fix mangle rules for incoming traffic

Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/cd3e8833d70618c4eea8df06f95b364b016d4950' (2024-10-26)
  → 'github:NixOS/nixpkgs/7109b680d161993918b0a126f38bc39763e5a709' (2024-12-09)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/18536bf04cd71abd345f9579158841376fdd0c5a' (2024-10-25)
  → 'github:NixOS/nixpkgs/a73246e2eef4c6ed172979932bc80e1404ba2d56' (2024-12-09)

flake.lock

@@ -76,11 +76,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1729973466,
+        "lastModified": 1733730953,
-        "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
+        "narHash": "sha256-dlK7n82FEyZlHH7BFHQAM5tua+lQO1Iv7aAtglc1O5s=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950",
+        "rev": "7109b680d161993918b0a126f38bc39763e5a709",
         "type": "github"
       },
       "original": {
@@ -107,11 +107,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1729880355,
+        "lastModified": 1733759999,
-        "narHash": "sha256-RP+OQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM=",
+        "narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "18536bf04cd71abd345f9579158841376fdd0c5a",
+        "rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56",
         "type": "github"
       },
       "original": {

flake.nix

@@ -59,6 +59,12 @@
         inputs = inputs;
         pkgs-unstable = import nixpkgs-unstable {
           inherit system;
+          config.permittedInsecurePackages = [
+            "aspnetcore-runtime-6.0.36"
+            "aspnetcore-runtime-wrapped-6.0.36"
+            "dotnet-sdk-6.0.428"
+            "dotnet-sdk-wrapped-6.0.428"
+          ];
         };
         pkgs-4a3fc4cf7 = import nixpkgs-4a3fc4cf7 {
           inherit system;

systems/LoutreOS/network.nix

@@ -88,9 +88,14 @@
         ip46tables -w -t mangle -X loutreos-mangle-pre 2>/dev/null || true
         ip46tables -w -t mangle -N loutreos-mangle-pre
 
-        # Restore the packet's CONNMARK to the MARK for existing connections
+        # Restore the packet's CONNMARK to the MARK for existing incoming connections
         ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --restore-mark
 
+        # Restore CONNMARK to MARK for outgoing packets before final routing decision
+        ip46tables -w -t mangle -D OUTPUT -j CONNMARK --restore-mark 2>/dev/null || true
+        ip46tables -w -t mangle -A OUTPUT -j CONNMARK --restore-mark
+
+
         # If packet MARK is set, then it means that there is already a connection mark
         ip46tables -w -t mangle -A loutreos-mangle-pre -m mark ! --mark 0 -j ACCEPT
 
@@ -100,8 +105,11 @@
         ip46tables -w -t mangle -A loutreos-mangle-pre -i enp0s21u1 -j MARK --set-mark 2
         ip46tables -w -t mangle -A loutreos-mangle-pre -i wg0 -j MARK --set-mark 3
 
+        # Save new mark in CONNMARK
+        ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --save-mark
+
         # Jump to newly created target 
-        ip46tables -w -t mangle -A PREROUTING -j loutreos-mangle-pre
+        ip46tables -w -t mangle -I PREROUTING 1 -j loutreos-mangle-pre
 
         # Save MARK to CONNMARK.
         ip46tables -w -t mangle -D POSTROUTING -j CONNMARK --save-mark 2>/dev/null || true