Change Nether rule to use raw table for UDP packet.

UDP packets are dropped unexpectedly if those are included into NFQUEUE
simultaneously. This seems to be bug in conntrack, can be avoided
if raw table is used. It requires the kernel support to enable
CONFIG_IP_NF_RAW and change priority in nf_ip_hook_priorities.

Change-Id: I8f3b3e1ecf69a44486757f27c61b34da02f4fb42

diff --git a/conf/nether.rules b/conf/nether.rules
index 6207174..3ab861c 100644 (file)
--- a/conf/nether.rules
+++ b/conf/nether.rules
@@ -17,6 +17,16 @@
 #
 
 # nether iptables rules
+*raw
+:PREROUTING ACCEPT
+:OUTPUT ACCEPT
+:CHECK-LOCALHOST -
+-A OUTPUT -o lo -j CHECK-LOCALHOST
+-A OUTPUT -p udp -j NFQUEUE --queue-num 0 --queue-bypass
+-A OUTPUT -p udplite -j NFQUEUE --queue-num 0 --queue-bypass
+-A CHECK-LOCALHOST -p udp --dport 53 -j RETURN
+-A CHECK-LOCALHOST -j ACCEPT
+COMMIT
 *mangle
 :PREROUTING ACCEPT
 :INPUT ACCEPT
@@ -27,9 +37,7 @@
 -A INPUT ! -i lo -j SECMARK --selctx System
 -A OUTPUT -o lo -j CHECK-LOCALHOST
 -A OUTPUT -p igmp -j ACCEPT
--A OUTPUT -m conntrack --ctstate NEW ! --ctstatus CONFIRMED -j NFQUEUE --queue-num 0 --queue-bypass
--A OUTPUT -p udplite -j NFQUEUE --queue-num 0 --queue-bypass
--A CHECK-LOCALHOST -p udp --dport 53 -j RETURN
+-A OUTPUT -p tcp -m conntrack --ctstate NEW ! --ctstatus CONFIRMED -j NFQUEUE --queue-num 0 --queue-bypass
 -A CHECK-LOCALHOST -p tcp --dport 53 -j RETURN
 -A CHECK-LOCALHOST -j ACCEPT
 COMMIT