Fallback to accepting only NEW output public traffic if conntrack netlink isn't supported

2026-05-10 04:30:20 +02:00 · 2026-02-26 15:53:07 +00:00
parent dfac2b2f1a
commit a37354426b
16 changed files with 302 additions and 36 deletions
@@ -0,0 +1,27 @@
+package firewall
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/qdm12/gluetun/internal/netlink"
+)
+
+// Note remove is a no-op if conntrack netlink is supported by the kernel.
+func (c *Config) flushExistingConnections(ctx context.Context) error {
+	err := c.netlinker.FlushConntrack()
+	switch {
+	case err == nil:
+		return nil
+	case errors.Is(err, netlink.ErrConntrackNetlinkNotSupported):
+		c.logger.Debugf("falling back to marking and filtering unmarked packets because flush conntrack failed: %s", err)
+		err = c.impl.AcceptOutputPublicOnlyNewTraffic(ctx)
+		if err != nil {
+			return fmt.Errorf("accepting only new output public traffic: %w", err)
+		}
+		return nil
+	default:
+		return fmt.Errorf("flushing conntrack: %w", err)
+	}
+}