Tags: SagerNet/sing-tun
Tags
memmod: be more resilient toward weird PE files

pick from WireGuard/wireguard-windows@d991925
Fix system stack rewriting TUN subnet destinations to loopback

The acceptLoop was rewriting any TCP destination within the TUN address prefix to 127.0.0.1/::1. This incorrectly caught the gateway address and other subnet addresses, not just the interface address itself.
fix: use NF_REPEAT for NFQUEUE bypass/reset verdicts

NF_ACCEPT is a terminal verdict in nftables — when a packet returns from NFQUEUE with NF_ACCEPT, it exits the current chain immediately and continues to the next hook priority. Rules placed after the queue statement in the same chain are never evaluated.

This meant that the `ct mark set meta mark` rule (which saves the bypass decision to conntrack for subsequent packets) was dead code. The first SYN packet received the correct mark from NFQUEUE, but conntrack never stored it, so all subsequent packets of the same connection were redirected to sing-box userspace.

Fix: use NF_REPEAT instead of NF_ACCEPT for bypass and reset verdicts. NF_REPEAT re-enters the chain from the beginning with the mark already set on skb->mark.

Reorder the prematch chain rules so mark-checking rules (ct mark set, reject) come before the queue statement:

1. meta mark == outputMark → ct mark set meta mark, return
2. meta mark == resetMark → reject with tcp reset
3. ct mark == outputMark → return
4. TCP SYN → queue to NFQUEUE

This is the standard pattern used by Suricata and other NFQUEUE-based systems (NF_REPEAT + mark-based skip).

Tested on Orange Pi Zero 3 (arm64, kernel 6.12.58) with sing-box 1.13.3. Bypass correctly saves ct mark, subsequent packets skip NFQUEUE entirely.
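The chain ordering described in the commit message, written out as an nft ruleset. This is an added illustration, not the ruleset sing-tun generates: the table and chain names, the mark values, the queue number and the output hook are assumptions, and the "before" ordering is reconstructed from the defect the message describes, not copied from the project. The two tables show the broken layout, where the `ct mark set` rule sits below the queue statement and is never reached once userspace answers NF_ACCEPT, beside the fixed layout, where every mark-consuming rule sits above the queue statement so that NF_REPEAT re-entry lands on them first.

```nft
# Added illustration only. Names, mark values, queue number and hook are
# assumptions; the "before" order is reconstructed from the commit message.
define output_mark = 0x00000100   # assumed value of outputMark (bypass decision)
define reset_mark  = 0x00000200   # assumed value of resetMark
define queue_num   = 0            # assumed NFQUEUE number

# BEFORE (broken): the queue statement comes first. When userspace returns
# NF_ACCEPT the packet leaves this chain immediately, so the two rules below
# the queue statement never execute and conntrack never stores the mark.
table inet sing_tun_before {
    chain prematch {
        type filter hook output priority mangle; policy accept;
        ct mark $output_mark return
        tcp flags & (syn | ack) == syn queue num $queue_num
        meta mark $output_mark ct mark set meta mark return   # dead code after NF_ACCEPT
        meta mark $reset_mark reject with tcp reset           # dead code after NF_ACCEPT
    }
}

# AFTER (fixed): mark-checking rules sit above the queue statement. Userspace
# sets skb->mark and returns NF_REPEAT, so evaluation restarts at rule 1 with
# the mark present; the decision is then persisted in conntrack and every
# later packet of the flow is returned by rule 3 without touching NFQUEUE.
table inet sing_tun_after {
    chain prematch {
        type filter hook output priority mangle; policy accept;
        meta mark $output_mark ct mark set meta mark return   # 1. persist bypass decision
        meta mark $reset_mark reject with tcp reset           # 2. reset the connection
        ct mark $output_mark return                           # 3. later packets skip the queue
        tcp flags & (syn | ack) == syn queue num $queue_num   # 4. only bare SYNs reach userspace
    }
}
```

Two points worth checking when adapting this. First, NF_REPEAT only terminates because rules 1 and 2 both end evaluation (`return` and `reject`) for a marked packet; if the marked packet could fall through to rule 4 again, it would be re-queued in a loop, so any rule added above the queue statement must either consume the marked packet or leave it unmarked. Second, rule 3 depends on rule 1 having run on the first packet; a connection whose SYN was accepted before the fix was deployed carries no ct mark and will keep hitting rule 4 until it is re-established.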