From ef8b8a28912e7979098b9f94294c8f23fc3aa81b Mon Sep 17 00:00:00 2001
From: Viktor Liu <17948409+lixmal@users.noreply.github.com>
Date: Fri, 25 Apr 2025 12:43:20 +0200
Subject: [PATCH] [client] Ensure dst-type local marks can overwrite nat marks (#3738)

---
 client/firewall/iptables/router_linux.go | 4 +++-
 client/firewall/nftables/router_linux.go | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/client/firewall/iptables/router_linux.go b/client/firewall/iptables/router_linux.go
index b59c88580..bb799b99b 100644
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -631,7 +631,9 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 "-j", "MARK", "--set-mark", fmt.Sprintf("%#x", markValue),
 )
-if err := r.iptablesClient.Append(tableMangle, chainRTPRE, rule...); err != nil {
+// Ensure nat rules come first, so the mark can be overwritten.
+// Currently overwritten by the dst-type LOCAL rules for redirected traffic.
+if err := r.iptablesClient.Insert(tableMangle, chainRTPRE, 1, rule...); err != nil {
 // TODO: rollback ipset counter
 return fmt.Errorf("error while adding marking rule for %s: %v", pair.Destination, err)
 }
diff --git a/client/firewall/nftables/router_linux.go b/client/firewall/nftables/router_linux.go
index c2ba2a072..0f6c5bdf6 100644
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -666,7 +666,9 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 }
 }
-r.rules[ruleKey] = r.conn.AddRule(&nftables.Rule{
+// Ensure nat rules come first, so the mark can be overwritten.
+// Currently overwritten by the dst-type LOCAL rules for redirected traffic.
+r.rules[ruleKey] = r.conn.InsertRule(&nftables.Rule{
 Table: r.workTable,
 Chain: r.chains[chainNameManglePrerouting],
 Exprs: exprs,
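Review bot: Inserting at position 1 of the mangle PREROUTING chain makes the intended precedence depend on two invariants the code does not state: the dst-type LOCAL mark rules must always be appended (never inserted at the head), and the NAT mark rules must be order-independent among themselves, since every later addNatRule call now lands ahead of the earlier ones. The same applies to the nftables hunk, where InsertRule with no Position places the rule at the head of the chain, and the mark value decides which traffic is forwarded versus treated as local, so a silent inversion of that order would be a routing defect rather than a cosmetic one. The added comment describes the current state rather than the contract; consider `// Inserted at the head of the chain: the dst-type LOCAL mark rules must stay appended after these so they can overwrite the nat mark for redirected traffic.` in both files. If the LOCAL rule setup lives elsewhere, a matching comment there, or a test asserting the relative rule order, would keep the two call sites from drifting. addNatRule begins before and continues past both hunks.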