Require xt_CONNMARK and define its kernel config values

internal/firewall/iptables/iptables.go

@@ -185,7 +185,7 @@ func (c *Config) AcceptOutputPublicOnlyNewTraffic(ctx context.Context) error {
 	}
 
 	kernelErr := checkKernelModulesAreOK(c.modules.nfConntrack,
-		c.modules.xtConntrack, c.modules.xtConnmark)
+		c.modules.xtConntrack, c.modules.xtConnmark, c.modules.xtCONNMARK)
 
 	err = c.runIptablesInstructionsNoSave(ctx, ipv4Instructions)
 	if err != nil {

internal/firewall/iptables/kernel.go

@@ -11,6 +11,7 @@ type kernelModules struct {
 	nfConntrack  kernelModule
 	nfRejectIPv4 kernelModule
 	xtConnmark   kernelModule
+	xtCONNMARK   kernelModule
 	xtConntrack  kernelModule
 	xtReject     kernelModule
 }
@@ -26,6 +27,7 @@ func newKernelModules() kernelModules {
 		"nf_conntrack_netlink": &m.nfConntrack,
 		"nf_reject_ipv4":       &m.nfRejectIPv4,
 		"xt_connmark":          &m.xtConnmark,
+		"xt_CONNMARK":          &m.xtCONNMARK,
 		"xt_conntrack":         &m.xtConntrack,
 		"xt_REJECT":            &m.xtReject,
 	}