From f65e6cbd215e99f34d256c6fd5d944b10b82c071 Mon Sep 17 00:00:00 2001
From: NHAS <jordanatararimu@gmail.com>
Date: Tue, 2 May 2023 17:04:52 +1200
Subject: [PATCH] Fix rule ordering issue, add test to make sure I dont do that
 again

---
 internal/config/test_port_based_rules.json    |  16 ++++
 .../test_route_restriction_preference.json    |   5 ++
 internal/router/bpf_bpfeb.o                   | Bin 9936 -> 9696 bytes
 internal/router/bpf_bpfel.o                   | Bin 9848 -> 9776 bytes
 internal/router/ebpf_test.go                  |  81 ++++++++++++++++++
 internal/router/xdp.c                         |  10 ++-
 6 files changed, 110 insertions(+), 2 deletions(-)

diff --git a/internal/config/test_port_based_rules.json b/internal/config/test_port_based_rules.json
index d76076b2..3d5e0521 100644
--- a/internal/config/test_port_based_rules.json
+++ b/internal/config/test_port_based_rules.json
@@ -36,6 +36,22 @@
                     "6.6.6.6 100-150/tcp",
                     "7.7.7.7 icmp"
                 ]
+            },
+            "tester": {
+                "Allow": [
+                    "8.8.8.8 icmp 8080/any",
+                    "9.9.9.9 8081/tcp 80/udp",
+                    "10.10.10.10 8081-9000/tcp icmp",
+                    "11.11.11.11 7777-8888/tcp 90/any"
+                ]
+            },
+            "randomthingappliedtoall": {
+                "Allow": [
+                    "8.8.8.8 8080/any icmp",
+                    "9.9.9.9 80/udp 8081/tcp",
+                    "10.10.10.10 icmp 8081-9000/tcp",
+                    "11.11.11.11 90/any 7777-8888/tcp "
+                ]
             }
         }
     }
diff --git a/internal/config/test_route_restriction_preference.json b/internal/config/test_route_restriction_preference.json
index dbb4c98e..0fd4abf7 100644
--- a/internal/config/test_route_restriction_preference.json
+++ b/internal/config/test_route_restriction_preference.json
@@ -53,6 +53,11 @@
                 "Mfa": [
                     "1.1.2.3/32"
                 ]
+            },
+            "test2": {
+                "Allow": [
+                    "1.1.2.0/24"
+                ]
             }
         }
     }
diff --git a/internal/router/bpf_bpfeb.o b/internal/router/bpf_bpfeb.o
index 3645c640b7779ba9fbfe113a81005c13e19055ac..09676b1048c497fa014aff4f1060e537a0422b9e 100644
GIT binary patch
literal 9696
zcmbtZZ)_Y#6`wu({y3z~rA@$T({`Pf^z78`#c`_8*6t;Z+eC8WBe9jVqFP_?*7lO~
z{dZzFDO{sMqtXwCf)qfgZYiV{l`!xjMHJaWLXDt81{Enn2n<xBf_|{73M!~LesAW@
zd2ejDNQ|`m-tWDcH*em1GrN2D`Tl_i0s%|Zn<f4U-Y2MQ!0ecnD8ct@gmu}Lyhy)L
zdy6>GC8ob8dU=HI!b-J?W@1vC=`O_lZbid!Nw;)%i$4)pWcdjt-!vQ-e}K5TxL>r8
z{_+gng*f$cP1;YtSbLjr@zZn{;!IMKzzId~)$?rHE9C<7yh+^Fgb0CHpb^l}a6()Q
zx_SP7+|j}bNg|yG#IJ}8q7PB_Hv&7qWO<mVF>VXSy-srPSrH%#e`S2UTL}Tbp!`Q%
zHWEhMt`bcZMO5NTDvt9VgfOoyM6Fi4+A6hDByV3(tTkU%%y3o3$r!ivQRB8&#Sh4W
z_YL;zG3C$MOSMIk&ri`EeiS5$n)c>zmvW)~*($^(lAN8by(;O;wJSt*y<FyXoPEBw
zKys}A1EPlCADHuK`|~r@TZrKqRjbI)*9o&eIK7P!@*EZ05w}`#pUkfqi%W5&7!#X_
z8|;=?0Lwg#*%C*Jhr~6+4c;cPV0m<q^9OqyNK?0WNPLX&U=Q6<kB3wqiYH}#iLs;<
zM+S!^)i^qMyaC&T#}uBo6}{z?ie6TJTfJ>+y^O`#Z>#v}cyL_p^z*f48aaJ~${+B1
zgw1%ak+%Z%GxD%JA0=r$z83PjNEmtkEKxmAakKL8gzDcs92GlQFY5sHE*tx44cojP
zwm;pW)-!mW>c@60*m;B`$dlZM^*pr-x&H>)Zn0IJGh@nL1bISfATQU`9r;r7sJ0Ki
z+@JM4#zYhKtJlRL<sasiP0zbtU9jHP{%o~Hfa(vlpA2+<MI0oGcr6h1t?%Q6=iBKH
z%IiPF>nJ~=>erA*A(wS($Xg+o^=!y($Yq@x@)+c@o(*{%a(V8S&#V1%#+L5w1EzCR
za2`dfL!HC(GMZT5)2co;Jt6xG#MvSa`$4w)e&G7wniMjF=qK}w{Uh^QoKpELUQ~HR
z9%O!s7dUTKX)ZE&UfIPtCg*u1LZyj(7g#^7^z*!*PS_Ghkrz4N{8LJQqDmC`s*26T
zp&sSArTW)uH=S2`;O9#Oe#<yaKg|7-YWxW~Z>`oj$@Lf~xrpfVK|SAUwcfo-AC4;h
zaFov7W-%|l65?x8Tz`%Rf<m2>2Pacm`^e#;J0DCAa2HxPJ!4U+L>e0Dw%~$dm5%CX
zJso9}2GAO1TtQ{~`*RYuDrCJ4HLeYvgt-KWSQtzzp?+jT<_?tRB;LkFbx(W(myL_~
z5nL28;;XpsV}2I&C>cT{zlPW;;%!`Hm_#&Z3K#J%-O!prZBP#zgG4wNT0GWSpwcW&
z$c-@V37BljaX+4?<vhJCpwZrds^u9ds9v{&zX(eG&|1EQn;!FB<`a<9vzFu|;D5?|
z75wYW&w~Fg^9$hr$n(*jruqJA;D0pY4M79jc-Zk0)c%JZtZPFIa`si`1Y%l)s&VG!
zbCP*grPOCCQ*b6SB9p45<jrw&3ON%lL|$&J<d(~hH|pgw?vyA^ImJnL(sdMc8?}xz
zxu;u9=E~k!&du0ft|HQvDHy59dCsK9oKdgjo=Ii1BoJM9;@*{}4mLUB?+`0jN|R|N
zpUBu9Fw`z=G?se>+bh70(Y)PjpN&6$k5rz{d+1B6p@l#bQ<C;rHlG`7hmp=ctu;ri
z-&^(cM(tSL9H!r8?{2sIY;8_?N1ePvXWwbJRQB>YyRFymVU6;(v#(IfSIBAVCi!$e
z%QNUM<x<)y<VzLwiYpaDdsh#wc-&28+>(=Zb7Pfpa+%C{<5{}{6RqJWxd&Ixk*hr~
zpYbZ`ab-`tr97vo)4C=zg>hOn7Ok^GqD;x|Xm5;y9^s`YRt=G|4;fQQuNp$4HAZm$
zJNqbHNC<)<E3jS0q@2oRN;)Dsu$gjYb<d2iCs$X-J?*7kRNZ8$<mM_4<6isG!l*Nm
zDmdAE{?uf_akK73Y^Tze@340oF6rqJJkwIIeROzWU?sq&{(qiHEs1B+fj6z0vvF}X
zxJxosKxBntf}JnxRBkgJ=6XHu>9#w(^8R!>Kbflx<kP3H<<|*NN_9fisMj5KqkElw
zlVy~&m+^&bm0|x1WR`Kf;6%cV4LhX6%cas4@3dE$b}HV4o1dgjv}V>;_jD$_++@X-
zi6rBGf7UQ-xP<-5>l(tuJnJcP!WnZbPOcnddvJfB?UkulW>ESUTgz=69gZ`6_~_7G
zJ<gH+CmqM$xf3Ule~wN)BNu3AUp7^)BvXiTh0J4@_aaHFd~at@PPx-vg_1k!P2oI&
z$9uX}c1cbJ01?-LlB>g1W~-3TdTGz40$DS<TJKa+k7nJEN;z*kIcVDMNEHgOP6Kfa
z*5`>ePK@}-Eo9%frUwn3u{E)#cKdEQL@kDnv^6L4=ao9Ot<?=@H+hCCn=ZKaPCGe#
zVBqlm?JFCaMy}c)=g#>P4`l9yGWHyv8~sxSuQYA<qPp#K=Y-zYZ7Wr?GLdPbu>_DG
zU&W}Elexx-bKp@dYpoTBK1FY3Fs)4u>GDSb?j9c+Os=@*@28%6YC*OhtcCT1NIrR1
z4CsaH{tY2Ne)#Bv1O1JijRD#G8JsNYv}>HYQA0f%4f$PfnDyBHqYv_=qxq72<m|r7
z_7LazJs|hmv{#dZD2BuR$06CZt6e-U(&MR;aGd?ej_rTQIez%zerM>RWWVD;hAMJ%
zWmo8JlyOG|6_r5DowE0sD^91fc;%ApL~06eHkA@~o}lN@Xf`!g#tT#q%Ovb&rbKRX
zBIV@r8CURwNi?3nLPir7)ZWBs^T^Z(q0qj;bQ$lCg1;AR;?d}P16MPC!)soa67~N5
z7<m1jO7GM3zDcqpxTt*&*B3?PE#m3@obdNW<Q;lPjWK>h1Ye@BX!?F2{eML875eJi
zr?3?h!7KD_c*uw8JwD0!hzKs>-B^BuV7x_`^y91_6T$ax06)d}X%YP36X2_iNl)v$
z!1y~N)O;)W86UnK{4C>Ni_mr&Kj*_V->V7-!XgyMw~AO~+$KUv`gLH*hsob%#>YkI
z3V!XdB8;CBp&9hIT74M(En8vSWwR0>Sa0CRBD4&DEsl@Gh?kXQ{a-}rJ<^}_VbXJa
z>f;Ma-*k-#--h^GGmIY<;TYCuT~ru%*{qj9Fn`l|{K$&<T2~mqA;LZ6?;_)65l(Ic
zzN&EZbs{`~Zx;Igr18yrMR**)Dp>FP@Xc6PE8{PVa2E3i5{!Q+!cXEik-$lXahEMH
z0z&p)7vT$S&{q`>wu$gFG@jQJ>=)r#_!GFu`l1NGg1G{-KHLY)>kE=Tg>~|L5)T4%
zyd*9HYkU6|;RWQgiS3217vb0NdDk?j?1y%V@YNfEIX<B$MR=(Lc!~9d4`LmFw4TuW
zBK#KoZ;mJ&z6m?Y28Pe1m-r4~$m*E-#~2?Mk&VblbJB-z24?@mq{sJqP>&~k3^?xV
zkMY3-<4Ypa1N%XaNBA`nNnoy!_UBy@`3!7@4ypc;J4Iw1<3oCWt)F522@$E@0{yJQ
zxXTur1Ht+t7e(Zm+n`_YVf@w;y2AM9BJx%2&(KvLMm!KVIlkpu5qSmU!+>N@VvG;7
ze=T>5$N=gg%>GG?{Tt@>wTy|D?G_DQuQefgYv}$48Ox<D-Q_nca(M=5`A=5l@+@Gv
zh1$?|tON^*yoihKTQ+#z{sl(Mm$VS{7b|kP7g%NOSdlkfU?Gto`Q%j+sAkdcL~E_<
zdn@wbKJHB9&nt3SgRHXXOlCXu^N()U25?&5s->X6^T}sd<QAQ++8@fPZa)K~?NBY~
z_AVIRe_RVe55f@3wKO~hu7`?EOPJDcF6Vr5!qkXv^T~&#RLLiNavdM)pN5>C7ygF*
zLd`1RM$bO3KY8Z*F|CV!k7Ipc1Ux;P7|S!Kbp>0mfk&;Y!v)>m1W)#waiLjDxRE`L
z-vLkKHKzH<K4XD>Cg;*PVPM)*<crpi7?{@Q*H;ZZW8hf>&lz~Zz>5Z6GVpREmSOYx
zV?_<UZQ!_p69!Hic*MX316K_^W8hf>&lz~Zz>5Z6GVpRErmgMIM<8lo+rV)HCk&i4
z@Q8s62Cf=-#=x@%o-^=*ffo(DWZ>mSEVsWe|4mUtZyPvn;Dmvb1|BhR!N64m&lq^t
zz;gy(Fz}**mkhkzh~+l*t-m>H=xqbX4V*A=(!e7IE*Q9K;28tY8hFmY3kF^^@REU-
z8?iiw<@#^F^%i?ao9L>zQx(xwa<g3rh92l5Ait14<V#9_iqRnY?c4mlTXbc!rzafx
zxdlI;`#uYek2T{{t_$Ds_=QDum8T~pWuL^rfdg^pQ;Kvm-OY5L67ONU`!0oh_OhI5
zH`AUT*6&etH`AVO?$5MmH)E#Vaqb^SIREeVC0H<?!`fzBPH|SZmN2E9=|;T9=5srt
zI~i0zpGcg*^%3Lcdja*;EutCFdvW3YShfUHCO5v#OcHb>F1=1YJ_?zOOV6+M5K#-i
zs%ZVcABOe*gy~y$z42FgK!K?y{`EiS8?W_DBl{GyvC~la$A1&Lb=JR~$IEYbTEBcL
z2lcO?{_ocQgY~y9;|c{SPX6YfpKPu-{{=Ouc?p!}*ZutS59ezGGVWD$Xl!jf|El*v
dzrW97jC_zbjwQ5hO34Bge;Px%qNe9>{Vx%Ox$yu1

literal 9936
zcmb_iZ)jY{5#M*x{gLa$m)1^|#BH7($C2bnKFf;hIFWL8EXM}Ly4q6hl(z5AcTdv8
zr@PbL$(CZL5wr!9nji=*fwZ;a2JAv8PD^npDH5Rt)0S405Zuxas>uhp4MmhdObA?m
zvpXy8t>h#hy71o2Z)SFOc6N5(dnY~L+jk%oa>P<|#E0Mw!IB2d1Je>E`F@93d)1Y^
z$X=}7B<{?`+5*$-M6c2f{xX|HBQcq~=q|+U4n?C0N!Pb`iuZ^cWBD;9UpJT#|A4r0
zY_Dh{{naVD3vu#tP1=M0opAOwHU8LF2?=pJB}wR*qL1tG);%KS0^_|)+=isM6T|@}
z|B*q3@0xv*v_eFalEm8giFx9J?}!jlJ$~>2A>fNDjxc->w)(F}|7#=<i`s`odEPO^
z@jJrE&sw6$qs&`oOvEL=r1Cl2MhN{}A!@bS^=7G+B6<6sVx8HvVg}PHUsk_`PwTfK
zEq*~Bf)~_$GS8}bW`C&sMyDl>+kR$Sm0riOL5QD`<jhQMPSQ&?IsdCJA*>_Ef9BQN
zJYmfHW1?2PAKT+-|Fb2s7GkiZYBemxD}-4ep8O&qtZ!UwM80ZcyW~2H;e-^&#<q%e
z#PxSdEP!SHhh2$dV+X_?#Px5HSg<_a&+83;Ye=)??|}Fm;r=eVqmB=#{EvN2#0U?k
z=q_UY1CnYS?>}0H-TosA&$^1<|Dd8*RoqVZCN*Ei;>=G~{&YS#uWt6$+9LIwyjSHN
z_yfXrK37?{EZJG>us9nh=~8|jtnar7kHu9y$CSQtFfKNe9OKRrMP19raXEu7$It#I
z+f@AhY<J9+=42-`fpwAlX=z>V7E!X$_G5Reb7ffhi(y?*3ebOn?#R26$NN98F!XZ&
zF0I>E(LkD|Iyj)>!??2Pac@@#tao)h8(a~hdIQ}<4%*A&QKHDlJW<Y*gFM|$c=jQ>
zgK~VQc^;LFs#i-Mhg{aBC2xjY)~_XZA(wS&$y*?o^=ru!kjrznazgEo)2<9}H?XW@
zUPqB>Q|Ik$QtHLJy^4+vaQ?a!)_Lydb9X~R$ejs0nfI~%ydKI=tiM<F+mKX#zPUxk
zq0iG}$}SGQjDMY@?8jWS?x;ukoYD25*Zrz83*kJF;~$$ML9O<sW`R<sb6LoW;pa{a
z&m9?Gl-FZ0Ub}(E5ZTf5LM)9N=W$&g*Cj3Xxvu9ag0)(Ei>h117a@s`4{@t{=JnTc
zsyeCFx|?~wP$xX6exRt>Kc30EPahiC{#2@uMU)Aedy670RfKfwaX~NBV=AehZl|NY
zLLF%BIn&_K{(V8hW`&%aP~%!7_pIDtLawWW&NN@LBOfxSpfo1&E-u;!#3ymNxQI{V
zN-#eK`ULYcpohs38pSohK@sobBF7}6F*CS`_vwb#2<n0c*eE2zQZ~KFItNs`rNOxo
zrW%9GrkB``$7#AGivSAfp=x>q3R=gF;C};3c4$p+<EH!kf%zol?=qhTe}nlc@b5D}
z1O6lC=MY9Ck4JkP<E>e1;rlGyX5n5u?05?5Jb)j}Yt7S;bF6YrAf`E}8fRWUCz)5f
zfovvnC2uq*a+zvI-aNmckT>c>6cmQbex>3CLqQ?uPl)n_H#Y8%`<{Y+z1H)_cXo>L
zLM0e3_&GNyR7JKr0Vh>C&gsmsHx!ip)0upp1fpYm$9B+;ESb0zifPhPsg}pHN<Nx%
z+u*8IxM(a7N^Vd>AVWpB+dY$b?lGx6RSaND^P#Cg)1oA;E%{<$xD`&?d$iW>aeHfJ
z84S5COYSiIHg`v>+v93?DmpR>O6@(T{Bk8I7TitUZWn7*wCz2ma<NK5lbPhR#XOIo
zO>&j0S1OjPuu52}N;zw(koR3(l#CHSlk>}7-Y*PSM`$)QLNJnd+YrMlbD+pE3%lpa
zNmWh<)$EA!rz2LAq6MKTkLOAwln~@YFC2+-Ww))hK0&%iHM^n*i9Vr6kR4soMaov`
z!==&QL+Qd=AsMnfTV+lvnOv@{Gh*g^g=NmL<igAOr-H1Hf*dcG{X*4a-0hwy4SA!P
zl9w+QPmY&7KktvWY*pII!|qlqBt1NmXM5^)4-fYBEhpI4f98>>jDix6q!Vv@vq$5)
zs|%N8s({D~<pjrqEMd6=b()olOtjk;RQ6`G#qmP5ub4fF^WZiK$|xgbjjSGa>%(jB
z8LyzEgPf7B6^_jrsKMp=gb{i3s2$Q46f)Ura4M)ydevamFOJjxT6NV{T6&{FVZ7?g
zg`~64jAs?MR!G>NJg)%^%%h&9AiQC}>J=(2><^Ldc7qC8<@#lOEvto%Q^oTJ4;>!Z
z)#W|C_qgY|TesqHGRJ7wBXWVZ_vAB`YAS;)SIIqgc{dhmMeMB{$w_~*qg3{Xf(e`_
zh<InGT3wP;0YJocpycYDm8(@M=7VhDQ-Q3SU9I=3nG<>c)0UjKo$NH}wq;5sc&Cmy
z2A9TZsUH~mkz2@pV$}%hjIlK_r&f25?4l+^N7||bnd?eMn^rT!u}+bp$|g&`yVXq%
z?&~}BWb5*Vrk*SI$Jw*y!UNemp@Kb!M@sKRDJW06-KcK&>{+3=^`_;jSsuuCQC|XB
zAERQ_%*kDS#yRmQmeuBpL!Yv@+?nR4x^$RXK)6Q-`cuoHnRe=ds3zp<&RV#15XmRc
zvI9MFZC{u2qlXSZ)z|wOjgRa-{1n>`70dETv16ATAU%o4KpuB#i>3OphKG8OLb7dJ
zy<>``>{rLjg{7(Ii>GmH$)oh~ZcGV}a_mqJb-Yy4O6);WB7e_`>`108Ja6xjBYU6m
zjvo4YuQ%{as@L-%LpAw@iZAqb%K1Zric28(UL|<e7pF3Lyq8IKG&6yhpK2L9P|)*e
zD4!Xw;2o=gK?w)B2~ijy&3J`k&KLZE67}b>kfFkZ+N0=gAD#L@6goDzuIMic7jK%>
z=!*nb_+ea05}?r=`Lnq6n=HL?(;F$t<d+BNw{e{lu|I-Hd%|ys*gNzV+k%VmpG5dF
z{a!_17{G8Be*Ho4yBW8M@HKj~KWO0;<9-odpf8xTfysV^aUjAU+zWn!@p%!xMPHp$
zj4z4s$Ar%@CVQIiG~>5Lr11gpFB|wF@G}M`{bk1g5s{7L?@a?!JaY<%wundqUpwMD
z;~o)7(f8&}1JisK6~<jQrx^tK36(@-8um_$fno3LW_(dZuHoz1Imq~35m`ih4(BUG
z7+=}Waiwp-_t^)ePaBx@C9D4g>)S+h3)aVZnep=?+JgBxGYaD_n{x#O@itt*&#TD4
zGtc;+BHBgqURSvB4iQb=1H8a^yNLGTtB1Z|sej`U5gmCF_?Cgcj65_m{<(<eF@7k?
z_|GExUHr-tI<7G8vW3zh<nKKZJ+}$^DTTv5B6^<sPcuFtqBDpm^fKcYMf7!y6`C<{
z5AbCJXE0A5FHH9Rz??sc$AH;iq*+Agus#j!FOm?^xA1}3!1;<C6w&MV0du}0uZrkG
z8}Nb}PvZT+w-k<U5YhJ#e<L8xFS-Xi%>|Ab82h#{ZeX&<oTPn8#MWXx8j}V_ejC#U
z#utBB_a}So@33p=(LbDE{96(0g8wkrU-YjcmTUp$cwr@5gzktpwob&p;i3q+f2>c$
zM&K{9+tMFrTotjY`=K9U{3{VVzXf>0z;^*pG1mUiDU7>pk$Dgr|AvUoQ2*-&rv3{G
zH{B^>eW-`XO#@^9MsBe^`;WS;e@w(KZ^JrZ&g5UWXi4Fw^P-7<{P^VNbV46eHgadP
zxkD#~mLFsxksF4bBGv8JVAx((ILjSWl$JM4u@J<e-&okb;oP!Z{C-(3D}`0g=4E-9
zW~|#sVAxN1Q42x;wJetvpjB@h@)0crea(>5ig9!3L}&kUrL>%6T5gW}UqenSr`zAa
zuzl1V_b-N=R!+BHf?<1kLTmZ!%W`>AYdQUZrtOzxV6rGNsOlQ3UYv!zk)`z84>h7)
zhFl6+evcs^U<KKa8uHzSd_M}viYGdu^bS#aa&dLa6Wqj<H~M{$^`SKQ=4C8TFzghq
zcisXof6oO)bKb#?{Bd&@z>q&~&ii1fKR0>elYiZCipe(-jguBmSvYNBT1R@a>ox_(
z#M2g@vG5fO&slih!V4B&tj98q#`sR$(z_N;SU73nl!en4E?IcW!qXO>vG5fO&slih
z!V4B&tjDqpjroV-mfp2+!oo=lr!1VdaLK|`7M`~7jD@dQc+SG}7GALMVm+4I-<W?x
z+|s)iPFOf;;gp5b7A{$M%EHqYp0V&13(r}2-ogtOUaZIRm^0=t-%w2KTJ{MGCoP<^
zaN5Ep3r|^i+QKsyzGC4y3(s44!NQC6m_7o`^GCj68S@XjmOf$Oq=i!&&p59*KX!iP
zTyTEkh>og1Q579!Ki{!$;6Mif`HA-lpMv^Zk~+~Z{Pu79q9dO_HR{ptM))Iv@m*_u
zZCc-=9r!^4KNX3N%H*h|9FyqVw=d!Cd{oihihM<p9ZYxbQn-_8*CPsdb+H}OojY0H
zsVM%EA-#9)P_&cj4yIiRwqx4KbO$B-|Ip}==jWxUd*OjRc^m)w`A=%H`IP?p`Az1s
z#WVxz<I?@D_l@YAY)9`MX4Cd0qk7cX?thItm6&Q`#(%-+uk}o0yA?xU6Ln3GM?(60
zxrq(K^)Dz8P8&jEP5YOCt@j;meb1ueLgzr&;?nObI)C);@i;Dg&8*foPOy~rT@;rd
zNB56IM*jzMyZ$<Vy1zUSU~l#(zqjd+zn04;zr4s!*O%FUuvqJp>o%o~jr-<<3~26V
YGxPU-D6DnYrke*8=j_oErc3?*2lUUu4FCWD

diff --git a/internal/router/bpf_bpfel.o b/internal/router/bpf_bpfel.o
index 3e8794d3d2d94bf45593ca9cf62f1e0906f439d9..60aa8ff1633abc832b0ac289ebdfd42fc9fbb02a 100644
GIT binary patch
literal 9776
zcmbtaeQZ?65np5MJCm5tTmzIO&p^o8V8<8-kq?L=A%x1o7GOcDR?nBaXZwlseH&~b
ztqY`~ZT@ijp`uh(oTzPx8mYAX1FELARjCTCQpv5_idK<oHIW*%`NN8$HfmAb-|Wnu
z_tu6)>PpW$znR(Dnc3OBw+}wQxAU<@RaMHgD)lclhYVM#ne}sYhbB8zJv1*bVt%se
zomrxiP1Dl9rTfdZO501UT&xunD_DPG759;9rEUY+yy0!l$P51n_%q=2R8Ol8^!eNB
zwEQx6>evfxKl!P5^*s5Q7OVamrO2ft=pRCF=2>=#<;@%ZsEOF(TJ2YCaa6%Y)w6i1
zBG)F`SuX;2qad3%PH9Gs)>4Z6)%*>=5q?DX_Bb8S#$RcEct0oT*bAJWuuZeou_pFE
zvGP{UNH$&5aU^bE&iEwfapGmxkHE~e+1c6E&f+`+F|j7dDYTv_C&(T*{V~SHqCeK-
z!&k+xSJ<CZC$DP1CZ5$|6+yV<q3g#)f#t@Zn0i$+PA$2j$Dev(O82H-E=wGz)=p}E
zvgta{W5s*@W`0W@^whDT8ucwbAI*=YS0m4BsA5&?6wJ)#&+>qNS-<=lPFU9l*2|x{
zMHBtVGfDF2mT26yhvmelxVvQi@@MO{plt6PuVdFEte-!(R1^7Uma!h3BD-CCSx$AT
z?cFzrJ(AzecmnfLyXzqLm*F=>x^pGROPJcJ2RMHdk`KzO2YzzxjLzrCOT2!`wI68w
z(d)(wY1hvT@;AZLs%K!E$Wu$$ZcL?tkZ+kMFZ=rllxWBIRIL{|*Fj>XhKl?oJ3Wi&
zuhN+Mk(W81t_DKb$40Np*EoNM^~>w@1<h7nVmJQ<PE0@4^g5p9M0RauJ>u)UH!#kh
z#X_K!*YOOWQ{}oiN2deo;SBF{Gw+S+g5)0bjX$wPi*)_P7VRT5s=4to-H*J)an8l}
z3C*AQs_xW;_;&*S?f|Q}n(N5sw`xAunaz)DKG&zs_cWjD)aI|&e6D|+PkAb?=6z6%
zQ#O@4f%u3j#<}1|UgCZI7W^drQ)^|P15-=9%;)ojr=c3T$aS-fCPmAimHrtXK>LF1
zcgenp)p%MVf0px~H|y~%uUr00yk7Y;yw3Uavi>ll?ZnxBEXwvjJ4&ZB)*I%u{F^MF
zILQ4Gn4vggi`f3eu<)Tgiyah;l9cL{<Gdrz`KR9-vKOnNzo=W-Cw-&Wd=J|*b!N^9
z`kk}&c5dK!B5;>1^;G?7mNwEvFIiRU8{8@SU8RU?6rY=q4kgmw6Z;R}yRW;GR47`q
z6eqwYiPDW^lm*RpWK=ablF@vmPJVGVK}dV?A5}`0RJ{u!J<VJ?q=8+)W8n5;(jyzZ
zQVQ=8Onc~Q7ZAS#kB5ioUOcTrkD`BA=yCK1@SsJ>ufv*DRYZGClb`jpgA;f_tAP1N
zrz&Lrt+YBJm$ZHxf`6n=O}k0{QaI#mM)b@)XBaP~js`sk0?WU69q0?7NsrpMh4w&y
zPv{QNKNPwb^v{GI1^tH5<DmZ_^d#uNfJR$NJDKMDn}h%9;2K_svc3n5ar!{vUC(jF
z!H2J!&!>k{6a!Z{(|igs%{zf<HJr-%gDI6tloI-nA7mK$g8^7!roRvri+<P_W>Ueh
zDh&Jip<pQR83vV7-yho6riL=bus;)|yf9Nz$<i>4l=M6&68(N(SO`ue(rIF-mV5EH
zB}ob%Ibtisi>1O)lKF!vuL*`4m4_z$Fz1CixY3vOc6z5;pMFpak7q;ZQZy6@Byr|6
z#?#qMe<O@E?=n(%#ErFCGwk!?WpkK*v$wU;+vOQ^>>VkEx#nHRgF-RPX1s=-Ub{%x
z+vZ)lLbgOslbWWJ*|f}HREmY9pUW0X&}wB7QoFsKA|415si5GegG_&EfLtas;XvAJ
z!bA%=O76i`cjSD}izmWTa)9j_x7c&aI>j}V$_-G|2->U;u~G%Esj)H(W<;1AoHs=C
zZZf8noHvA63yhHUZ{9`e!h#?fx&j+@PKt?Cs$eo=5}PWP=4+-bO{uO_a6C)~sJfv-
zA;^?`!8^UDa((__BIl>G*<(XFKS&3I@l7l(Zt*rbE}7|(JlE1r??6vy=Ujqa`Ny7#
zLz0<H;$3U*Y*Jhm?h=m+h^$afu=91D>TPDyT&~A$ZC+DY+?`BjhcczkZ1Nbk{0$P6
zU?pUYw6=Ja?ltckDx##rl$EY|hV2OSD&u&;iG&#|c1Tm0NhC|*@vt=Fm%_myJ4Bmk
z!Bv~D=?{jPp;Dk1l8oE_EMV4g3HwvxI*f^B)??&^-yf9xOffF@;QkITERt5LOZyjJ
z$ZZ@QzTdO|z~Sxf{u8^8`o6bm6HXv|j%G8X6ln9VbfQ@5P9V!AGLK!p6N@y@_eSyL
zSTNF(D+GPvFwPTryseE_m-tiwU`ZV?pAS>LTDfdGOojm!$b#85a=(;#Djj^(lFPQ!
zgGRijL@o#GG!VyNd7gOX#K@1{Lf*p*dQhQ^t%;Z#y$AFV4u+1j1t+rCm6RG5Qp4Fz
zo}tP{a)GzW>+adpx&M*IxeZMt=k1Tvr|pFYa(6-zdk()FdxvvjVZ_^s>h?~bR%Tl_
z%vH_YM6QX-62SUc6~mE}xyp=7;!!LM#fn3pvNt!FV&fq#b{637p~GF>bFSHX{Hw<S
zd1kO-mJcHR%QI)d1a9;zQhsRvfqk8OE0vuA>Ff!dEPUEkPF*P>jY>nd>lL#e+<jo5
zOxl+%=%1Xe+r1EZZha8lLmutb?k*I={=J95*}S<?J*|=hiGuR|-3Jfue$qd*|I>T@
z!%uea^?mSAMM0(*D6@@HL7$?cQpmYq3{M8?cp{BgE=>+5hVf=oDq!a+`W@;^C;E$c
zfyy9E!eMGyWrhY5ekPj=l>9KM%JWz0Y{CNXO^kMrOmh$_;~PvD@k*)azTgpoM)wVR
zuH)r%IbW0X{oo{c^nOc?Zh!Q?NxUvR)INvji$uH=)%t{gfM?lzQGM?r{3f2pi#7WG
zK={9S?tZOC->C`5F+uEVjd~ok!F9mhf}eoAe!4~-wQvl$*TQwc1A^)M!rBjN6kQw1
z-j{)Izh0w8E%|MbpBMaH$T#3y<d}u;0Uj6pTN=NvR$a1i9q<*w5nQZlT5Hvm;0EB8
z-L-1k!u7y2f)7Ey>T0c`>oEEEEa{Kc>hF05*8_VZhl*|;f`0=24KuasaSO+Qy9K{Z
z@(*g&Q47a_2P}OWpA%e<+tuA0BWg_WQ^0lch`J!y%zshv8OYbRM$}coZvxl1N7R(y
z8Q?YD5p_*4eRf{g8PWGqitj$)Ljw`@p~wl}3A`G9ll*z$x^zT!2>uc9E$1TYs9@ty
zui!TzZ#W-Oqk<byzje<c9>IHo*Nh_`!Fk}-uSL|jg?9m8v~U9WDB>W0NWTj>XW=~X
z1;PJ;eAOiE30{TE?$XyI>XP8iz@NN^{0OGcCr#54H7(f0^R6X-6mq%<()=GnzwVug
zzF-r+10oN*ZMDb=Zvpl!Tn8K%d<gRTTcfJm!gm7aEc`IAhd9VS=^q4cwJ?qE5c~?{
zb?s4gR4_tS@eb(2Pa6L|u=km$>J@x1F7EXMQ8nPmFA6>a`CX$?bww~t=!Pw#?OlL;
z<8x7U&B7~yrv?8K@_W7>RVZn#Pk0M(6n>CD^ig2rYf-h_!YhD}3Vs0cHJ$L+!ZpAs
zNj<(F@~U-wp%>TYb=CZdqJsZ-jjFXBTkt#K(|KUGpK4I8&jp*`gndGvKxqHl?K>J&
z>vO{9|6BOej{dKOPy51d>&3o&wkwPHUn8p3DC*K~{JD63T;JD9)oKUo!ft;RKGmPy
z*2=u{&pKt%65&%l+3n97RO>pi`TRM)TCb<g|ApvN9oX%C;SW3fN5Nldt>bx-w}ZdJ
za+1EsP&<u>_y(JPjqv4LSXn+O{2l128T};a6>2VN=DQD_&(x@+e_EsSmzu$Jei}^Q
z?C3l+_;wI<{usO(#OtC@%RoN<-oj+x)C<YU-g}mu#+&&_PWHFpp+=ZgJMd65xSL@a
z_c}P|;86#UIe6T`mmECl;3)@BJ9x&yItcKL|I4lTiS!)Y>fjCscRRS(!DfBUe4~zh
z%)#RhzU1IZ2TwV8+QBmpR#HF4pXCnr9Ng;Q4hMHTxYxls2ah^<%)#RhzU1IZ2TwV8
z+QBmpHe0_Ozw94_JqNcsxWmES4(@eu&cUM&9&_-xgD*LF(!o;>o_6qzgLUEC^-qCY
z*mH2JgF75-&U<20sr5Q?djFti<f9HAbMUx>FFAP9!BY;NcJPdY%@Is&^4Hvh45s%Z
zY6joA;Vy4|gK8-S!zI;H2+}Qk4nNjHK;N)#auYLGIT}RY&fV|jswJI1KIqfu8hn1Y
zu9ePZ&$$Y=;5z`m(5RN;$e`}UC)K%UPpf}FcWu&dm3{}aw@JTsJLC5IgfD%Y^zH2;
z-^Tq`>D${xU;6f~f~9Y375!FD;{WmYD;O)KTVdtr4Gi1lTr)xk>a``F^Ln8=%mAmC
zGAVOO?`Gr8dxIH(*U^gh5D>jhc2sb2Cy^I|ZsF6vEm53i{Bq$3=xKg82Uq2N#k@a=
zy4E!`^>oi)Xgsbcy5+bl|8?Vk5fU2jw#UWMW^&wW?s)oNA`8Vout5Cek{dt$d)Y$s
z4^v=hbZ@bnJ3rZ6X#Okag-pg%7^LUU-veHC=WG_;D4ue=(!iu!SFW#LgPQ#Gl*bZr
UkzUHsaw4R06q1>r-odE-5B|5ZFaQ7m

literal 9848
zcmbuEYiL}@6~|{~tyW4bzmiRCH%+c1$B`6EUdf89IFTYhl-NbF7F(*F()Mb#dnH}G
z+P7@Ub{eHLVA4?3mV#;8S~i8a5Q<7DE^R;}1R6qVL`jQN@<Al|;65m#7-EV+J^wl9
zN~4kN1Uh&<^E-29=FFKhbLU>Y*xB_=Stz7}6jGn5B?_cUwbm?^J9M!_Rjak?Y8lIu
z_170rI$J*{`8AziB^mllY$`{!N^I1bn!bng$Qq^YrD8+PCt8pf`EioZlcaaeoa&%F
ze{Yqpzgnp?b@G)@b^j+{`AFx<uk!f$DAx~$m4a!<DSwLcV7&FmxW1w0FS-ydU#IPh
zmRG3?lJpY8#OW5+i;&qEvSIuCTHv?xgoE+@X4X4d&vt}$FU#BO`ECD$Rt&4pw7r<O
z?ziS0El+G(tMg<%`z>+*2Ie#D&*{q=RfLAWwy?0U*;=HRsT!hbOoCEx1^dfvH}?hF
zMJs--+xu5|K8e@ao@rl;RfM{QW%l^fKjiwrj;Ok#1!wP?(epif=3Si!@p4t{Kf867
z*RTGT&P{u7-O1hvkJlUFj>76ET7dCs$<<h%>!YCu6m_$ZPqIG-#qark4y5iH*30+b
ztqX(XU)1DNcWLh4&-IXF-rcg^`DC@OSnMyw>(_mN_4BE9x{&wQvmP0Re!Dxl9`ULB
zdwhu<)IY*JP2(Xwbd>X}WH)Bowu$EpMmoEf{WmTCfL|SwC%4XPe~w*ZzbCie(ER!9
zmPEJ8T!(q`-!u=aUZy$}qv~5wQ+bgeryM)HH}tTUk6q$*Pi)etU>8(-%eX<X{$rQf
z{%+AbPV;6xo_M~W^%vJA!TkmL`2;&+kks_LCE0P^O{@pG_VYI8e3BebX>r~9VKw=^
zMrX9{yn*ul?9gD`+r<Iu9kdtwqh)0}-lAoDb%za)KB4omOFU2biT;tF?$h$=g3i>m
z*ms&LTS-*BkK@La$F!W|%9Ph?Ime?ZceI@2(v)x3a*lUX4nGy|<G3&GfH##oP4h#k
zxP$l4M+DFd)-Q3H&)sQuqgs!{j#9o;@&lOdlE1s<{Ee>R`R6-%z48ZT9jPCT*WII=
zsc1R3|K@&~x17tzNe_15+(udtpp-9TL-HY6XKJqd+s5^H9%002h#wSReu)hZD_%f6
zcc9<9hV8-eqB-=*0s=ftPd%i?@j^0QnT#j?3gV&RI~+&(ki?VpmoMWu>$dDdd@RsT
zZF`9dl!E8yk2NWEa3qm-o;%#L>)Ci0M9_i-wE#8+C7n=**=ey=hgsaN4*r2U=FL`6
zLDI#4h7{rl={i;77vhkCh@zj{(Co^ghd$VoN_!4vhkjUnlso9>&=2K4`o*L?PWjVP
zo}~N;{U}w!t{z=f+Vc*VVP`cwnxG$*mB;cxC*-qyEmo<GLq^|v$Udke!31qDrUU=%
z7d?#W(C=%^>yV*Q9~Ed-%O9X}n#zHT^HO$5en!e2RDM~?eN_H|l*g(3nv^H0{7Wg%
zQ29+NQ(A`|jPZVN@p~43Xz>kVYNrnp-t9cETO=o2wVb0_Da?U)7?=6<;j(Nkt)oU$
zId?dvQi)PR|L1xcCU@8)k)IhXc*UaY5BQmsH>wJwZhpiY@mxl4d9CY?>~2;gnW8_K
z@luYTDXC;>lsYNtaZV=&-2uPgold0F5U9pojk_psOhUzhDW*zou~ZmIvV1t@)Kgb=
z%Aq83Kj-*4GGrj@v^i&EFFdI$Pi1}5#e6Uos;Om3U2Qs>8LXpD8rp+eyT$FbS<@eI
zY8Shs;U9CF>YR2b=#H&}lAmj6KjjsQem3K5YjawphOKRA&lR#I7!5UDPG-|GLZFf=
zmfT#nP$I3ERaGn`tt#^So)$P`$V;TWf}8d-gQX$N1|#@GX{VlSSY-~doMvISTsf)Y
zX}^>l;{F1Qc~V#qOnD@g8-hc~AHl*wlqxv&b;}(Tv?wK4w1DUiE&Sy0iY8jNN*f7{
zhIY7%){2~=!?RBNq?kyh3V}yVpRdqN8JZG!Desh@^e7-l3I#7ya)sNR{@j2&oXEN9
zZ1&_x&h^sXaP1DRE$(!7SSAI-lk@DJ+MFZ3U0q8Kw(Gy}NC+c8CnE)pw|lcklek-E
zE@T`)=mkEZV?l?o-hqLeSw%bAsrQTflF95yrqq>9o}}~OHV#U#5_t_;JDug`HMEZu
zDWv_B;jR@On=|0S_4!02%I4u6QtxLH$&!D{FO9h+f7r{8V1KQ;YAZF}VLvlc^7KOD
zEHv#|rCZA++MhD79vWCiJqaV+L9gUyinY=oS=#FOMQEkEwSBd#nN6pP>-HW#(zB<<
zeQw_g*L8O6pu@==qahek0<@t$ohX*#3G#9Y-P0~_qeWU_d!1Nv(i>~c6}$m|l+F{f
zcy}|eF60OR5=k7eoX=UkTDff6Px>ALWL575^=>KApY}d)$z|K=Mq^HWBA27y(U6Y8
z#c^tv4@~~iTgZ8ORST9W)7GRp)j4~06P^r?v{eT(*A+_JR#T&69hOm)jpaONhZFDJ
z-*xyv-O`3e%N6_M+&OdMiR_(Fq&-KEl+MwdUl?=RD7u|<=Txw*w=G4@(m-|>%R_+H
z$A}o7Il5c!adA8a%W89_Lm%E-YK*yYlSb1EWbUz^?)Z{vrXD{Kc|uOmI1nx#MEc3I
z)Il)uK!2Ibj~zbpY**(OR6e@z$g`q5kS*vZMbjR~C-=mjr0gjNTP)s9Yk0Wx7)c&`
ztWLe4l0%7ta@~DLkM4WkJ$Cr(oo>(b@lMwz87;n-DS9f1{**VM5DSW2<re)jo;sCC
z(=|#LhZCc8S1A=}!zesH2GWVaB3+3xbnb!u)Tqjg3@6-7HsvXKo~Y%=rqWKJ9(YSp
zYx|@N&My_%MqL*bUH}}rEF$3r0>7PftM1_UAANy7Lo!@gk?`7s3nXOxO0U$nseGP(
z>W`ILAB@jV>p!T}FEZdi(XZ}GSicZ}(cvR+g!RiYxSqJ`-LN`DWs~E=-Be#a7gi?>
zjuQ77Ttz%2?34c18(}pn{3`MNH^XXN_;v8Du(liHLH}OTpOE^uiEGL$)CGedCB7p3
zZ?u1)LjBg@D&iU8?eyjpj#a2@!tKPH;uY$;!PUg`!j$QR4?3_X2mOf(RcmlHajWoU
zs=w#m3Ux^Muf#R;6)J9Ul=y@&UWaOKRH#0Kqr^EwAMHnl>q-BS?GbfB_(kHX+K8GA
z+KatY!WXH2Yb>H>h5t@m-4apPgsbTdWlKDw=7e_<KhPD?FPxa~QQ`wb5p`4Q!4DE|
zrg@?MSHxB6i0Tl2pZM<YM$`#mF-P?Ye@gY+&PUX^a683w)vFOTA>2>AWs>G6{C(oh
zZ_xY<ZYRECaDw;*%?tKGzneH`aGv;r@Md~@y=R8{6OIwDdn=-*gbxva=^FV<_!4pb
z9Qj8$n9p^i{vg%g6pqqHtojtMt8C9+Dmt|L@J0>$z&nXI7+giXSvW`a)oUwNhrtgL
z_Zj>&@dlbF`h)&aV#i>#j|sm+^;IpE>X7h<#I+rj3g6GsK1h|q>#555Mx|;M?jo)p
zB73a*KH(D8KQvyca>BnM-u`N(8aH?&@p-HLgm5tatnkNZKUt}+8N88rP8eSWwvbWR
z4Gt6E6b|fnXrAW$C}cH1iI;Wxm=%n@O5RN2jxSiPI$u)Y&%$MTdoM|q`dCAm-ZrNE
zcOpl4n+eA%`X8sTG1FZlKX1w3(@JGJEKL1}MZcDo*G&J_P^RWB`9DOC<u=pXBF8eC
z=@%l$@|bC>jEiM46MuH5aV`0Ov{IQ~CR6`!BJZQ+G1H$#j%72`n<B^YY^FCfl&$!C
z3B+s2&vr_ZU?bH8Dfm8fPRq*`zSAHDc?*>{Voys7<Xc28-^v#Cheh6M=^rHCWY~l4
zi!`eJ$&d5<iE(@*Ap_(1MM8#edVMk_@Mikq_(B51rnf{NGJJvkz+m(@XE6Hvm%(Ts
zj7LS?|4tMn;VRM*0Oep@2Z99d3xINP&f;;4CoG<{c*^1#i)SsKvv}TO?I@AKz759w
z!H&f-i#sfiTij=H&f;;4CoG<{c*^1#i)SsKvv}TOBLwyOY%sQnp1;L0i#sfiTO7nE
zT&&mMsvo!5JRhMyY1L0zJY(^!#d8+VTWoB7p8wKOpxLoFW^sqbaf|yb&RINe@r1>b
z7Ef6`WAUuTa~98AY#e1g|D~gi=WlV$Vq8yxg!PJBjO$8}^!i&oZt;Z0lNL`|JY(^!
z#d8+VTda)dBJ9I;Do9{lr-B5=bt*{U4vXU!PljF#{Vep;(8bWtL#naljh0kn!Am#p
z?|G&Xpx^QC@Gcm<OrjCK$lKrGRbx7RYS_hh9{Q+nyx3Z=o7T%{BYi-iPdloyI5w<v
zu}O99-yd^#Kf!q`XJ6s0N%Gx$n42YUd7QbWMf4=!y<6nXoYP+(bnh)qoHt9}Bza3r
z^dxVVyeSqq{Qt;t?BQo!M^wjc`ZU5sYe4T#?Stoc&>h`gmnDw~?TziH>!;+oAKW{F
zM$k1AVr{kdGtxe1DpT3E|Dv?F)Kp9i4dIVoMzY7p-?MBP)SF-!r9LC>!M5&?NM;<p
zP|@iEE*X^0OC`*}JtgoT?leeG(T{HIE0QA@u(;H~9q1}(zd_`$QNCLH+$!xc6}vt9
zU9J6$v=7b&=pn}J_Pr!q)3uPLY@B|JX?`0QE%&eR-}gw(jvchTCGGcG4!2PK4=_oT
Ab^rhX

diff --git a/internal/router/ebpf_test.go b/internal/router/ebpf_test.go
index 4fd537ac..6d3b9e4a 100644
--- a/internal/router/ebpf_test.go
+++ b/internal/router/ebpf_test.go
@@ -1050,6 +1050,87 @@ func TestPortRestrictions(t *testing.T) {
 
 }
 
+func TestAgnosticRuleOrdering(t *testing.T) {
+	if err := setup("../config/test_port_based_rules.json"); err != nil {
+		t.Fatal(err)
+	}
+	defer xdpObjects.Close()
+
+	out, err := addDevices()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var packets [][]byte
+
+	for _, user := range out {
+		acl := config.GetEffectiveAcl(user.Username)
+
+		rules, err := routetypes.ParseRules(routetypes.PUBLIC, acl.Allow)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Populate expected
+		for _, rule := range rules {
+
+			for _, policy := range rule.Values {
+				if policy.Is(routetypes.STOP) {
+					break
+				}
+
+				// If we've got an any single port rule e.g 55/any, make sure that the proto is something that has ports otherwise the test fails
+				successProto := policy.Proto
+				if policy.Proto == routetypes.ANY && policy.LowerPort != routetypes.ANY {
+					successProto = routetypes.UDP
+				}
+
+				// Add matching/passing packet
+				packets = append(packets, createPacket(net.ParseIP(user.Address), net.IP(rule.Keys[0].IP[:]), int(successProto), int(policy.LowerPort)))
+			}
+		}
+
+	}
+	// We check that for both users, that they all pass. This effectively enables us to check that reordered rules are equal
+	for i := range packets {
+
+		packet := packets[i]
+
+		value, _, err := xdpObjects.bpfPrograms.XdpWagFirewall.Test(packet)
+		if err != nil {
+			t.Fatalf("program failed %s", err)
+		}
+
+		var iphdr ipv4.Header
+		err = iphdr.Parse(packet)
+		if err != nil {
+			t.Fatal("packet didnt parse as an IP header: ", err)
+		}
+		packet = packet[20:]
+
+		var pkt pkthdr
+		pkt.pktType = "unknown"
+
+		switch iphdr.Protocol {
+		case routetypes.UDP:
+			pkt.UnpackUdp(packet)
+		case routetypes.TCP:
+			pkt.UnpackTcp(packet)
+		case routetypes.ICMP:
+			pkt.UnpackIcmp(packet)
+		case routetypes.ANY:
+			pkt.UnpackAny(packet)
+
+		}
+		t.Log(iphdr.Src.String(), " -> ", iphdr.Dst.String(), ", proto "+pkt.String())
+
+		if value != XDP_PASS {
+
+			t.Fatalf("program did not XDP_PASS packet instead did: %s", result(value))
+		}
+	}
+}
+
 func TestLookupDifferentKeyTypesInMap(t *testing.T) {
 	if err := setup("../config/test_port_based_rules.json"); err != nil {
 		t.Fatal(err)
diff --git a/internal/router/xdp.c b/internal/router/xdp.c
index 81ba4df9..47cfa1a7 100644
--- a/internal/router/xdp.c
+++ b/internal/router/xdp.c
@@ -546,12 +546,18 @@ static __always_inline int conntrack(struct ip *ip_info)
 
             if (policy.policy_type & SINGLE)
             {
-                return (policy.lower_port == 0 || policy.lower_port == port);
+                if (policy.lower_port == 0 || policy.lower_port == port)
+                {
+                    return 1;
+                }
             }
 
             if (policy.policy_type & RANGE)
             {
-                return (policy.lower_port <= port && policy.upper_port >= port);
+                if (policy.lower_port <= port && policy.upper_port >= port)
+                {
+                    return 1;
+                }
             }
         }
     }