chore(firewall/iptables): modprobe and cache support for xt_mark and nf_tables

internal/firewall/iptables/firewall.go

@@ -3,6 +3,8 @@ package iptables
 import (
 	"context"
 	"sync"
+
+	"github.com/qdm12/gluetun/internal/mod"
 )
 
 type Config struct {
@@ -14,6 +16,8 @@ type Config struct {
 	// Fixed state
 	ipTables  string
 	ip6Tables string
+	nftables  bool
+	xtMark    bool
 }
 
 func New(ctx context.Context, runner CmdRunner, logger Logger) (*Config, error) {
@@ -27,10 +31,21 @@ func New(ctx context.Context, runner CmdRunner, logger Logger) (*Config, error)
 		return nil, err
 	}
 
+	modules := map[string]bool{
+		"xt_mark":   false,
+		"nf_tables": false,
+	}
+	for module := range modules {
+		err := mod.Probe(module)
+		modules[module] = err == nil
+	}
+
 	return &Config{
 		runner:    runner,
 		logger:    logger,
 		ipTables:  iptables,
 		ip6Tables: ip6tables,
+		nftables:  modules["nf_tables"],
+		xtMark:    modules["xt_mark"],
 	}, nil
 }

internal/firewall/iptables/tcp.go

@@ -5,7 +5,6 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
-	"os"
 )
 
 type tcpFlags struct {
@@ -74,8 +73,7 @@ func (c *Config) TempDropOutputTCPRST(ctx context.Context,
 	src, dst netip.AddrPort, excludeMark int) (
 	revert func(ctx context.Context) error, err error,
 ) {
-	_, err = os.Stat("/usr/lib/xtables/libxt_mark.so")
+	if !c.nftables && !c.xtMark {
-	if err != nil && errors.Is(err, os.ErrNotExist) {
 		return nil, fmt.Errorf("%w", ErrMarkMatchModuleMissing)
 	}