Skip to content

tun.include_interface generates empty iifname rules #3805

Open
Open
tun.include_interface generates empty iifname rules#3805
Labels
bugSomething isn't working
Milestone
1.13 Next
@TakaiSaisei

Description

@TakaiSaisei
TakaiSaisei
opened on Feb 17, 2026

Operating system

Linux

System version

OpenWrt 24.10

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.13.0-rc.4

Environment: go1.25.7 linux/arm64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0,with_naive_outbound,with_musl
Revision: 804606042f75e593433db76cc43d31056823bbfc
CGO: enabled

Description

When using tun inbound with auto_route + auto_redirect, include_interface and exclude_interface works correctly if only one interface is specified, but generates invalid nftables rules when more than one interface is provided.

Reproduction

Configuration with a single interface:

{
  "type": "tun",
  "tag": "tun-in",
  "address": ["172.18.0.1/30", "fdfe:dcba:9876::1/126"],
  "include_interface": ["br-lan"],
  "auto_route": true,
  "strict_route": true,
  "auto_redirect": true,
  "stack": "system"
}

Generated nft rule:

root@OpenWrt:~# nft list chain inet sing-box prerouting
table inet sing-box {
	chain prerouting {
		...
		iifname != "br-lan" counter packets 0 bytes 0 return

Configuration with multiple interfaces:

{
  "type": "tun",
  "tag": "tun-in",
  "address": ["172.18.0.1/30", "fdfe:dcba:9876::1/126"],
  "include_interface": ["br-lan", "wg0"],
  "auto_route": true,
  "strict_route": true,
  "auto_redirect": true,
  "stack": "system"
}

Generated nft rule:

root@OpenWrt:~# nft list chain inet sing-box prerouting
table inet sing-box {
	chain prerouting {
		...
		iifname != { "", "" } counter packets 457 bytes 26768 return

Logs



Supporter



Integrity requirements


    

  •  I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
    • 

  •  I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
    • 

  •  I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
    • 

  •  I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.
    • 

Metadata
Metadata
Assignees
No one assigned
    Labels
    bugSomething isn't working
    Type
    No type
    Projects
    No projects
    Milestone
    Relationships
    None yet
    Development
    No branches or pull requests
    Issue actions