Fix: FIREWALL_OUTBOUND_SUBNETS ip rules

internal/routing/inbound.go

@@ -14,11 +14,7 @@ const (
 )
 
 var (
-	errDefaultIP   = errors.New("cannot get default IP address")
+	errDefaultIP = errors.New("cannot get default IP address")
-	errRuleAdd     = errors.New("cannot add rule")
-	errRouteAdd    = errors.New("cannot add route")
-	errRuleDelete  = errors.New("cannot delete rule")
-	errRouteDelete = errors.New("cannot delete route")
 )
 
 func (r *Routing) routeInboundFromDefault(defaultGateway net.IP,

internal/routing/outbound.go

@@ -8,6 +8,11 @@ import (
 	"github.com/qdm12/gluetun/internal/subnet"
 )
 
+const (
+	outboundTable    = 199
+	outboundPriority = 99
+)
+
 var (
 	errAddOutboundSubnet = errors.New("cannot add outbound subnet to routes")
 )
@@ -51,13 +56,22 @@ func (r *Routing) setOutboundRoutes(outboundSubnets []net.IPNet,
 
 func (r *Routing) removeOutboundSubnets(subnets []net.IPNet,
 	defaultInterfaceName string, defaultGateway net.IP) (warnings []string) {
-	for _, subNet := range subnets {
+	for i, subNet := range subnets {
-		const table = 0
+		err := r.deleteRouteVia(subNet, defaultGateway, defaultInterfaceName, outboundTable)
-		if err := r.deleteRouteVia(subNet, defaultGateway, defaultInterfaceName, table); err != nil {
+		if err != nil {
 			warnings = append(warnings, err.Error())
 			continue
 		}
 
+		ruleSrcNet := (*net.IPNet)(nil)
+		ruleDstNet := &subnets[i]
+		err = r.deleteIPRule(ruleSrcNet, ruleDstNet, outboundTable, outboundPriority)
+		if err != nil {
+			warnings = append(warnings,
+				errRuleDelete.Error()+": for subnet "+subNet.String()+": "+err.Error())
+			continue
+		}
+
 		r.outboundSubnets = subnet.RemoveSubnetFromSubnets(r.outboundSubnets, subNet)
 	}
 
@@ -66,11 +80,21 @@ func (r *Routing) removeOutboundSubnets(subnets []net.IPNet,
 
 func (r *Routing) addOutboundSubnets(subnets []net.IPNet,
 	defaultInterfaceName string, defaultGateway net.IP) error {
-	for _, subnet := range subnets {
+	for i, subnet := range subnets {
-		const table = 0
+		err := r.addRouteVia(subnet, defaultGateway, defaultInterfaceName, outboundTable)
-		if err := r.addRouteVia(subnet, defaultGateway, defaultInterfaceName, table); err != nil {
+		if err != nil {
-			return fmt.Errorf("%w: for subnet %s", err, subnet)
+			return fmt.Errorf("%w: for subnet %s: %s",
+				errRouteAdd, subnet, err)
 		}
+
+		ruleSrcNet := (*net.IPNet)(nil)
+		ruleDstNet := &subnets[i]
+		err = r.addIPRule(ruleSrcNet, ruleDstNet, outboundTable, outboundPriority)
+		if err != nil {
+			return fmt.Errorf("%w: for subnet %s: %s",
+				errRuleAdd, subnet, err)
+		}
+
 		r.outboundSubnets = append(r.outboundSubnets, subnet)
 	}
 	return nil

internal/routing/routes.go

@@ -10,7 +10,9 @@ import (
 )
 
 var (
-	errLinkByName = errors.New("cannot obtain link by name")
+	errLinkByName  = errors.New("cannot obtain link by name")
+	errRouteAdd    = errors.New("cannot add route")
+	errRouteDelete = errors.New("cannot delete route")
 )
 
 func (r *Routing) addRouteVia(destination net.IPNet, gateway net.IP,

internal/routing/rules.go

@@ -10,7 +10,9 @@ import (
 )
 
 var (
-	errRulesList = errors.New("cannot list rules")
+	errRulesList  = errors.New("cannot list rules")
+	errRuleAdd    = errors.New("cannot add rule")
+	errRuleDelete = errors.New("cannot delete rule")
 )
 
 func (r *Routing) addIPRule(src, dst *net.IPNet, table, priority int) error {