From f366aa2ce93beffb3e697b80f68e418c5e7298b1 Mon Sep 17 00:00:00 2001
From: SunBK201
Date: Fri, 21 Nov 2025 01:27:46 +0800
Subject: [PATCH] fix: ipid only for tcp
---
 src/internal/server/netlink/iptables.go | 1 +
 src/internal/server/netlink/nftables.go | 1 +
 2 files changed, 2 insertions(+)
diff --git a/src/internal/server/netlink/iptables.go b/src/internal/server/netlink/iptables.go
index fd1be09..7aa9820 100644
--- a/src/internal/server/netlink/iptables.go
+++ b/src/internal/server/netlink/iptables.go
@@ -28,6 +28,7 @@ var RuleDelTCPTS = []string{
 }
 
 var RuleIP = []string{
+ "-p", "tcp",
 "-j", "NFQUEUE",
 "--queue-num", strconv.Itoa(netfilter.HELPER_QUEUE),
 "--queue-bypass",
diff --git a/src/internal/server/netlink/nftables.go b/src/internal/server/netlink/nftables.go
index 2d0aa26..efb3aba 100644
--- a/src/internal/server/netlink/nftables.go
+++ b/src/internal/server/netlink/nftables.go
@@ -114,6 +114,7 @@ func (s *Server) NftSetIP(tx *knftables.Transaction, table *knftables.Table) {
 rule := &knftables.Rule{
 Chain: chain.Name,
 Rule: knftables.Concat(
+ "meta l4proto tcp",
 fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum),
 ),
 }
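Review bot: `RuleIP` in iptables.go now carries `"-p", "tcp"` with no comment explaining the restriction, so a later reader cannot tell whether leaving UDP, ICMP and other protocols out of the queue is intended. I would add a comment above the slice such as `// RuleIP queues only TCP packets to the helper NFQUEUE; non-TCP traffic no longer reaches the queue handler.` The rule also keeps `--queue-bypass`, which accepts packets when no program is bound to the queue, so the same comment could record that the rule fails open. The slice literal continues past the end of the hunk.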
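Review bot: The two backends take the queue number from different places: the nftables rule in `NftSetIP` formats `s.nfqServer.QueueNum`, while `RuleIP` in iptables.go uses the constant `netfilter.HELPER_QUEUE`. If those two can ever differ (not visible from this patch), one backend would queue to a number nothing listens on, and because both rules request bypass the packets would pass unprocessed without any error. Consider building both rules from the same value, or stating in the doc comment of `NftSetIP` that `QueueNum` always equals `HELPER_QUEUE`. `NftSetIP` begins and ends outside the hunk.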