From 3eebbf65a8b4074bd663fd07da7f74c8b6f44dfb Mon Sep 17 00:00:00 2001
From: Quentin McGaw <quentin.mcgaw@gmail.com>
Date: Sat, 23 May 2026 21:26:08 +0000
Subject: [PATCH] hotfix(firewall/iptables): only restore firewall if IPv6 port
 redirection failed but NAT is supported

---
 internal/firewall/iptables/iptables.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/firewall/iptables/iptables.go b/internal/firewall/iptables/iptables.go
index 7690d8e8..c4887929 100644
--- a/internal/firewall/iptables/iptables.go
+++ b/internal/firewall/iptables/iptables.go
@@ -278,7 +278,6 @@ func (c *Config) RedirectPort(ctx context.Context, intf string,
 			appendOrDelete(remove), interfaceFlag, destinationPort),
 	})
 	if err != nil {
-		restore(ctx) // just in case
 		errMessage := err.Error()
 		if strings.Contains(errMessage, "can't initialize ip6tables table `nat': Table does not exist") {
 			if !remove {
@@ -286,6 +285,7 @@ func (c *Config) RedirectPort(ctx context.Context, intf string,
 			}
 			return nil
 		}
+		restore(ctx)
 		return fmt.Errorf("redirecting IPv6 source port %d to destination port %d on interface %s: %w",
 			sourcePort, destinationPort, intf, err)
 	}