Fallback to accepting only NEW output public traffic if conntrack netlink isn't supported

2026-05-09 20:29:23 +02:00 · 2026-02-26 15:53:07 +00:00
parent dfac2b2f1a
commit a37354426b
16 changed files with 302 additions and 36 deletions
@@ -1,6 +1,7 @@
 package netlink

 import (
+	"errors"
 	"fmt"

 	"github.com/mdlayher/netlink"
@@ -8,7 +9,13 @@ import (
 	"golang.org/x/sys/unix"
 )

+var ErrConntrackNetlinkNotSupported = errors.New("nf_conntrack_netlink is not supported by the kernel")
+
 func (n *NetLink) FlushConntrack() error {
+	if !n.conntrackNetlink {
+		return fmt.Errorf("%w", ErrConntrackNetlinkNotSupported)
+	}
+
 	conn, err := netfilter.Dial(nil)
 	if err != nil {
 		return fmt.Errorf("dialing netfilter: %w", err)
@@ -2,6 +2,10 @@

 package netlink

+import "errors"
+
+var ErrConntrackNetlinkNotSupported = errors.New("error not implemented")
+
 func (n *NetLink) FlushConntrack() error {
 	panic("not implemented")
 }
@@ -1,14 +1,22 @@
 package netlink

-import "github.com/qdm12/log"
+import (
+	"github.com/qdm12/gluetun/internal/mod"
+	"github.com/qdm12/log"
+)

 type NetLink struct {
 	debugLogger DebugLogger
+
+	// Fixed state
+	conntrackNetlink bool
 }

 func New(debugLogger DebugLogger) *NetLink {
+	conntrackNetlink := mod.Probe("nf_conntrack_netlink") == nil
 	return &NetLink{
-		debugLogger: debugLogger,
+		debugLogger:      debugLogger,
+		conntrackNetlink: conntrackNetlink,
 	}
 }