fix

daemon/firewall/iptables/iptables.go

@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/netip"
 	"os/exec"
+	"regexp"
 	"sort"
 	"strings"
 	"sync"
@@ -15,8 +16,9 @@ import (
 )
 
 const (
-	ipv4Table = "iptables"
-	ipv6Table = "ip6tables"
+	ipv4Table      = "iptables"
+	ipv6Table      = "ip6tables"
+	defaultComment = "nordvpn"
 )
 
 const (
@@ -119,9 +121,10 @@ func (ipt *IPTables) applyRule(rule firewall.Rule, add bool) error {
 }
 
 func generateFlushRules(rules string) []string {
+	re := regexp.MustCompile(fmt.Sprintf(`--comment\s+%s(?:\s|$)`, regexp.QuoteMeta(defaultComment)))
 	flushRules := []string{}
 	for _, rule := range strings.Split(rules, "\n") {
-		if strings.Contains(rule, "nordvpn") {
+		if re.MatchString(rule) {
 			newRule := strings.Replace(rule, "-A", "-D", 1)
 			flushRules = append(flushRules, newRule)
 		}
@@ -427,7 +430,7 @@ func generateIPTablesRule(
 	jump := " -j "
 
 	if comment == "" {
-		comment = "nordvpn"
+		comment = defaultComment
 	}
 
 	var acceptComment string

daemon/firewall/iptables/iptables_test.go

@@ -704,6 +704,10 @@ func TestGenerateFlushRules(t *testing.T) {
 		"-A FORWARD -d 10.55.97.34/24 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment \"comment b\" -j ACCEPT",
 		"-A FORWARD -i eth0 -m comment --comment \"comment A\" -j REJECT --reject-with icmp-port-unreachable",
 		"-A FORWARD -o eth1 -m comment --comment \"comment B\" -j REJECT --reject-with icmp-port-unreachable",
+		"-A FORWARD -i eth0 -m comment --comment nordvpn-meshnet -j REJECT --reject-with icmp-port-unreachable",
+		"-A FORWARD -o eth1 -m comment --comment meshnet-nordvpn -j REJECT --reject-with icmp-port-unreachable",
+		"-A FORWARD -i eth0 -m comment --comment nordvpn-meshnet-test -j REJECT --reject-with icmp-port-unreachable",
+		"-A FORWARD -o eth1 -m comment --comment \"nordvpn test\" -j REJECT --reject-with icmp-port-unreachable",
 		"-A OUTPUT -d 169.254.0.0/16 -p tcp -m tcp --dport 53 -m comment --comment nordvpn -j DROP",
 		"-A OUTPUT -d 169.254.0.0/16 -p udp -m udp --dport 53 -m comment --comment nordvpn -j DROP",
 		"-A OUTPUT -d 192.168.0.0/16 -p tcp -m tcp --dport 53 -m comment --comment nordvpn -j DROP",

networker/networker.go

@@ -53,7 +53,8 @@ const (
 	allowIncomingRule = "-allow-rule-"
 	// a string to be prepended with peers public key and appended with peers ip address to form the internal rule name
 	// for blocking incoming connections into local networks
-	blockLanRule = "-block-lan-rule-"
+	blockLanRule               = "-block-lan-rule-"
+	meshnetFirewallRuleComment = "nordvpn-meshnet"
 )
 
 // ConnectionStatus of a currently active connection
@@ -1080,6 +1081,9 @@ func (netw *Combined) UnsetFirewall() error {
 	netw.mu.Lock()
 	defer netw.mu.Unlock()
 
+	if netw.isKillSwitchSet {
+		return nil
+	}
 	return netw.fw.Flush()
 }
 
@@ -1456,7 +1460,8 @@ func (netw *Combined) allowIncoming(publicKey string, address netip.Addr, lanAll
 		RemoteNetworks: []netip.Prefix{
 			netip.PrefixFrom(address, address.BitLen()),
 		},
-		Allow: true,
+		Allow:   true,
+		Comment: meshnetFirewallRuleComment,
 	}
 	rules = append(rules, rule)
 
@@ -1480,7 +1485,8 @@ func (netw *Combined) allowIncoming(publicKey string, address netip.Addr, lanAll
 			RemoteNetworks: []netip.Prefix{
 				netip.PrefixFrom(address, address.BitLen()),
 			},
-			Allow: false,
+			Allow:   false,
+			Comment: meshnetFirewallRuleComment,
 		}
 
 		rules = append(rules, rule)
@@ -1512,7 +1518,8 @@ func (netw *Combined) allowFileshare(publicKey string, address netip.Addr) error
 		RemoteNetworks: []netip.Prefix{
 			netip.PrefixFrom(address, address.BitLen()),
 		},
-		Allow: true,
+		Allow:   true,
+		Comment: meshnetFirewallRuleComment,
 	}}
 
 	ruleIndex := slices.Index(netw.rules, ruleName)
@@ -1692,6 +1699,7 @@ func (netw *Combined) defaultMeshBlock(ip netip.Addr) error {
 			Direction:      firewall.Inbound,
 			RemoteNetworks: []netip.Prefix{defaultMeshSubnet},
 			Allow:          false,
+			Comment:        meshnetFirewallRuleComment,
 		},
 		// Allow inbound traffic for the existing connections
 		// E. g. this device is making some calls to another
@@ -1708,7 +1716,8 @@ func (netw *Combined) defaultMeshBlock(ip netip.Addr) error {
 					firewall.Established,
 				},
 			},
-			Allow: true,
+			Allow:   true,
+			Comment: meshnetFirewallRuleComment,
 		},
 	}); err != nil {
 		return err