pattern used by Suricata and other NFQUEUE-based
systems (NF_REPEAT + mark-based skip).

Tested on Orange Pi Zero 3 (arm64, kernel 6.12.58) with sing-box 1.13.3.
Bypass correctly saves ct mark, subsequent packets skip NFQUEUE entirely.

2026-03-17 10:58:45 +08:00

.github

Update golangci-lint

2025-09-22 12:51:12 +08:00

internal

Prevent panic when wintun dll fails to load

2025-09-09 18:04:19 +08:00

ping

Apply ping destination filter for Windows

2025-12-01 08:47:38 +08:00

.gitignore

Update golangci-lint

2025-09-22 12:51:12 +08:00

.golangci.yml

Update golangci-lint

2025-09-22 12:51:12 +08:00

go.mod

Update dependencies

2026-03-02 06:50:15 +08:00

go.sum

Update dependencies

2026-03-02 06:50:15 +08:00

LICENSE

Init commit

2022-07-11 17:15:22 +08:00

Makefile

Add ping client

2025-08-23 16:16:28 +08:00

monitor_android.go

Improve error messages for Linux TUN and redirect operations

2026-03-15 14:43:38 +08:00

monitor_darwin.go

Better atomic using

2025-03-19 20:37:02 +08:00

monitor_linux_default.go

Improve error messages for Linux TUN and redirect operations

2026-03-15 14:43:38 +08:00

monitor_linux.go

Improve error messages for Linux TUN and redirect operations

2026-03-15 14:43:38 +08:00

monitor_other.go

Add mixed stack

2023-08-12 19:38:06 +08:00

monitor_shared.go

Replace usages of common/atomic

2025-08-25 19:59:21 +08:00

monitor_windows.go

Better atomic using

2025-03-19 20:37:02 +08:00

monitor.go

Add DefaultInterfaceMonitor.MyInterface

2025-06-20 13:14:37 +08:00

nfqueue_linux.go

fix: use NF_REPEAT for NFQUEUE bypass/reset verdicts

2026-03-17 10:58:45 +08:00

packages_android.go

Use new fswatcher to udpate android packages

2024-06-26 11:02:47 +08:00

packages_stub.go

Use new fswatcher to udpate android packages

2024-06-26 11:02:47 +08:00

packages.go

Use new fswatcher to udpate android packages

2024-06-26 11:02:47 +08:00

README.md

Fix system stack for ios

2023-04-17 20:02:10 +08:00

redirect_iptables.go

Improve error messages for Linux TUN and redirect operations

2026-03-15 14:43:38 +08:00

redirect_linux.go

Improve error messages for Linux TUN and redirect operations

2026-03-15 14:43:38 +08:00

redirect_nftables_exprs.go

Add loopback address support

2025-06-20 13:14:58 +08:00

redirect_nftables_rules_openwrt.go

test: Add log for fw4 reload error

2025-08-03 00:12:24 +08:00

redirect_nftables_rules.go

Improve error messages for Linux TUN and redirect operations

2026-03-15 14:43:38 +08:00

redirect_nftables.go

fix: use NF_REPEAT for NFQUEUE bypass/reset verdicts

2026-03-17 10:58:45 +08:00

redirect_route_linux.go

Improve error messages for Linux TUN and redirect operations

2026-03-15 14:43:38 +08:00

redirect_server.go

Replace usages of common/atomic

2025-08-25 19:59:21 +08:00

redirect_stub.go

Add auto-redirect

2024-06-07 15:48:43 +08:00

redirect.go

Add pre-matching support for auto redirect

2025-12-26 14:44:55 +08:00

route_direct.go

Revert "ping: Increate mapping capacity"

2025-08-26 23:54:57 +08:00

stack_gvisor_filter.go

Improve darwin tun performance

2025-07-17 23:46:08 +08:00

stack_gvisor_icmp.go

ping: Fix read ICMPv6 from gVisor

2025-09-09 23:22:25 +08:00

stack_gvisor_lazy.go

Fix error usages

2025-06-20 12:47:57 +08:00

stack_gvisor_log.go

Add handshake interface support for gVisor UDP

2023-08-07 20:32:32 +08:00

stack_gvisor_stub.go

Add mixed stack

2023-08-12 19:38:06 +08:00

stack_gvisor_tcp.go

Fix gvisor loopback address

2025-08-27 16:35:53 +08:00

stack_gvisor_tcpbuf_default.go

Remove unused ICMP replies & Improve tcpbuf options

2024-11-08 12:15:52 +08:00

stack_gvisor_tcpbuf_ios.go

Remove unused ICMP replies & Improve tcpbuf options

2024-11-08 12:15:52 +08:00

stack_gvisor_udp.go

Pass timeout to PrepareConnection

2025-08-24 18:59:55 +08:00

stack_gvisor.go

ping: Add gVisor destination

2025-08-24 10:36:16 +08:00

stack_mixed.go

Fix darwin batch loop not exit on EBADF

2026-03-05 20:35:38 +08:00

stack_system_nat.go

Fix race codes

2025-09-12 18:02:59 +08:00

stack_system_nonwindows.go

Retry system listen

2024-10-14 22:10:23 +08:00

stack_system_packet.go

Add ping proxy support

2025-08-22 10:56:12 +08:00

stack_system_windows.go

Fix system stack

2025-07-21 09:44:17 +08:00

stack_system.go

Fix darwin batch loop not exit on EBADF

2026-03-05 20:35:38 +08:00

stack.go

Add pre-matching support for auto redirect

2025-12-26 14:44:55 +08:00

tun_darwin_gvisor.go

Fix darwin WritePacket

2025-07-18 11:00:19 +08:00

tun_darwin.go

Fix darwin batch read not exit on stop

2026-01-15 02:08:56 +08:00

tun_linux_flags.go

Copy UDP GSO support from tailscale

2024-11-23 12:58:52 +08:00

tun_linux_gvisor.go

Fix udp/icmp not work on gso with mixed stack

2026-03-03 23:48:15 +08:00

tun_linux.go

Improve error messages for Linux TUN and redirect operations

2026-03-15 14:43:38 +08:00

tun_nondarwin.go

Add system stack

2022-09-08 18:11:26 +08:00

tun_nonlinux.go

Add GSO support

2023-12-21 16:51:06 +08:00

tun_offload_errors.go

Copy UDP GSO support from tailscale

2024-11-23 12:58:52 +08:00

tun_offload_linux.go

Update golangci-lint

2025-09-22 12:51:12 +08:00

tun_offload.go

Copy UDP GSO support from tailscale

2024-11-23 12:58:52 +08:00

tun_other.go

Add create tun from file descriptor

2023-02-26 17:11:24 +08:00

tun_rules.go

Fix generate darwin rules

2025-02-17 21:56:54 +08:00

tun_windows_gvisor.go

Improve darwin tun performance

2025-07-17 23:46:08 +08:00

tun_windows.go

Skip strict routing on Windows versions below 10

2026-01-17 18:16:51 +08:00

tun.go

Fix auto_redirect fallback rule

2026-01-29 13:34:49 +08:00

README.md

sing-tun

Simple transparent proxy library.

For Linux, Windows, macOS and iOS.

License

Copyright (C) 2022 by nekohasekai <contact-sagernet@sekai.icu>

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.