From 16a08cb5a37fc21016da9dce195bdbdbd16cf415 Mon Sep 17 00:00:00 2001
From: SunBK201
Date: Fri, 21 Nov 2025 01:27:18 +0800
Subject: [PATCH] fix: ensure firewall setup netlink helper behind nfqueue server

---
 src/internal/server/nfqueue/iptables.go | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/internal/server/nfqueue/iptables.go b/src/internal/server/nfqueue/iptables.go
index d63026a..1a153d3 100644
--- a/src/internal/server/nfqueue/iptables.go
+++ b/src/internal/server/nfqueue/iptables.go
@@ -4,6 +4,7 @@ package nfqueue
 
 import (
 	"strconv"
+	"strings"
 
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/sunbk201/ua3f/internal/netfilter"
@@ -36,7 +37,13 @@ func (s *Server) iptSetup() error {
 		return err
 	}
 
-	err = ipt.Append(table, jumpPoint, JumpChain...)
+	// ensure netlink helper behind nfqueue server
+	pos, exists := s.detectNfqueue(ipt)
+	if !exists {
+		err = ipt.Append(table, jumpPoint, JumpChain...)
+	} else {
+		err = ipt.Insert(table, jumpPoint, pos-1, JumpChain...)
+	}
 	if err != nil {
 		return err
 	}
@@ -97,3 +104,17 @@ func (s *Server) IptSetNfqueue(ipt *iptables.IPTables) error {
 	}
 	return nil
 }
+
+// detect if iptables nfqueue rule exists and return nfqueue rule position
+func (s *Server) detectNfqueue(ipt *iptables.IPTables) (pos int, exists bool) {
+	rules, err := ipt.List(table, jumpPoint)
+	if err != nil {
+		return 0, false
+	}
+	for i, rule := range rules {
+		if strings.Contains(rule, "NFQUEUE") {
+			return i + 1, true
+		}
+	}
+	return 0, false
+}
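Review bot: A failed `ipt.List` inside the new `detectNfqueue` is folded into `(0, false)`, so the `!exists` branch in `iptSetup` silently falls back to `Append` and places the helper rule after any existing NFQUEUE rule, which is exactly the ordering this commit sets out to prevent; the listing error should be returned so `iptSetup` fails loudly instead. The substring test `strings.Contains(rule, "NFQUEUE")` also matches any rule whose text merely mentions the word (a `-m comment` string, for example), so matching on the jump target, `strings.Contains(rule, "-j NFQUEUE")`, is more precise; the position arithmetic relies on `List` returning the chain header as entry 0 (so entry i is rule number i), which is worth stating in the comment, and returning the insert position directly avoids the `i + 1` / `pos-1` round trip. Both points apply to the second and third hunks; `iptSetup` starts and ends outside the second hunk.

```go
	// Place the netlink helper ahead of any existing NFQUEUE rule in jumpPoint.
	pos, exists, err := s.detectNfqueue(ipt)
	if err != nil {
		return err
	}
	if exists {
		err = ipt.Insert(table, jumpPoint, pos, JumpChain...)
	} else {
		err = ipt.Append(table, jumpPoint, JumpChain...)
	}
	// … unchanged: err check and remainder of iptSetup …

// detectNfqueue reports whether jumpPoint in table already holds a rule jumping
// to NFQUEUE and, if so, the 1-based rule number to insert ahead of it.
// It assumes List returns the chain's -N/-P header as entry 0, so entry i is
// rule number i. A listing failure is reported as an error, not as "absent".
func (s *Server) detectNfqueue(ipt *iptables.IPTables) (pos int, exists bool, err error) {
	rules, err := ipt.List(table, jumpPoint)
	if err != nil {
		return 0, false, err
	}
	for i, rule := range rules {
		if strings.Contains(rule, "-j NFQUEUE") {
			return i, true, nil
		}
	}
	return 0, false, nil
}
```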