From 63db0777f9ab1e2d5001082435b062b8ae8b82bf Mon Sep 17 00:00:00 2001
From: Braulio Oliveira
Date: Sun, 9 Nov 2025 00:19:11 -0300
Subject: [PATCH] fix: preserve established connections on service restart

Add connection tracking rules to preserve established/related connections that already have a routing mark when the PBR service restarts. This prevents existing SSH sessions from being broken when routing rules are flushed and recreated, while ensuring new connections are properly routed. The fix adds rules that check for established/related connection state AND an existing routing mark before returning early, allowing those packets to continue using their existing routing table without interfering with new traffic that needs to be processed.

---
 files/etc/init.d/pbr | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/files/etc/init.d/pbr b/files/etc/init.d/pbr
index d16a14f..623f01f 100755
--- a/files/etc/init.d/pbr
+++ b/files/etc/init.d/pbr
@@ -815,6 +815,9 @@ nft_file() {
 mkdir -p "${i%/*}"
 done
 { echo '#!/usr/sbin/nft -f'; echo ''; } > "$nftTempFile"
+ # Preserve established/related connections that already have a routing mark to prevent breaking existing sessions (e.g., SSH)
+ echo "add rule inet $nftTable ${nftPrefix}_prerouting ct state established,related meta mark & $fw_mask != 0 return" >> "$nftTempFile"
+ echo "add rule inet $nftTable ${nftPrefix}_output ct state established,related meta mark & $fw_mask != 0 return" >> "$nftTempFile"
 # Insert PBR guards at the top of main caller chains so first PBR match wins, while preserving foreign marks.
 for chain in $chainsList; do
 echo "add rule inet $nftTable ${nftPrefix}_${chain} ${nftRuleParams:+$nftRuleParams }meta mark & $fw_mask != 0 return" >> "$nftTempFile"
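Review bot: The two added rules only match when the packet already carries a `meta mark` inside `$fw_mask`, and the guard loop a few lines below (`meta mark & $fw_mask != 0 return`) already returns for every such packet in each chain of `$chainsList`, so if `_prerouting` and `_output` are in that list the only behavioural difference is that the new rules drop `${nftRuleParams:+$nftRuleParams }` and thereby bypass whatever restriction that parameter places on the guard. Whether a packet of a pre-existing session still has a packet mark after the chains are flushed depends on a `meta mark set ct mark` restore rule preceding this point, which is not visible in the hunk; if there is none, the check cannot match established sessions at all and should test the conntrack mark instead, e.g. `ct state established,related ct mark & $fw_mask != 0 meta mark set ct mark return` (only valid if PBR also saves the mark with `ct mark set meta mark` when it first marks a connection — please confirm). The hard-coded `${nftPrefix}_prerouting`/`${nftPrefix}_output` names should be derived from or checked against `$chainsList`, since `nft -f` rejects the whole file when a referenced chain does not exist. The body of `nft_file()` starts and ends outside the hunk.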