[client] Fix DNS resolution with userspace WireGuard and kernel firewall (#5873)

2026-04-19 00:36:38 +00:00 · 2026-04-13 23:23:57 +09:00
parent 13539543af
commit 4eed459f27
5 changed files with 146 additions and 45 deletions
--- a/client/firewall/create_linux.go
+++ b/client/firewall/create_linux.go
@@ -56,6 +56,13 @@ func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogg
 		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
 	}

+	// Native firewall handles packet filtering, but the userspace WireGuard bind
+	// needs a device filter for DNS interception hooks. Install a minimal
+	// hooks-only filter that passes all traffic through to the kernel firewall.
+	if err := iface.SetFilter(&uspfilter.HooksFilter{}); err != nil {
+		log.Warnf("failed to set hooks filter, DNS via memory hooks will not work: %v", err)
+	}
+
 	return fm, nil
 }