From 02bb6f343d07abe97b35bcaf46915f6257c8340e Mon Sep 17 00:00:00 2001
From: SunBK201
Date: Mon, 8 Dec 2025 21:26:45 +0800
Subject: [PATCH] fix: update SKIP_PORTS to include port 53 and add NftRuleIgnorePorts in nftables

---
 src/internal/netfilter/firewall.go | 2 +-
 src/internal/server/desync/nftables.go | 14 ++++++++++----
 src/internal/server/netlink/nftables.go | 11 +++++++----
 3 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/src/internal/netfilter/firewall.go b/src/internal/netfilter/firewall.go
index 0a77ade..76e7093 100644
--- a/src/internal/netfilter/firewall.go
+++ b/src/internal/netfilter/firewall.go
@@ -25,7 +25,7 @@ const (
 const (
 	LANSET = "UA3F_LAN"
 	SKIP_IPSET = "UA3F_SKIP_IPSET"
-	SKIP_PORTS = "22,51080,51090"
+	SKIP_PORTS = "22,53,51080,51090"
 	FAKEIP_RANGE = "198.18.0.0/16,198.18.0.1/15,28.0.0.1/8"
 	HELPER_QUEUE = 10301
 	DESYNC_QUEUE = 10901
diff --git a/src/internal/server/desync/nftables.go b/src/internal/server/desync/nftables.go
index d915785..28b994e 100644
--- a/src/internal/server/desync/nftables.go
+++ b/src/internal/server/desync/nftables.go
@@ -6,6 +6,7 @@ import (
 	"context"
 	"fmt"
+	"github.com/sunbk201/ua3f/internal/netfilter"
 	"sigs.k8s.io/knftables"
 )
@@ -49,7 +50,13 @@ func (s *Server) NftSetDesync(tx *knftables.Transaction, table *knftables.Table)
 		Hook: knftables.PtrTo(knftables.PostroutingHook),
 		Priority: knftables.PtrTo(knftables.BaseChainPriority("mangle - 30")),
 	}
-	rule := &knftables.Rule{
+	tx.Add(chain)
+
+	tx.Add(&knftables.Rule{
+		Chain: chain.Name,
+		Rule: netfilter.NftRuleIgnorePorts,
+	})
+	tx.Add(&knftables.Rule{
 		Chain: chain.Name,
 		Rule: knftables.Concat(
 			"ip length > 41",
@@ -60,7 +67,6 @@ func (s *Server) NftSetDesync(tx *knftables.Transaction, table *knftables.Table)
 			fmt.Sprintf("ct packets < %d", s.CtPackets),
 			fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum),
 		),
-	}
-	tx.Add(chain)
-	tx.Add(rule)
+	})
+
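Review bot: The new rule `Rule: netfilter.NftRuleIgnorePorts` added ahead of the queue rule in NftSetDesync is only effective if that rule string ends in a terminating verdict (e.g. `return` or `accept`) so that matching packets never reach the `counter queue num %d bypass` rule that follows, but the definition of NftRuleIgnorePorts is not part of this patch, so neither its verdict nor its relationship to the updated SKIP_PORTS constant can be checked here; the commit message says it is "added", so either the definition is missing from the patch or it already existed. The same ordering dependency applies to the identical pair of tx.Add calls in the NftHookTCPSyn hunk of src/internal/server/netlink/nftables.go. A one-line comment above the first tx.Add in each function would make the contract explicit, e.g. `// must precede the queue rule: NftRuleIgnorePorts short-circuits traffic on SKIP_PORTS so it is never queued`. NftSetDesync begins before the first hunk and its closing brace is outside the last hunk shown.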
diff --git a/src/internal/server/netlink/nftables.go b/src/internal/server/netlink/nftables.go
index b73856c..8339d77 100644
--- a/src/internal/server/netlink/nftables.go
+++ b/src/internal/server/netlink/nftables.go
@@ -121,15 +121,18 @@ func (s *Server) NftHookTCPSyn(tx *knftables.Transaction, table *knftables.Table
 		Priority: knftables.PtrTo(knftables.ManglePriority),
 	}
 	tx.Add(chain)
-	var rule *knftables.Rule
-	rule = &knftables.Rule{
+
+	tx.Add(&knftables.Rule{
+		Chain: chain.Name,
+		Rule: netfilter.NftRuleIgnorePorts,
+	})
+	tx.Add(&knftables.Rule{
 		Chain: chain.Name,
 		Rule: knftables.Concat(
 			"tcp flags syn",
 			fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum),
 		),
-	}
-	tx.Add(rule)
+	})
 }
 
 func (s *Server) NftSetIP(tx *knftables.Transaction, table *knftables.Table) {
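Review bot: This file's only hunk references `netfilter.NftRuleIgnorePorts` but, unlike the desync file, the patch adds no import of the netfilter package here; this compiles only if src/internal/server/netlink/nftables.go already imports it, which cannot be confirmed from the diff and is worth a build check before merge. Behaviourally, placing the ignore rule before `tcp flags syn` means SYNs to every port in SKIP_PORTS (now including 53) are no longer handed to the queue at all, so whatever the SYN hook does downstream will not see connections to those ports; if that is intended, a comment such as `// SKIP_PORTS traffic is exempted before the SYN hook so it is never queued` would document it. NftHookTCPSyn starts before the hunk.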