Fallback to accepting only NEW output public traffic if conntrack netlink isn't supported

2026-05-09 20:29:23 +02:00 · 2026-02-26 15:53:07 +00:00
parent dfac2b2f1a
commit a37354426b
16 changed files with 302 additions and 36 deletions
@@ -1,6 +1,7 @@
 package netlink

 import (
+	"errors"
 	"fmt"

 	"github.com/mdlayher/netlink"
@@ -8,7 +9,13 @@ import (
 	"golang.org/x/sys/unix"
 )

+var ErrConntrackNetlinkNotSupported = errors.New("nf_conntrack_netlink is not supported by the kernel")
+
 func (n *NetLink) FlushConntrack() error {
+	if !n.conntrackNetlink {
+		return fmt.Errorf("%w", ErrConntrackNetlinkNotSupported)
+	}
+
 	conn, err := netfilter.Dial(nil)
 	if err != nil {
 		return fmt.Errorf("dialing netfilter: %w", err)