From 9de776f21b590ba19152d0aa65c5f149c02bf834 Mon Sep 17 00:00:00 2001
From: SunBK201
Date: Wed, 10 Dec 2025 18:18:04 +0800
Subject: [PATCH] feat: ignore zero ipid packet

---
 src/internal/server/netlink/nftables.go | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/internal/server/netlink/nftables.go b/src/internal/server/netlink/nftables.go
index 8339d77..3d719f6 100644
--- a/src/internal/server/netlink/nftables.go
+++ b/src/internal/server/netlink/nftables.go
@@ -32,7 +32,7 @@ func (s *Server) nftSetup() error {
 		s.NftHookTCPSyn(tx, s.Nftable)
 	}
 	if s.cfg.SetIPID {
-		s.NftSetIP(tx, s.Nftable)
+		s.NftHookIP(tx, s.Nftable)
 	}
 
 	if err := nft.Run(context.TODO(), tx); err != nil {
@@ -135,7 +135,7 @@ func (s *Server) NftHookTCPSyn(tx *knftables.Transaction, table *knftables.Table
 	})
 }
 
-func (s *Server) NftSetIP(tx *knftables.Transaction, table *knftables.Table) {
+func (s *Server) NftHookIP(tx *knftables.Transaction, table *knftables.Table) {
 	chain := &knftables.Chain{
 		Name: "HELPER_QUEUE",
 		Table: table.Name,
@@ -143,15 +143,25 @@ func (s *Server) NftSetIP(tx *knftables.Transaction, table *knftables.Table) {
 		Hook: knftables.PtrTo(knftables.PostroutingHook),
 		Priority: knftables.PtrTo(knftables.ManglePriority),
 	}
-	rule := &knftables.Rule{
+	tx.Add(chain)
+
+	if s.cfg.SetTCPInitialWindow || s.cfg.DelTCPTimestamp {
+		tx.Add(&knftables.Rule{
+			Chain: chain.Name,
+			Rule: knftables.Concat(
+				"tcp flags syn",
+				fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum),
+			),
+		})
+	}
+	tx.Add(&knftables.Rule{
 		Chain: chain.Name,
 		Rule: knftables.Concat(
+			"ip id != 0",
 			"meta l4proto tcp",
 			fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum),
 		),
-	}
-	tx.Add(chain)
-	tx.Add(rule)
+	})
 }
 
 // unused currently
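Review bot: The added `ip id != 0` match also narrows the second rule to IPv4, so if this table is of the inet family, IPv6 TCP traffic that the old `meta l4proto tcp` rule sent to the queue no longer reaches it; the table family is not visible in this hunk, so either confirm the table is IPv4-only or add a parallel `ip6` rule. The SYN rule added under `SetTCPInitialWindow || DelTCPTimestamp` looks like it overlaps with what `NftHookTCPSyn` (called just above in nftSetup) installs; if both chains hook postrouting, a SYN may be queued twice, which deserves either a guard or a comment explaining why both rules are intended. `NftHookIP` is exported but carries no doc comment; suggest `// NftHookIP installs the HELPER_QUEUE postrouting chain that queues IPv4 TCP packets with a non-zero IP ID (and every SYN when window or timestamp rewriting is enabled) to the nfqueue.` The function's signature sits in the previous hunk, outside this one.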