fix: update SKIP_PORTS to include port 53 and add NftRuleIgnorePorts in nftables

src/internal/netfilter/firewall.go

@@ -25,7 +25,7 @@ const (
 const (
 	LANSET       = "UA3F_LAN"
 	SKIP_IPSET   = "UA3F_SKIP_IPSET"
-	SKIP_PORTS   = "22,51080,51090"
+	SKIP_PORTS   = "22,53,51080,51090"
 	FAKEIP_RANGE = "198.18.0.0/16,198.18.0.1/15,28.0.0.1/8"
 	HELPER_QUEUE = 10301
 	DESYNC_QUEUE = 10901

src/internal/server/desync/nftables.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/sunbk201/ua3f/internal/netfilter"
 	"sigs.k8s.io/knftables"
 )
 
@@ -49,7 +50,13 @@ func (s *Server) NftSetDesync(tx *knftables.Transaction, table *knftables.Table)
 		Hook:     knftables.PtrTo(knftables.PostroutingHook),
 		Priority: knftables.PtrTo(knftables.BaseChainPriority("mangle - 30")),
 	}
-	rule := &knftables.Rule{
+	tx.Add(chain)
+
+	tx.Add(&knftables.Rule{
+		Chain: chain.Name,
+		Rule:  netfilter.NftRuleIgnorePorts,
+	})
+	tx.Add(&knftables.Rule{
 		Chain: chain.Name,
 		Rule: knftables.Concat(
 			"ip length > 41",
@@ -60,7 +67,6 @@ func (s *Server) NftSetDesync(tx *knftables.Transaction, table *knftables.Table)
 			fmt.Sprintf("ct packets < %d", s.CtPackets),
 			fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum),
 		),
-	}
+	})
-	tx.Add(chain)
+
-	tx.Add(rule)
 }

src/internal/server/netlink/nftables.go

@@ -121,15 +121,18 @@ func (s *Server) NftHookTCPSyn(tx *knftables.Transaction, table *knftables.Table
 		Priority: knftables.PtrTo(knftables.ManglePriority),
 	}
 	tx.Add(chain)
-	var rule *knftables.Rule
+
-	rule = &knftables.Rule{
+	tx.Add(&knftables.Rule{
+		Chain: chain.Name,
+		Rule:  netfilter.NftRuleIgnorePorts,
+	})
+	tx.Add(&knftables.Rule{
 		Chain: chain.Name,
 		Rule: knftables.Concat(
 			"tcp flags syn",
 			fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum),
 		),
-	}
+	})
-	tx.Add(rule)
 }
 
 func (s *Server) NftSetIP(tx *knftables.Transaction, table *knftables.Table) {