Fallback to accepting only NEW output public traffic if conntrack netlink isn't supported

2026-05-09 20:29:23 +02:00 · 2026-02-26 15:53:07 +00:00
parent dfac2b2f1a
commit a37354426b
16 changed files with 302 additions and 36 deletions
@@ -0,0 +1,47 @@
+package iptables
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/qdm12/gluetun/internal/mod"
+)
+
+type kernelModules struct {
+	nfConntrack kernelModule
+	xtConnmark  kernelModule
+	xtConntrack kernelModule
+}
+
+type kernelModule struct {
+	name string
+	ok   bool
+}
+
+func newKernelModules() kernelModules {
+	var m kernelModules
+	nameToFieldPtr := map[string]*kernelModule{
+		"nf_conntrack_netlink": &m.nfConntrack,
+		"xt_connmark":          &m.xtConnmark,
+		"xt_conntrack":         &m.xtConntrack,
+	}
+	for name, fieldPtr := range nameToFieldPtr {
+		fieldPtr.name = name
+		err := mod.Probe(name)
+		fieldPtr.ok = err == nil
+	}
+	return m
+}
+
+func checkKernelModulesAreOK(modules ...kernelModule) error {
+	missing := make([]string, 0, len(modules))
+	for _, module := range modules {
+		if !module.ok {
+			missing = append(missing, module.name)
+		}
+	}
+	if len(missing) > 0 {
+		return fmt.Errorf("%w: %s", ErrKernelModuleMissing, strings.Join(missing, ", "))
+	}
+	return nil
+}