Andrew Novikov 0e4cdbbc61 fix: use NF_REPEAT for NFQUEUE bypass/reset verdicts
NF_ACCEPT is a terminal verdict in nftables — when a packet returns
from NFQUEUE with NF_ACCEPT, it exits the current chain immediately
and continues to the next hook priority. Rules placed after the queue
statement in the same chain are never evaluated.

This meant that the `ct mark set meta mark` rule (which saves the
bypass decision to conntrack for subsequent packets) was dead code.
The first SYN packet received the correct mark from NFQUEUE, but
conntrack never stored it, so all subsequent packets of the same
connection were redirected to sing-box userspace.

Fix: use NF_REPEAT instead of NF_ACCEPT for bypass and reset verdicts.
NF_REPEAT re-enters the chain from the beginning with the mark already
set on skb->mark. Reorder the prematch chain rules so mark-checking
rules (ct mark set, reject) come before the queue statement:

  1. meta mark == outputMark → ct mark set meta mark, return
  2. meta mark == resetMark → reject with tcp reset
  3. ct mark == outputMark → return
  4. TCP SYN → queue to NFQUEUE

This is the standard pattern used by Suricata and other NFQUEUE-based
systems (NF_REPEAT + mark-based skip).

Tested on Orange Pi Zero 3 (arm64, kernel 6.12.58) with sing-box 1.13.3.
Bypass correctly saves ct mark, subsequent packets skip NFQUEUE entirely.
2026-03-17 10:58:45 +08:00
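As an added illustration (a constructed model, not sing-tun's own code), the following Python simulates the chain semantics the commit describes: NF_ACCEPT ends chain evaluation, NF_REPEAT re-enters from the first rule with the mark already on the skb, and rule order decides whether the ct mark is ever saved. The mark values, the rule labels and the pre-fix order in RULES_BEFORE are assumptions; the model also shows why the reorder is needed, since NF_REPEAT with the old order would just requeue the SYN.

```python
from types import SimpleNamespace
OUTPUT_MARK, RESET_MARK = 0x1, 0x2       # assumed mark values, not the project's
NF_ACCEPT, NF_REPEAT = "NF_ACCEPT", "NF_REPEAT"
def packet(syn):                         # skb: TCP flags plus skb->mark
    return SimpleNamespace(syn=syn, mark=0)
def new_flow():                          # conntrack entry shared by the flow
    return SimpleNamespace(ct_mark=0, queued=0, reset=False)

def run_chain(pkt, flow, rules, verdict, verdict_mark):
    """Evaluate one packet against the prematch chain; True means a rule
    returned early, i.e. the later proxy redirect is skipped (bypass)."""
    for _ in range(2):                   # allow one NF_REPEAT re-entry
        for match, action in rules:
            if not match(pkt, flow):
                continue
            if action == "ct mark set meta mark return":
                flow.ct_mark = pkt.mark  # persist the decision for the flow
                return True
            if action == "return":
                return True
            if action == "reject with tcp reset":
                flow.reset = True
                return False
            # "queue": userspace applies a mark and answers with a verdict
            flow.queued += 1
            pkt.mark = verdict_mark
            if verdict == NF_ACCEPT:
                return False             # terminal: later rules never run
            break                        # NF_REPEAT: re-enter from rule 1
        else:
            return False                 # nothing matched: chain policy
    return False

RULES_BEFORE = [                         # assumed old order: queue before mark save
    (lambda p, f: f.ct_mark == OUTPUT_MARK, "return"),
    (lambda p, f: p.syn, "queue"),
    (lambda p, f: p.mark == OUTPUT_MARK, "ct mark set meta mark return"),
]
RULES_AFTER = [                          # order given in the commit message
    (lambda p, f: p.mark == OUTPUT_MARK, "ct mark set meta mark return"),
    (lambda p, f: p.mark == RESET_MARK, "reject with tcp reset"),
    (lambda p, f: f.ct_mark == OUTPUT_MARK, "return"),
    (lambda p, f: p.syn, "queue"),
]

def handle_flow(rules, verdict, verdict_mark=OUTPUT_MARK):
    """SYN then a data packet: (ct mark, 2nd packet bypassed, packets queued, reset)."""
    flow = new_flow()
    run_chain(packet(syn=True), flow, rules, verdict, verdict_mark)
    bypassed = run_chain(packet(syn=False), flow, rules, verdict, verdict_mark)
    return flow.ct_mark, bypassed, flow.queued, flow.reset
```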

sing-tun

Simple transparent proxy library.

For Linux, Windows, macOS and iOS.

License

Copyright (C) 2022 by nekohasekai <contact-sagernet@sekai.icu>

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Description
Simple transparent proxy library.