Fallback to accepting only NEW output public traffic if conntrack netlink isn't supported

2026-06-20 11:02:59 +02:00 · 2026-02-26 15:53:07 +00:00
parent dfac2b2f1a
commit a37354426b
16 changed files with 302 additions and 36 deletions
@@ -74,7 +74,7 @@ func PathMTUDiscover(ctx context.Context, icmpAddrs []netip.Addr, tcpAddrs []net
 	}
 	mtu, err = tcp.PathMTUDiscover(ctx, tcpAddrs, minMTU, maxPossibleMTU, tryTimeout, fw, logger)
 	if err != nil {
-		if errors.Is(err, iptables.ErrMarkMatchModuleMissing) {
+		if errors.Is(err, iptables.ErrKernelModuleMissing) {
 			logger.Debugf("aborting TCP path MTU discovery: %s", err)
 			if icmpSuccess {
 				return maxPossibleMTU, nil // only rely on ICMP PMTUD results
@@ -35,7 +35,7 @@ func getFirewall(t *testing.T) *firewall.Config {
 		noopLogger := &noopLogger{}
 		cmder := command.New()
 		var err error
-		testFirewall, err = firewall.NewConfig(t.Context(), noopLogger, cmder, nil, nil)
+		testFirewall, err = firewall.NewConfig(t.Context(), noopLogger, cmder, nil, nil, nil)
 		if errors.Is(err, iptables.ErrNotSupported) {
 			t.Skip("iptables not installed, skipping TCP PMTUD tests")
 		}
@@ -43,7 +43,7 @@ func findHighestMSSDestination(ctx context.Context, familyToFD map[int]fileDescr
 		if result.err != nil {
 			switch {
 			case err != nil: // error already occurred for another findMSS goroutine
-			case errors.Is(result.err, iptables.ErrMarkMatchModuleMissing):
+			case errors.Is(result.err, iptables.ErrKernelModuleMissing):
 				err = fmt.Errorf("finding MSS for %s: %w", result.dst, result.err)
 			case dst.Addr().Is6() && errors.Is(result.err, ip.ErrNetworkUnreachable):
 				// silently discard IPv6 network unreachable errors since they are common