From 594b1db98bec7a166f86790a07aad462ed94f21b Mon Sep 17 00:00:00 2001
From: Quentin McGaw
Date: Sat, 28 Feb 2026 15:13:23 +0000
Subject: [PATCH] Require xt_CONNMARK and define its kernel config values

---
 internal/firewall/iptables/iptables.go | 2 +-
 internal/firewall/iptables/kernel.go | 2 ++
 internal/mod/configgz_linux.go | 7 +++++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/internal/firewall/iptables/iptables.go b/internal/firewall/iptables/iptables.go
index e126acbd..b3e1106c 100644
--- a/internal/firewall/iptables/iptables.go
+++ b/internal/firewall/iptables/iptables.go
@@ -185,7 +185,7 @@ func (c *Config) AcceptOutputPublicOnlyNewTraffic(ctx context.Context) error {
 	}
 
 	kernelErr := checkKernelModulesAreOK(c.modules.nfConntrack,
-		c.modules.xtConntrack, c.modules.xtConnmark)
+		c.modules.xtConntrack, c.modules.xtConnmark, c.modules.xtCONNMARK)
 
 	err = c.runIptablesInstructionsNoSave(ctx, ipv4Instructions)
 	if err != nil {
diff --git a/internal/firewall/iptables/kernel.go b/internal/firewall/iptables/kernel.go
index a7ed2fea..9f54f044 100644
--- a/internal/firewall/iptables/kernel.go
+++ b/internal/firewall/iptables/kernel.go
@@ -11,6 +11,7 @@ type kernelModules struct {
 	nfConntrack kernelModule
 	nfRejectIPv4 kernelModule
 	xtConnmark kernelModule
+	xtCONNMARK kernelModule
 	xtConntrack kernelModule
 	xtReject kernelModule
 }
@@ -26,6 +27,7 @@ func newKernelModules() kernelModules {
 		"nf_conntrack_netlink": &m.nfConntrack,
 		"nf_reject_ipv4": &m.nfRejectIPv4,
 		"xt_connmark": &m.xtConnmark,
+		"xt_CONNMARK": &m.xtCONNMARK,
 		"xt_conntrack": &m.xtConntrack,
 		"xt_REJECT": &m.xtReject,
 	}
diff --git a/internal/mod/configgz_linux.go b/internal/mod/configgz_linux.go
index 54c30404..eb84dc49 100644
--- a/internal/mod/configgz_linux.go
+++ b/internal/mod/configgz_linux.go
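Review bot: The new `xtCONNMARK` field in the kernelModules struct, and the `"xt_CONNMARK"` key added in the following hunk, differ from the existing `xtConnmark`/`"xt_connmark"` only by letter case, and nothing in the struct says why two near-identical entries exist, which is exactly the pair that gets mixed up on the next edit. I would document the distinction on the field itself: `xtCONNMARK kernelModule // CONNMARK target (-j CONNMARK); distinct from the xt_connmark match above`. The target/match reading comes from the netfilter naming convention (uppercase module name = target, lowercase = match) rather than from anything visible in this diff, so adjust the wording if the rules in iptables.go use it differently. Also worth checking, since the lookup behind this map is not visible here: on kernels since the xt_CONNMARK/xt_connmark merge there is no xt_CONNMARK.ko on disk, the target lives in xt_connmark.ko and is reached through a module alias, so if the key is resolved to a file name rather than through modules.alias a healthy modern host may fail this check. The struct's opening line is visible only in the hunk header, not in the hunk body.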
@@ -81,8 +81,11 @@ func moduleNameToKernelFeatureGroups(moduleName string) (featureGroups [][]strin
 	// Netfilter Matches
 	"xt_conntrack": {{"CONFIG_NETFILTER_XT_MATCH_CONNTRACK"}},
 	"xt_connmark": {
-		{"CONFIG_NETFILTER_XT_CONNMARK"},
-		{"CONFIG_NETFILTER_XT_MATCH_CONNMARK", "CONFIG_NETFILTER_XT_TARGET_CONNMARK"},
+		{"CONFIG_NETFILTER_XT_MATCH_CONNMARK"},
+	},
+	"xt_CONNMARK": {
+		{"CONFIG_NETFILTER_XT_MATCH_CONNMARK"},
+		{"CONFIG_NETFILTER_XT_TARGET_CONNMARK"}, // older kernels
 	},
 	"xt_mark": {
 		{"CONFIG_NETFILTER_XT_MARK"},
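Review bot: The rewritten `"xt_connmark"` entry no longer accepts `CONFIG_NETFILTER_XT_CONNMARK`, and the new `"xt_CONNMARK"` entry never lists it, yet that is the symbol that actually builds the merged xt_connmark.ko (connmark match and CONNMARK target in one module) on any kernel from roughly 2.6.30 on, with `NETFILTER_XT_MATCH_CONNMARK` and `NETFILTER_XT_TARGET_CONNMARK` kept in Kconfig only as backward-compatibility aliases that select it. If each inner slice is an alternative set of symbols that must all be present, which is how the removed lines and the neighbouring `"xt_mark"` entry (keeping `CONFIG_NETFILTER_XT_MARK` as its first group) read, then a kernel configured with only the canonical `CONFIG_NETFILTER_XT_CONNMARK=y` or `=m` now fails the config.gz check for both modules, and the `// older kernels` remark sits on the wrong symbol: the MATCH/TARGET pair is the pre-merge layout. I would keep the merged symbol as the first alternative in both entries and leave the MATCH/TARGET symbols as the compatibility fallback, as sketched below. The release boundary is from memory, so confirm it against the kernel's net/netfilter/Kconfig before relying on the comment wording.
```go
	"xt_connmark": {
		{"CONFIG_NETFILTER_XT_CONNMARK"},       // merged match+target module (modern kernels)
		{"CONFIG_NETFILTER_XT_MATCH_CONNMARK"}, // pre-merge kernels / compat alias
	},
	"xt_CONNMARK": {
		{"CONFIG_NETFILTER_XT_CONNMARK"},        // merged match+target module (modern kernels)
		{"CONFIG_NETFILTER_XT_TARGET_CONNMARK"}, // pre-merge kernels / compat alias
	},
```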