intercept RELATED packets

We must intercept RELATED packets, not only for intercept protocols like ftp-data, but also to handle connection errors (ICMP errors), like the ones originated when dis/connecting from a wifi network.
gustavo-iniguez-goya · Jul 25, 2020 · 08245a0 · 08245a0
1 parent c0fb84a
commit 08245a0
Showing 1 changed file with 3 additions and 5 deletions.
diff --git a/daemon/firewall/rules.go b/daemon/firewall/rules.go
@@ -34,7 +34,7 @@ var (
 	// check that rules are loaded every 5s
 	rulesChecker       = time.NewTicker(time.Second * 20)
 	rulesCheckerChan   = make(chan bool)
-	regexRulesQuery, _ = regexp.Compile(`NFQUEUE.*ctstate NEW.*NFQUEUE num.*bypass`)
+	regexRulesQuery, _ = regexp.Compile(`NFQUEUE.*ctstate NEW,RELATED.*NFQUEUE num.*bypass`)
 	regexDropQuery, _  = regexp.Compile(`DROP.*mark match 0x18ba5`)
 )
 
@@ -79,15 +79,13 @@ func QueueDNSResponses(enable bool, qNum int) (err error) {
 
 // QueueConnections inserts the firewall rule which redirects connections to us.
 // They are queued until the user denies/accept them, or reaches a timeout.
-// OUTPUT -t mangle -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0 --queue-bypass
+// OUTPUT -t mangle -m conntrack --ctstate NEW,RELATED -j NFQUEUE --queue-num 0 --queue-bypass
 func QueueConnections(enable bool, qNum int) (err error) {
-	regexRulesQuery, _ = regexp.Compile(fmt.Sprint(`NFQUEUE.*ctstate NEW.*NFQUEUE num `, qNum, ` bypass`))
-
 	return RunRule(ADD, enable, []string{
 		"OUTPUT",
 		"-t", "mangle",
 		"-m", "conntrack",
-		"--ctstate", "NEW",
+		"--ctstate", "NEW,RELATED",
 		"-j", "NFQUEUE",
 		"--queue-num", fmt.Sprintf("%d", qNum),
 		"--queue-bypass",