From ac638f32c03f42fc52269caf0e049f551f55bfbd Mon Sep 17 00:00:00 2001
From: Anton Tolchanov <anton@tailscale.com>
Date: Thu, 9 May 2024 10:26:57 +0100
Subject: [PATCH] util/linuxfw: fix stateful packet filtering in nftables mode

To match iptables:
https://github.com/tailscale/tailscale/blob/b5dbf155b1b0fbd5947160d8bca4085c6ff039a5/util/linuxfw/iptables_runner.go#L536

Updates #12066

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
---
 util/linuxfw/nftables_runner.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/linuxfw/nftables_runner.go b/util/linuxfw/nftables_runner.go
index d239ac12f..3a205afd1 100644
--- a/util/linuxfw/nftables_runner.go
+++ b/util/linuxfw/nftables_runner.go
@@ -1773,7 +1773,7 @@ func makeStatefulRuleExprs(tunname string) []expr.Any {
 		// going to our TUN.
 		&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
 		&expr.Cmp{
-			Op:       expr.CmpOpNeq,
+			Op:       expr.CmpOpEq,
 			Register: 1,
 			Data:     []byte(tunname),
 		},