mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0

On new versions, all internet traffic escapes VPN when 10.0.0.0/8 is excluded with netfilter (Linux) #6243

Open termermc opened 3 weeks ago

termermc commented 3 weeks ago

Is it a bug?

I have checked if others have reported this already

### Current Behavior

When excluding traffic to and from 10.0.0.0/8 by setting ctmark 0x00000f41 and fwmark 0x6d6f6c65 on outgoing and incoming traffic to and from 10.0.0.0/8, all internet traffic is excluded and sent over the host's internet connection, rather than being tunneled.

### Expected Behavior

When excluding traffic to and from 10.0.0.0/8 by setting ctmark 0x00000f41 and fwmark 0x6d6f6c65 on outgoing and incoming traffic to and from 10.0.0.0/8, only that traffic should be excluded.

### Steps to Reproduce

1. Update to app 2024.4
2. Apply the following netfilter ruleset:

   ```nft
   define EXCLUDED_IPS_V4 = {
       10.0.0.0/8,
   }

   table inet excludeTraffic {
       chain excludeOutgoing1 {
           type route hook output priority 0; policy accept;
           ip daddr $EXCLUDED_IPS_V4 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
       }

       chain allowIncoming {
           type filter hook input priority -100; policy accept;
           ip daddr $EXCLUDED_IPS_V4 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
       }

       chain allowOutgoing2 {
           type route hook output priority -100; policy accept;
           ip saddr $EXCLUDED_IPS_V4 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
       }
   }
   ```

3. Check your external IP address

### Failure Logs

_No response_

### Operating system version

Linux 6.8.9-arch1-2

### Mullvad VPN app version

Broke in `2024.2`. Worked fine on `2024.1`.

### Additional Information

This was not the result of a kernel upgrade because it started happening immediately after updating Mullvad without restarting my system.
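The following is an added example, not part of this issue and not Mullvad's code. It is a small offline checker for exclusion rulesets of the kind shown in the report: it parses the nft subset used above (`define` sets, `chain` blocks with a hook/priority line and `ip saddr`/`ip daddr` rules that set `ct mark` and `meta mark`), lints for any rule that applies the exclusion fwmark `0x6d6f6c65` without an address match (such a rule would push every packet on that hook out of the tunnel), and reports which sample packets the ruleset would mark. It models only the marking done by these chains, not how the app's policy-routing rules then treat the mark, so it cannot reproduce the bug itself; it is a way to confirm that a ruleset is scoped the way its author believes. The embedded ruleset is a constructed copy of the one in the report; the parser, helper names and sample addresses are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: the report's ruleset, copied here so the checker runs offline.
RULESET = """
define EXCLUDED_IPS_V4 = {
    10.0.0.0/8,
}

table inet excludeTraffic {
    chain excludeOutgoing1 {
        type route hook output priority 0; policy accept;
        ip daddr $EXCLUDED_IPS_V4 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
    }
    chain allowIncoming {
        type filter hook input priority -100; policy accept;
        ip daddr $EXCLUDED_IPS_V4 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
    }
    chain allowOutgoing2 {
        type route hook output priority -100; policy accept;
        ip saddr $EXCLUDED_IPS_V4 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
    }
}
"""

EXCLUSION_FWMARK = 0x6d6f6c65  # fwmark value quoted in the report

# Assumed grammar: only the nft subset used in the report is understood.
_DEFINE_RE = re.compile(r"define\s+(\w+)\s*=\s*\{([^}]*)\}")
_CHAIN_RE = re.compile(r"chain\s+(\w+)\s*\{([^{}]*)\}")
_HOOK_RE = re.compile(r"type\s+\w+\s+hook\s+(\w+)\s+priority\s+(-?\d+)")
_ADDR_RE = re.compile(r"ip\s+(saddr|daddr)\s+(\$\w+|[\d./]+)")
_FWMARK_RE = re.compile(r"meta\s+mark\s+set\s+(0x[0-9a-fA-F]+|\d+)")
_CTMARK_RE = re.compile(r"ct\s+mark\s+set\s+(0x[0-9a-fA-F]+|\d+)")


def parse_ruleset(text):
    """Return (sets, chains): named sets as ip_network lists, chains as dicts."""
    sets = {}
    for name, body in _DEFINE_RE.findall(text):
        sets[name] = [ipaddress.ip_network(tok.strip())
                      for tok in body.split(",") if tok.strip()]
    chains = []
    for name, body in _CHAIN_RE.findall(text):
        chain = {"name": name, "hook": None, "priority": 0, "rules": []}
        for stmt in (s.strip() for s in body.split(";")):
            if not stmt or stmt.startswith("policy"):
                continue
            hook = _HOOK_RE.match(stmt)
            if hook:
                chain["hook"], chain["priority"] = hook.group(1), int(hook.group(2))
                continue
            rule = {"field": None, "nets": [], "fwmark": None, "ctmark": None}
            addr = _ADDR_RE.search(stmt)
            if addr:  # address selector; a rule without one matches every packet
                rule["field"], ref = addr.group(1), addr.group(2)
                rule["nets"] = sets[ref[1:]] if ref.startswith("$") else [ipaddress.ip_network(ref)]
            fw, ct = _FWMARK_RE.search(stmt), _CTMARK_RE.search(stmt)
            rule["fwmark"] = int(fw.group(1), 0) if fw else None
            rule["ctmark"] = int(ct.group(1), 0) if ct else None
            chain["rules"].append(rule)
        chains.append(chain)
    return sets, chains


def unscoped_mark_rules(chains):
    """Lint: (chain, rule index) pairs that set the exclusion fwmark unconditionally."""
    return [(c["name"], i) for c in chains for i, r in enumerate(c["rules"])
            if r["fwmark"] == EXCLUSION_FWMARK and r["field"] is None]


def fwmark_for(chains, hook, saddr, daddr):
    """Walk the chains on `hook` in priority order; return the packet's final fwmark."""
    saddr, daddr = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    mark = None
    for chain in sorted((c for c in chains if c["hook"] == hook), key=lambda c: c["priority"]):
        for rule in chain["rules"]:
            addr = saddr if rule["field"] == "saddr" else daddr
            if rule["field"] is not None and not any(addr in n for n in rule["nets"]):
                continue
            if rule["fwmark"] is not None:
                mark = rule["fwmark"]  # later chains may overwrite an earlier mark
    return mark


def escapes_tunnel(chains, hook, saddr, daddr):
    """True if this ruleset gives the packet the exclusion fwmark."""
    return fwmark_for(chains, hook, saddr, daddr) == EXCLUSION_FWMARK


if __name__ == "__main__":
    _, chains = parse_ruleset(RULESET)
    print("unscoped exclusion rules:", unscoped_mark_rules(chains))
    for hook, s, d in [("output", "192.168.1.5", "10.1.2.3"), ("output", "192.168.1.5", "1.1.1.1")]:
        print(hook, s, "->", d, "excluded" if escapes_tunnel(chains, hook, s, d) else "tunneled")
```

Because the checker only emulates the marking chains, a clean result here says the ruleset is not what sends every packet around the tunnel; if all traffic still escapes, the next thing to compare between app versions is the policy-routing rules (`ip rule` and the tables they reference) that act on the mark.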