From 729ded0c6125e05f69a22ee55302555eb10246cf Mon Sep 17 00:00:00 2001
From: bol-van
Date: Fri, 9 May 2025 11:17:21 +0300
Subject: [PATCH] nfqws: conntrack workaround TTL=1

---
 nfq/desync.c | 15 ++++++++++++---
 nfq/nfqws.c | 4 +---
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/nfq/desync.c b/nfq/desync.c
index b68db11..e5efc00 100644
--- a/nfq/desync.c
+++ b/nfq/desync.c
@@ -564,9 +564,18 @@ static uint8_t ct_new_postnat_fix(const t_ctrack *ctrack, struct ip *ip, struct
 if (ctrack && ctrack->pcounter_orig==1 || tcp && (tcp_syn_segment(tcp) || tcp_synack_segment(tcp)))
 {
 DLOG("applying linux postnat conntrack workaround\n");
- // make ip protocol invalid
- if (ip6) ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt = 255;
- if (ip) ip->ip_p = 255; // this also makes ipv4 header checksum invalid
+ // make ip protocol invalid and low TTL
+ if (ip6)
+ {
+ ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt = 255;
+ ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim = 1;
+ }
+ if (ip)
+ {
+ // this likely also makes ipv4 header checksum invalid
+ ip->ip_p = 255;
+ ip->ip_ttl = 1;
+ }
 return VERDICT_MODIFY | VERDICT_NOCSUM;
 }
 #endif
diff --git a/nfq/nfqws.c b/nfq/nfqws.c
index b860b4a..9455201 100644
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@@ -296,6 +296,7 @@ static int nfq_main(void)
 return 1;
 }
+ sec_harden();
 if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps())
 goto err;
 print_id();
@@ -307,9 +308,6 @@ static int nfq_main(void)
 if (params.daemon) daemonize();
- // do it only after daemonize because daemonize needs fork
- sec_harden();
-
 if (Fpid)
 {
 if (fprintf(Fpid, "%d", getpid())<=0)
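Review bot: The new TTL/hop-limit write in ct_new_postnat_fix is not explained: the added comment "make ip protocol invalid and low TTL" says what is written but not why a hop limit of 1 is needed on top of the already-invalid protocol field, and the IPv4 comment now hedges ("likely") about the checksum even though the function deliberately returns VERDICT_NOCSUM so the stale header checksum is intended. I would replace the two comments with one that states the intent, e.g. `// protocol 255 makes the header unparseable for conntrack; TTL/hop limit 1 additionally stops the packet at the first router if the bogus protocol is ever accepted (an on-link peer could still receive it). Header checksum is left stale on purpose (VERDICT_NOCSUM).` The outer condition on the first context line mixes `&&` and `||` without parentheses; it is pre-existing, but since this block is being touched, parenthesising `(ctrack && ctrack->pcounter_orig==1) || (tcp && ...)` would make the intended precedence explicit. ct_new_postnat_fix begins outside the hunk.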
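Review bot: Moving sec_harden() to before droproot()/dropcaps() and before daemonize() removes the only comment that documented an ordering constraint ("do it only after daemonize because daemonize needs fork"), and the new call site carries no replacement. If sec_harden() restricts the syscalls or privileges available afterwards, the new order requires it to leave fork (used by daemonize later in nfq_main) and the setuid/setgid/capability-drop calls usable; I cannot see its body here, so this is inferred from the deleted comment. Please add a comment at the new call, e.g. `// sec_harden() must keep fork (daemonize) and the uid/gid/capability drop usable; done first so hardening also covers the privilege drop`, or a note in sec_harden() itself stating what it leaves permitted. The same point applies to the second hunk of nfqws.c, which only deletes the old call and comment. nfq_main starts outside both hunks.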