On new versions, all internet traffic escapes VPN when 10.0.0.0/8 is excluded with netfilter (Linux) #6243

Open
2 tasks done
termermc opened this issue May 11, 2024 · 0 comments

Is it a bug?

  • I know this is an issue with the app, and contacting Mullvad support is not relevant.

I have checked if others have reported this already

  • I have checked the issue tracker to see if others have reported similar issues.

Current Behavior

When excluding traffic to and from 10.0.0.0/8 by setting ctmark 0x00000f41 and fwmark 0x6d6f6c65 on outgoing and incoming traffic to and from 10.0.0.0/8, all internet traffic is excluded and sent over the host's internet connection, rather than being tunneled.

Expected Behavior

When excluding traffic to and from 10.0.0.0/8 by setting ctmark 0x00000f41 and fwmark 0x6d6f6c65 on outgoing and incoming traffic to and from 10.0.0.0/8, only that traffic should be excluded.

Steps to Reproduce

  1. Update to app 2024.4
  2. Apply the following netfilter ruleset:

```
define EXCLUDED_IPS_V4 = {
    10.0.0.0/8,
}

table inet excludeTraffic {
    chain excludeOutgoing1 {
        type route hook output priority 0; policy accept;
        ip daddr $EXCLUDED_IPS_V4 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
    }

    chain allowIncoming {
        type filter hook input priority -100; policy accept;
        ip daddr $EXCLUDED_IPS_V4 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
    }

    chain allowOutgoing2 {
        type route hook output priority -100; policy accept;
        ip saddr $EXCLUDED_IPS_V4 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
    }
}
```

  3. Check your external IP address

Failure Logs

No response

Operating system version

Linux 6.8.9-arch1-2

Mullvad VPN app version

Broke in 2024.2. Worked fine on 2024.1.

Additional Information

This was not the result of a kernel upgrade because it started happening immediately after updating Mullvad without restarting my system.

@termermc termermc added the bug label May 11, 2024
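
An added example, not part of the original report or of the Mullvad project: a small Python model of the three match conditions in the ruleset above, showing which packets would receive the ct mark and meta mark at each hook. It models only the `ip saddr` / `ip daddr` matches, not the app's routing or firewall, and every address in it is constructed for illustration.

```python
import ipaddress

# Match conditions copied from the ruleset in the report above.
EXCLUDED = ipaddress.ip_network("10.0.0.0/8")
RULES = [
    # (chain, hook, priority, header field matched against EXCLUDED)
    ("excludeOutgoing1", "output", 0, "daddr"),
    ("allowIncoming", "input", -100, "daddr"),
    ("allowOutgoing2", "output", -100, "saddr"),
]


def marking_chains(hook, saddr, daddr):
    """Return the chains (lowest priority value first) whose rule would set
    the ct mark and meta mark on an IPv4 packet seen at the given hook."""
    fields = {"saddr": ipaddress.ip_address(saddr),
              "daddr": ipaddress.ip_address(daddr)}
    hits = [(prio, chain) for chain, rule_hook, prio, field in RULES
            if rule_hook == hook and fields[field] in EXCLUDED]
    return [chain for _, chain in sorted(hits)]


# Constructed sample packets: (label, hook, source, destination).
# 192.168.1.10 and 10.64.0.2 are hypothetical local addresses;
# 203.0.113.7 is a documentation address standing in for an internet host.
SAMPLES = [
    ("192.168 address to excluded range", "output", "192.168.1.10", "10.1.2.3"),
    ("192.168 address to internet", "output", "192.168.1.10", "203.0.113.7"),
    ("local 10/8 address to internet", "output", "10.64.0.2", "203.0.113.7"),
    ("internet to local 10/8 address", "input", "203.0.113.7", "10.64.0.2"),
]

if __name__ == "__main__":
    for label, hook, src, dst in SAMPLES:
        chains = marking_chains(hook, src, dst)
        print(f"{label:34} {hook:6} {src:>13} -> {dst:<13} "
              f"{', '.join(chains) or 'not marked'}")
```

Replacing the sample addresses with the host's own interface addresses shows whether any of them falls inside the excluded range, in which case the `saddr` rule matches regardless of destination.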