3 changes: 3 additions & 0 deletions files/etc/init.d/pbr
@@ -815,6 +815,9 @@ nft_file() {
mkdir -p "${i%/*}"
done
{ echo '#!/usr/sbin/nft -f'; echo ''; } > "$nftTempFile"
# Preserve established/related connections that already have a routing mark to prevent breaking existing sessions (e.g., SSH)
echo "add rule inet $nftTable ${nftPrefix}_prerouting ct state established,related meta mark & $fw_mask != 0 return" >> "$nftTempFile"
echo "add rule inet $nftTable ${nftPrefix}_output ct state established,related meta mark & $fw_mask != 0 return" >> "$nftTempFile"
Comment on lines +818 to +820
Copilot AI Nov 21, 2025
The logic of these rules may not work as intended. They check for meta mark & $fw_mask != 0, which verifies the packet mark, but packet marks are set by nftables rules on each packet and are not persistent across connections.

When the service restarts:

  1. Existing connections remain in conntrack with established/related state
  2. However, packet marks are not saved to conntrack (no ct mark set is used in this codebase)
  3. The first packet from an established connection after restart won't have a mark yet (it's set by subsequent rules in the chain)
  4. Therefore, these rules won't match and won't preserve the connection's routing

To fix this, consider one of these approaches:

  • Save marks to conntrack using ct mark set when initially marking packets, then check ct mark & $fw_mask != 0 here
  • Or simply check for ct state established,related without requiring a mark, allowing established connections to continue with their existing routing
  • Or use meta mark set ct mark to restore marks from conntrack at the start of processing
Suggested change
# Preserve established/related connections that already have a routing mark to prevent breaking existing sessions (e.g., SSH)
echo "add rule inet $nftTable ${nftPrefix}_prerouting ct state established,related meta mark & $fw_mask != 0 return" >> "$nftTempFile"
echo "add rule inet $nftTable ${nftPrefix}_output ct state established,related meta mark & $fw_mask != 0 return" >> "$nftTempFile"
# Preserve established/related connections to prevent breaking existing sessions (e.g., SSH)
echo "add rule inet $nftTable ${nftPrefix}_prerouting ct state established,related return" >> "$nftTempFile"
echo "add rule inet $nftTable ${nftPrefix}_output ct state established,related return" >> "$nftTempFile"
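The first and third approaches in the comment above (save the mark with `ct mark set`, restore it with `meta mark set ct mark`) can be expressed as a small rule generator in the same style as the init script's nft_file() helper. This is an added example, not code from the pbr project or from the reviewer: the table name, chain prefix, mask value and the single marking rule are hypothetical stand-ins for what the real script computes.

```shell
#!/bin/sh
# Added example, not code from the pbr project: a shell generator, in the style
# of the init script's nft_file() helper, for nftables rules that persist the PBR
# routing mark in conntrack and restore it before any re-marking happens.
# Table, chain prefix and mask are hypothetical values.

nftTable="pbr"
nftPrefix="pbr"
fw_mask="0xff0000"    # hypothetical: bits reserved for PBR's own marks

# Rules to place first in each hook chain: if conntrack already carries a PBR
# mark for this flow, copy it back onto the packet and stop, so a freshly
# restarted service does not re-classify (and re-route) a live session.
pbr_restore_rules() {
    for chain in prerouting output; do
        printf 'add rule inet %s %s_%s ct state established,related ct mark & %s != 0 meta mark set ct mark return\n' \
            "$nftTable" "$nftPrefix" "$chain" "$fw_mask"
    done
}

# Rule to place after the marking rules in a chain: once a packet has been
# given a PBR mark, save it into the conntrack entry so every later packet of
# the flow (including the first one after a restart) inherits it.
pbr_save_rule() {
    chain="$1"
    printf 'add rule inet %s %s_%s meta mark & %s != 0 ct mark set meta mark\n' \
        "$nftTable" "$nftPrefix" "$chain" "$fw_mask"
}

# Assemble a minimal nft script: restore first, then a hypothetical marking
# rule standing in for PBR's policy rules, then the save rules.
pbr_example_script() {
    printf '#!/usr/sbin/nft -f\n\n'
    pbr_restore_rules
    printf 'add rule inet %s %s_prerouting ip daddr 203.0.113.0/24 meta mark set 0x10000\n' \
        "$nftTable" "$nftPrefix"
    pbr_save_rule prerouting
    pbr_save_rule output
}

pbr_example_script
```

The restore rule must come before any rule that could re-mark the packet, and the save rule after the last one that sets a PBR mark; the `ct mark & mask != 0` test keeps both rules from touching flows that belong to other software's marks.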
# Insert PBR guards at the top of main caller chains so first PBR match wins, while preserving foreign marks.
for chain in $chainsList; do
echo "add rule inet $nftTable ${nftPrefix}_${chain} ${nftRuleParams:+$nftRuleParams }meta mark & $fw_mask != 0 return" >> "$nftTempFile"
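Review bot: the two rules added before the chain loop (`ct state established,related meta mark & $fw_mask != 0 return` in `${nftPrefix}_prerouting` and `${nftPrefix}_output`) are strictly narrower than the guard the loop already appends to every chain in $chainsList (`meta mark & $fw_mask != 0 return`), so if those two chains are in $chainsList they cannot match anything the existing guard would not already return on. More importantly, `meta mark` is the per-packet mark, which conntrack does not retain: unless the marking rules also run `ct mark set meta mark` and the chain restores it with `meta mark set ct mark` (neither appears in this hunk), the first packet of a pre-existing session after a restart arrives without a PBR mark, falls through to re-classification, and the comment's promise of keeping existing SSH sessions alive does not hold. Either drop the mark test (`ct state established,related return`) or add the ct mark save/restore pair. The new rules also omit the `${nftRuleParams:+$nftRuleParams }` that the loop applies to every guard rule, which looks unintentional.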