From a0b994ce22cb77a448b223616c11e4a223744203 Mon Sep 17 00:00:00 2001
From: Haruue <i@haruue.moe>
Date: Mon, 26 Feb 2024 15:43:14 +0800
Subject: [PATCH] fix: verdict is missing for multicast packets

---
 io/nfqueue.go | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/io/nfqueue.go b/io/nfqueue.go
index 77b4141..a4e5e2f 100644
--- a/io/nfqueue.go
+++ b/io/nfqueue.go
@@ -138,9 +138,10 @@ func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
 func (n *nfqueuePacketIO) Register(ctx context.Context, cb PacketCallback) error {
 	err := n.n.RegisterWithErrorFunc(ctx,
 		func(a nfqueue.Attribute) int {
-			if a.PacketID == nil || a.Ct == nil || a.Payload == nil || len(*a.Payload) < 20 {
-				// Invalid packet, ignore
-				// 20 is the minimum possible size of an IP packet
+			if ok, verdict := n.packetAttributeSanityCheck(a); !ok {
+				if a.PacketID != nil {
+					_ = n.n.SetVerdict(*a.PacketID, verdict)
+				}
 				return 0
 			}
 			p := &nfqueuePacket{
@@ -170,6 +171,25 @@ func (n *nfqueuePacketIO) Register(ctx context.Context, cb PacketCallback) error
 	return nil
 }
 
+func (n *nfqueuePacketIO) packetAttributeSanityCheck(a nfqueue.Attribute) (ok bool, verdict int) {
+	if a.PacketID == nil {
+		// Re-inject to NFQUEUE is actually not possible in this condition
+		return false, -1
+	}
+	if a.Payload == nil || len(*a.Payload) < 20 {
+		// 20 is the minimum possible size of an IP packet
+		return false, nfqueue.NfDrop
+	}
+	if a.Ct == nil {
+		// Multicast packets may not have a conntrack, but only appear in local mode
+		if n.local {
+			return false, nfqueue.NfAccept
+		}
+		return false, nfqueue.NfDrop
+	}
+	return true, -1
+}
+
 func (n *nfqueuePacketIO) SetVerdict(p Packet, v Verdict, newPacket []byte) error {
 	nP, ok := p.(*nfqueuePacket)
 	if !ok {