Fix auto_redirect on IPv6-only or IPv4-only servers

Skip tun interface traffic in prerouting UDP/ICMP chain
2026-01-28 16:54:33 +08:00 · 2026-01-28 14:34:55 +08:00
2 changed files with 36 additions and 0 deletions
--- a/redirect_nftables.go
+++ b/redirect_nftables.go
@@ -182,6 +182,25 @@ func (r *autoRedirect) setupNFTables() error {
 				},
 			},
 		})
+		nft.AddRule(&nftables.Rule{
+			Table: table,
+			Chain: chainPreRoutingUDP,
+			Exprs: []expr.Any{
+				&expr.Meta{
+					Key:      expr.MetaKeyIIFNAME,
+					Register: 1,
+				},
+				&expr.Cmp{
+					Op:       expr.CmpOpEq,
+					Register: 1,
+					Data:     nftablesIfname(r.tunOptions.Name),
+				},
+				&expr.Counter{},
+				&expr.Verdict{
+					Kind: expr.VerdictReturn,
+				},
+			},
+		})
 		nft.AddRule(&nftables.Rule{
 			Table: table,
 			Chain: chainPreRoutingUDP,
--- a/tun_linux.go
+++ b/tun_linux.go
@@ -617,6 +617,23 @@ func (t *NativeTun) rules() []*netlink.Rule {
 			it.Family = unix.AF_INET6
 			rules = append(rules, it)
 		}
+		// Fallback rules after system default rules (32766: main, 32767: default)
+		// Only reached when main and default tables have no route
+		const fallbackPriority = 32768
+		if p4 {
+			it = netlink.NewRule()
+			it.Priority = fallbackPriority
+			it.Table = t.options.IPRoute2TableIndex
+			it.Family = unix.AF_INET
+			rules = append(rules, it)
+		}
+		if p6 {
+			it = netlink.NewRule()
+			it.Priority = fallbackPriority
+			it.Table = t.options.IPRoute2TableIndex
+			it.Family = unix.AF_INET6
+			rules = append(rules, it)
+		}
 		return rules
 	}
Author	SHA1	Message	Date
世界	42a84746a9	Fix auto_redirect on IPv6-only or IPv4-only servers	2026-01-28 16:54:33 +08:00
世界	7f3af59109	Skip tun interface traffic in prerouting UDP/ICMP chain	2026-01-28 14:34:55 +08:00