Flush conntrack on every firewall enabling

internal/firewall/enable.go

@@ -121,6 +121,11 @@ func (c *Config) enable(ctx context.Context) (err error) {
 		return fmt.Errorf("running user defined post firewall rules: %w", err)
 	}
 
+	err = c.netlinker.FlushConntrack()
+	if err != nil {
+		c.logger.Warn("flushing conntrack failed: " + err.Error())
+	}
+
 	return nil
 }
 

internal/firewall/firewall.go

@@ -13,6 +13,7 @@ import (
 
 type Config struct {
 	runner        CmdRunner
+	netlinker     Netlinker
 	logger        Logger
 	defaultRoutes []routing.DefaultRoute
 	localNetworks []routing.LocalNetwork
@@ -35,8 +36,8 @@ type Config struct {
 // NewConfig creates a new Config instance and returns an error
 // if no iptables implementation is available.
 func NewConfig(ctx context.Context, logger Logger,
-	runner CmdRunner, defaultRoutes []routing.DefaultRoute,
-	localNetworks []routing.LocalNetwork,
+	runner CmdRunner, netlinker Netlinker,
+	defaultRoutes []routing.DefaultRoute, localNetworks []routing.LocalNetwork,
 ) (config *Config, err error) {
 	impl, err := iptables.New(ctx, runner, logger)
 	if err != nil {
@@ -45,6 +46,7 @@ func NewConfig(ctx context.Context, logger Logger,
 
 	return &Config{
 		runner:            runner,
+		netlinker:         netlinker,
 		logger:            logger,
 		allowedInputPorts: make(map[uint16]map[string]struct{}),
 		// Obtained from routing

internal/firewall/interfaces.go

@@ -19,6 +19,10 @@ type Logger interface {
 	Error(s string)
 }
 
+type Netlinker interface {
+	FlushConntrack() error
+}
+
 type firewallImpl interface { //nolint:interfacebloat
 	SaveAndRestore(ctx context.Context) (restore func(context.Context), err error)
 	AcceptEstablishedRelatedTraffic(ctx context.Context) error