Require xt_CONNMARK and define its kernel config values

internal/firewall/iptables/iptables.go

@@ -185,7 +185,7 @@ func (c *Config) AcceptOutputPublicOnlyNewTraffic(ctx context.Context) error {
 	}
 
 	kernelErr := checkKernelModulesAreOK(c.modules.nfConntrack,
-		c.modules.xtConntrack, c.modules.xtConnmark)
+		c.modules.xtConntrack, c.modules.xtConnmark, c.modules.xtCONNMARK)
 
 	err = c.runIptablesInstructionsNoSave(ctx, ipv4Instructions)
 	if err != nil {

internal/firewall/iptables/kernel.go

@@ -11,6 +11,7 @@ type kernelModules struct {
 	nfConntrack  kernelModule
 	nfRejectIPv4 kernelModule
 	xtConnmark   kernelModule
+	xtCONNMARK   kernelModule
 	xtConntrack  kernelModule
 	xtReject     kernelModule
 }
@@ -26,6 +27,7 @@ func newKernelModules() kernelModules {
 		"nf_conntrack_netlink": &m.nfConntrack,
 		"nf_reject_ipv4":       &m.nfRejectIPv4,
 		"xt_connmark":          &m.xtConnmark,
+		"xt_CONNMARK":          &m.xtCONNMARK,
 		"xt_conntrack":         &m.xtConntrack,
 		"xt_REJECT":            &m.xtReject,
 	}

internal/mod/configgz_linux.go

@@ -81,8 +81,11 @@ func moduleNameToKernelFeatureGroups(moduleName string) (featureGroups [][]strin
 		// Netfilter Matches
 		"xt_conntrack": {{"CONFIG_NETFILTER_XT_MATCH_CONNTRACK"}},
 		"xt_connmark": {
-			{"CONFIG_NETFILTER_XT_CONNMARK"},
-			{"CONFIG_NETFILTER_XT_MATCH_CONNMARK", "CONFIG_NETFILTER_XT_TARGET_CONNMARK"},
+			{"CONFIG_NETFILTER_XT_MATCH_CONNMARK"},
+		},
+		"xt_CONNMARK": {
+			{"CONFIG_NETFILTER_XT_MATCH_CONNMARK"},
+			{"CONFIG_NETFILTER_XT_TARGET_CONNMARK"}, // older kernels
 		},
 		"xt_mark": {
 			{"CONFIG_NETFILTER_XT_MARK"},