On some kernels (4.19), adding the interception rule to the
inet-mangle-output chain failed.
According to the nftables wiki, the mangle-output chain has (must?) to
be of type Route:
"route type: ... mangle table ... for the output hook (for other
hooks use type filter instead)."
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_types
So if we fail adding the interception rule, we retry it with type Filter
instead of Route.
Related: #781, ced9a24
This is part of latest commit ced9a24933
- When reusing a chain, configure the new policy.
- Don't backup existing rules when reloading the configuration.
On some systems after disabling and enabling the interception, the
DNS rule was not being re-added, with error: chain already exists.
When the interception is disabled, we firstly remove the rules,
and secondly, if the chain and table are empty, we try to remove them
as well.
However, on some systems even if "nft list ruleset" didn't list the
chains to hold our rules, it failed with error "already exists".
Before adding a chain now we check if it exists, and if it does we
reuse it.
Closes #781
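The chain-reuse and route-to-filter fallback described in the two messages above, as an added Go example that is not opensnitch's own code: Ruleset is a constructed in-memory stand-in for the kernel's nftables state (no netlink calls are made), and EnsureChain is a hypothetical helper whose name and signature are assumptions.

```go
package main

import "errors"

// ChainSpec is a base chain as the commit describes it: table, name, hook,
// type ("route" or "filter") and policy.
type ChainSpec struct{ Table, Chain, Hook, Type, Policy string }

// Ruleset is a constructed in-memory stand-in for the kernel's nftables state
// (not opensnitch code); RejectRoute imitates a 4.19 kernel refusing type route.
type Ruleset struct {
	RejectRoute bool
	Chains      map[string]ChainSpec
}

func (r *Ruleset) key(s ChainSpec) string { return s.Table + "/" + s.Chain }
func (r *Ruleset) AddChain(s ChainSpec) error {
	if r.RejectRoute && s.Type == "route" {
		return errors.New("Operation not supported")
	}
	if _, ok := r.Chains[r.key(s)]; ok {
		return errors.New("chain already exists")
	}
	r.Chains[r.key(s)] = s
	return nil
}

// EnsureChain reuses an existing chain (re-applying only its policy) instead of
// failing with "chain already exists"; otherwise it adds the chain and, if a
// route-type output chain is rejected, retries with type filter. It returns the
// chain type that ended up in the ruleset.
func EnsureChain(r *Ruleset, s ChainSpec) (string, error) {
	if c, ok := r.Chains[r.key(s)]; ok {
		c.Policy = s.Policy
		r.Chains[r.key(s)] = c
		return c.Type, nil
	}
	err := r.AddChain(s)
	if err == nil {
		return s.Type, nil
	}
	if s.Type != "route" || s.Hook != "output" {
		return "", err
	}
	s.Type = "filter" // fallback: same chain, type filter instead of route
	if err := r.AddChain(s); err != nil {
		return "", err
	}
	return s.Type, nil
}
```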
* Allow configuring firewall rules from the GUI (WIP)
New features:
- Configure and list system firewall rules from the GUI (nftables).
- Configure chains' policies.
- Add simple rules to allow incoming ports.
- Add simple rules to exclude apps (ports) from being intercepted.
This feature is only available for nftables. iptables is still supported,
you can add rules to the configuration file and they'll be loaded, but
you can't configure them from the GUI.
More information: #592