Skip to content

fix: exclude loopback from NFQUEUE interception on Linux #165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
rsyuzyov wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

fix: exclude loopback from NFQUEUE interception on Linux #165

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 9 additions & 3 deletions Linux/src/ProxyBridge.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2732,12 +2732,15 @@ bool ProxyBridge_Start(void)

// setup iptables rules for packet interception - USE MANGLE table so it runs BEFORE nat
log_message("setting up iptables rules");
// mangle table runs before nat, so we can mark packets there
// mangle table runs before nat, so we can mark packets there.
// Exclude loopback first: local (lo) traffic must never be queued and reinjected,
// otherwise non-trivial 127.0.0.0/8 responses stall. Loopback never needs proxying.
int ret0 = run_iptables_cmd("-t", "mangle", "-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT", NULL, NULL, NULL, NULL, NULL, NULL);
int ret1 = run_iptables_cmd("-t", "mangle", "-A", "OUTPUT", "-p", "tcp", "-j", "NFQUEUE", "--queue-num", "0", NULL, NULL, NULL, NULL);
int ret2 = run_iptables_cmd("-t", "mangle", "-A", "OUTPUT", "-p", "udp", "-j", "NFQUEUE", "--queue-num", "0", NULL, NULL, NULL, NULL);
Comment on lines +2738 to 2740

if (ret1 != 0 || ret2 != 0) {
log_message("failed to add iptables rules ret1=%d ret2=%d", ret1, ret2);
if (ret0 != 0 || ret1 != 0 || ret2 != 0) {
Comment on lines +2738 to +2742
log_message("failed to add iptables rules ret0=%d ret1=%d ret2=%d", ret0, ret1, ret2);
} else {
log_message("iptables nfqueue rules added successfully");
}
Expand Down Expand Up @@ -2779,10 +2782,12 @@ bool ProxyBridge_Stop(void)
running = false;

// cleanup iptables
int ret0 = run_iptables_cmd("-t", "mangle", "-D", "OUTPUT", "-o", "lo", "-j", "ACCEPT", NULL, NULL, NULL, NULL, NULL, NULL);
int ret1 = run_iptables_cmd("-t", "mangle", "-D", "OUTPUT", "-p", "tcp", "-j", "NFQUEUE", "--queue-num", "0", NULL, NULL, NULL, NULL);
int ret2 = run_iptables_cmd("-t", "mangle", "-D", "OUTPUT", "-p", "udp", "-j", "NFQUEUE", "--queue-num", "0", NULL, NULL, NULL, NULL);
int ret3 = run_iptables_cmd("-t", "nat", "-D", "OUTPUT", "-p", "tcp", "-m", "mark", "--mark", "1", "-j", "REDIRECT", "--to-port", "34010");
int ret4 = run_iptables_cmd("-t", "nat", "-D", "OUTPUT", "-p", "udp", "-m", "mark", "--mark", "2", "-j", "REDIRECT", "--to-port", "34011");
(void)ret0;
(void)ret1;
(void)ret2;
(void)ret3;
Expand Down Expand Up @@ -3041,6 +3046,7 @@ static void library_cleanup(void)
{
// Even if not running, ensure iptables rules are removed
// This handles cases where the app crashed before calling Stop
run_iptables_cmd("-t", "mangle", "-D", "OUTPUT", "-o", "lo", "-j", "ACCEPT", NULL, NULL, NULL, NULL, NULL, NULL);
run_iptables_cmd("-t", "mangle", "-D", "OUTPUT", "-p", "tcp", "-j", "NFQUEUE", "--queue-num", "0", NULL, NULL, NULL, NULL);
run_iptables_cmd("-t", "mangle", "-D", "OUTPUT", "-p", "udp", "-j", "NFQUEUE", "--queue-num", "0", NULL, NULL, NULL, NULL);
run_iptables_cmd("-t", "nat", "-D", "OUTPUT", "-p", "tcp", "-m", "mark", "--mark", "1", "-j", "REDIRECT", "--to-port", "34010");
Expand Down